Virtual Network Optimization Summary

The features available to optimize virtual networks are described below.

Virtual Machine Queue (VMQ)

The Virtual Machine Queue (VMQ) allows network traffic received on the virtual network adapter to be distributed across multiple CPU cores.

  • This feature is enabled by default.
  • The physical network adapter must support this feature.
  • The VM must have more than one core allocated to it.
IPSec Task Offload (IPSecTO)

IPSec Task Offload (IPSecTO) allows the security association (SA) for IPSec to be transferred to the physical network adapter for processing.

  • SAs are security keys for the encrypted session.
  • In IPSecTO, traffic encryption is performed by the physical network adapter.
  • The physical network adapter must support this feature.
  • You can specify a maximum number of SAs that can be transferred to the physical network adapter.
DHCP Guard

DHCP Guard prevents a VM from being used as a rogue DHCP server. When DHCP Guard is enabled, the hypervisor drops any DHCP server packets that the VM sends from that network adapter.
Router Guard

Router Guard prevents the VM from being used as an unauthorized router by dropping the router advertisement and redirect messages that the VM sends.
Port Mirroring

Port Mirroring copies the traffic of one switch port to another port. It is useful for tools that evaluate traffic on the network, such as:

  • Packet sniffers
  • Intrusion Detection Systems (IDS)
  • Intrusion Prevention Systems (IPS)

When you set up port mirroring, you specify the port as either the source or the destination.

NIC Teaming

NIC Teaming, also known as Load Balancing/Failover (LBFO), allows a network adapter to be part of a team in the guest OS. NIC teaming must be enabled on the network adapter in the hypervisor to work. Be aware of the following facts about NIC teaming:

  • NIC teaming provides bandwidth aggregation.
  • NIC teaming provides traffic failover if a network component fails.
  • You cannot run NIC teaming on a Windows 8 or Windows 8.1 Hyper-V VM.
  • You can use the NIC teaming User Interface and NIC teaming Windows PowerShell cmdlets on a Windows 8 or Windows 8.1 machine to manage teaming on Windows Server 2012 or Windows Server 2012 R2.

When configuring NIC teaming keep the following in mind:

    • You can configure NIC teaming in one of the following ways:
      • Switch-independent teaming allows adapters in a team to be connected to different switches. If the NIC team is being used for failover only and not bandwidth aggregation, the NIC team must be configured as switch-independent.
      • Switch-dependent teaming requires adapters to be connected to the same switch. You can implement switch dependent teaming in one of the following two ways:
        • Generic or static teaming requires that the switch and the host identify the links in the team.
        • Link Aggregation Control Protocol (LACP) teaming uses LACP to dynamically set the links between the host and the switch.
    • Windows Server 2012 R2 supports the following traffic load distribution algorithms:
      • Hyper-V switch port algorithm directs traffic using the VM’s MAC address or the port on the Hyper-V switch to which the VM is connected. This algorithm is generally effective unless the host has only a few VMs.
      • Address hashing algorithm creates a hash value using the address of the packet. Packets with that hash value are assigned to an adapter. You can use Windows PowerShell cmdlets to specify how the hash is created:
        • Using source and destination TCP ports and source and destination IP addresses. This is the default creation method.
        • Using source and destination IP addresses only.
        • Using source and destination MAC addresses only.
      • Dynamic algorithm combines the Hyper-V switch port and the address hashing algorithms.
        • Outbound loads use a hash of TCP ports and IP addresses, rebalancing loads in real time. This method also breaks TCP flows at naturally occurring breaks known as flowlets.
        • Inbound loads are distributed as if the Hyper-V port mode were in use.
    • Windows Server 2012 R2 supports NIC teaming in a VM. Virtual NICs connected to more than one Hyper-V switch can remain connected even if a physical NIC disconnects from the switch.
    • Multiple team interfaces can separate inbound traffic by VLAN.
    • If a team is connected to a Hyper-V switch, segregate the VLAN using the Hyper-V switch, not the NIC teaming software.
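
The following is an added example, not a command set from the original page: it creates a host-side team with the mode and load-distribution choices described above, then enables guest-side teaming on a VM with two virtual NICs. The adapter names (NIC1, NIC2), switch names (SwitchA, SwitchB) and VM name vm206 are assumed.

```powershell
# Added example (not from the original page). Names of the physical adapters,
# Hyper-V switches and the VM are constructed placeholders.

# Host team: switch-independent works with any switches (required for a
# failover-only team); Dynamic combines Hyper-V port and address hashing.
# Other -LoadBalancingAlgorithm values map to the hashing choices above:
# TransportPorts (default), IPAddresses, MacAddresses, HyperVPort.
New-NetLbfoTeam -Name 'Team1' -TeamMembers 'NIC1','NIC2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Guest team: give vm206 one virtual NIC on each switch, then allow teaming
# (and MAC spoofing, so frames can leave on the surviving adapter after failover).
foreach ($switch in 'SwitchA','SwitchB') {
    Add-VMNetworkAdapter -VMName vm206 -SwitchName $switch -Name "Team-$switch"
}
Get-VMNetworkAdapter -VMName vm206 | Where-Object Name -like 'Team-*' |
    Set-VMNetworkAdapter -AllowTeaming On -MacAddressSpoofing On

# Verify the host team and the guest adapter settings.
Get-NetLbfoTeam -Name 'Team1' |
    Select-Object Name, TeamingMode, LoadBalancingAlgorithm, Status
Get-VMNetworkAdapter -VMName vm206 |
    Select-Object Name, SwitchName, AllowTeaming, MacAddressSpoofing
```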

When using NIC Teaming, enable MAC address spoofing on the VM's network adapters so that traffic can flow from the alternate network adapter in the event of a failover.
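
The following is an added audit script, not part of the original page: it checks every VM network adapter on the host against the DHCP Guard, Router Guard, port mirroring and MAC spoofing settings described above. The baseline it assumes (guards on, mirroring off, spoofing only where teaming is allowed) and the VM name in the remediation line are assumptions.

```powershell
# Added example (not from the original page). Run on the Hyper-V host as an
# administrator. Baseline assumed: DHCP Guard and Router Guard On, port mirroring
# Off, MAC spoofing On only on adapters that are also allowed to team.
$findings = foreach ($nic in Get-VM | Get-VMNetworkAdapter) {
    $issues = @()
    if ($nic.DhcpGuard -ne 'On')   { $issues += 'DHCP Guard off' }
    if ($nic.RouterGuard -ne 'On') { $issues += 'Router Guard off' }
    # Spoofing is needed for guest NIC teaming; elsewhere it lets the VM forge source MACs.
    if ($nic.MacAddressSpoofing -eq 'On' -and $nic.AllowTeaming -ne 'On') {
        $issues += 'MAC spoofing on without teaming'
    }
    # A mirror destination receives other VMs' traffic; confirm it is an intended sensor.
    if ($nic.PortMirroringMode -ne 'None') {
        $issues += "port mirroring: $($nic.PortMirroringMode)"
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            VM      = $nic.VMName
            Adapter = $nic.Name
            Issues  = ($issues -join '; ')
        }
    }
}
$findings | Format-Table -AutoSize

# Remediation for a non-teamed adapter (VM and adapter names are placeholders):
# Set-VMNetworkAdapter -VMName vm206 -Name 'Network Adapter' -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off
```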

Port Access Control Lists (ACLs)

Port Access Control Lists (ACLs) establish rules applied to a Hyper-V switch port that determine if a packet is allowed into or out of a VM. Port ACL rules have the following components:

  • Address specifies a local address or a remote address using an IPv4, IPv6, or MAC address.
  • Direction indicates the traffic direction the rule applies to: inbound, outbound, or both.
  • Action allows or denies the traffic.

For example, the following command allows the VM named vm206 to receive packets from and send packets to the local MAC address 12-46-56-83-97-7C:

Add-VMNetworkAdapterAcl -VMName vm206 -LocalMacAddress 12-46-56-83-97-7C -Direction Both -Action Allow

Meter Port ACLs

Meter Port ACLs allow you to measure virtual adapter traffic sent to or received from a specified address range. For example, use the following command to measure outbound traffic from the VM named vm206 to the remote address range 189.207.0.0/24:

Add-VMNetworkAdapterAcl -VMName vm206 -RemoteIPAddress 189.207.0.0/24 -Direction Outbound -Action Meter
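
The following is an added example, not from the original page: it combines the allow, deny and meter actions above into an inbound default-deny policy for vm206 that admits only a management subnet, meters outbound traffic to the range used in the text, and reads the rules and counters back. The management subnet 10.10.5.0/24 is an assumption.

```powershell
# Added example (not from the original page). 10.10.5.0/24 is a constructed
# management subnet; 189.207.0.0/24 is the range used in the text above.
$vm = 'vm206'

# Inbound: deny everything (IPv4 and IPv6 wildcards), then allow the management
# subnet. Hyper-V applies the most specific matching rule, so the /24 allow wins
# for that range and the wildcard denies cover everything else.
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0    -Direction Inbound -Action Deny
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress ::/0         -Direction Inbound -Action Deny
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 10.10.5.0/24 -Direction Inbound -Action Allow

# Outbound: count traffic to the range of interest (no deny rule applies outbound).
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 189.207.0.0/24 -Direction Outbound -Action Meter

# Read the rules back. MeteredMegabytes increases only on Meter rules.
Get-VMNetworkAdapterAcl -VMName $vm |
    Select-Object Direction, Action, LocalAddress, RemoteAddress, MeteredMegabytes |
    Format-Table -AutoSize

# A rule is removed by repeating its address, direction and action:
# Remove-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 189.207.0.0/24 -Direction Outbound -Action Meter
```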

Private Virtual Local Area Network (PVLAN)

Private Virtual Local Area Network (PVLAN) allows you to configure switch ports to control VM communication. A PVLAN port operates in one of three modes:

  • Isolated mode allows communication with only promiscuous ports in the PVLAN.
  • Promiscuous mode allows communication with all ports in the PVLAN.
  • Community mode allows communication with ports in the same community and any promiscuous ports in the PVLAN.

Creating a PVLAN in isolated mode lets you restrict the traffic of all VMs in the PVLAN using only two VLAN IDs: the primary and the secondary. The following command isolates a VM named vm260 using primary VLAN 15 and secondary VLAN 176:

Set-VMNetworkAdapterVlan -VMName vm260 -Isolated -PrimaryVlanId 15 -SecondaryVlanId 176

Trunking

Trunking allows a machine to see traffic from multiple VLANs. When trunking is enabled, a VM’s switch port receives traffic from all VLANs in an allowed VLAN list. For example, the following command allows the VM named vm110 to view traffic from VLANs 3 through 350. In this example, traffic that carries no VLAN tag is handled as if it came from VLAN 322 (the native VLAN):

Set-VMNetworkAdapterVlan -VMName vm110 -Trunk -AllowedVlanIdList 3-350 -NativeVlanId 322
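
The following is an added example, not from the original page: it goes beyond the single isolated port shown above and lays out a complete PVLAN on primary VLAN 15 with all three port modes, plus a trunk port for a monitoring VM, then reads the settings back. The VM names (gw01, tenantA1, tenantA2, web01, web02, ids01) and the secondary VLAN 177 are assumptions.

```powershell
# Added example (not from the original page). VM names and VLAN 177 are constructed;
# primary VLAN 15, secondary VLAN 176 and the trunk values come from the text above.
$primary = 15

# Promiscuous port: the shared gateway VM can talk to every secondary VLAN.
Set-VMNetworkAdapterVlan -VMName gw01 -Promiscuous -PrimaryVlanId $primary -SecondaryVlanIdList 176,177

# Isolated ports: tenant VMs reach only the promiscuous gateway, never each other.
foreach ($vm in 'tenantA1','tenantA2') {
    Set-VMNetworkAdapterVlan -VMName $vm -Isolated -PrimaryVlanId $primary -SecondaryVlanId 176
}

# Community ports: the two web nodes can reach each other and the gateway,
# but still cannot reach the isolated tenants.
foreach ($vm in 'web01','web02') {
    Set-VMNetworkAdapterVlan -VMName $vm -Community -PrimaryVlanId $primary -SecondaryVlanId 177
}

# Trunk port: the monitoring VM sees all tagged VLANs in the range; untagged
# frames are treated as VLAN 322.
Set-VMNetworkAdapterVlan -VMName ids01 -Trunk -AllowedVlanIdList 3-350 -NativeVlanId 322

# Verify: OperationMode is Private for PVLAN ports (PrivateVlanMode gives the
# mode) and Trunk for the sensor.
Get-VM | Get-VMNetworkAdapter | Get-VMNetworkAdapterVlan |
    Select-Object @{ Name = 'VM'; Expression = { $_.ParentAdapter.VMName } },
        OperationMode, PrivateVlanMode, PrimaryVlanId, SecondaryVlanId,
        SecondaryVlanIdList, AllowedVlanIdList, NativeVlanId |
    Format-Table -AutoSize
```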

Storage Quality of Service (QoS)

Storage quality of service (QoS) allows you to control the throughput of data to virtual disks. In Windows Server 2012 R2, you can:

  • Use Hyper-V Manager to configure the maximum and minimum input/output operations per second (IOPS) for each hard disk in a VM. The settings use normalized IOPS, measured in 8 KB increments. If no maximum is set, the value defaults to zero, which means no maximum is enforced.
  • Use the WMI interface or Windows PowerShell to control and query the IOPS values.
  • Monitor and manage the effect of a virtual disk’s IOPS on other virtual disks in the VM.
  • Define thresholds and receive notifications when thresholds are not met.
  • Manage individual tenant I/O throughput in a multitenant environment.
  • Collect data throughput information for chargeback.

Storage QoS is not available for shared virtual hard disks.
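
The following is an added example, not from the original page: it caps one disk of a VM from PowerShell, then lists every VM disk on the host with its cap converted to an approximate MB/s ceiling using the 8 KB normalization described above. The VM name vm206, the controller slot and the IOPS values are assumptions.

```powershell
# Added example (not from the original page). VM name, controller slot and
# IOPS values are constructed placeholders.
function Get-IopsThroughputMBps {
    param([uint64]$Iops)
    # One normalized IOP is 8 KB, so a cap of N IOPS is roughly N * 8 KB per second.
    [math]::Round($Iops * 8 / 1024, 2)
}

# Reserve 100 IOPS and cap at 500 IOPS on the first SCSI data disk of vm206.
Get-VMHardDiskDrive -VMName vm206 -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 1 |
    Set-VMHardDiskDrive -MinimumIOPS 100 -MaximumIOPS 500

# Query every VM disk on the host; a MaximumIOPS of 0 means no cap is enforced.
Get-VM | Get-VMHardDiskDrive |
    Select-Object VMName, Path, MinimumIOPS, MaximumIOPS,
        @{ Name = 'MaxMBps'; Expression = {
            if ($_.MaximumIOPS -gt 0) { Get-IopsThroughputMBps $_.MaximumIOPS } else { 'no cap' } } } |
    Format-Table -AutoSize
```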

© Data Coincide, LLC 2010-2019