
Virtual Networking in VMM 2012 SP1 – Part 1


Welcome to the New Year and to a series of blog postings that will cover how to define, configure and manage Virtual Networks in VMM 2012 SP1. Over the next six months, we plan to cover the following topics using the initial blog “getting started with network virtualization” below as a starting point.  Later posts in this series will go into more details and drill into specific settings and scenarios that may be of interest to you as you start to make use of this technology in your environment.

 

| Topic | Description | Date |
|---|---|---|
| Getting Started with Network Virtualization | Walk through the basic steps required to create an isolated network in VMM 2012 SP1. We will refer back to this initial posting, expanding specific topics and the implications behind certain decisions | Jan 2013 |
| Logical Networks | Review considerations for the design of logical networks, network sites and use of VLANs and PVLANs | Feb 2013 |
| Port Profiles and Port Classifications | The different types of port profiles, how and when to use them, how port profiles work in converged networks and what part port classifications play | Feb 2013 |
| Logical Switches | Review the differences between a logical switch and a virtual switch, how and why you would or would not use each of them in your environment, implications for converged networks | Mar 2013 |
| Upgrade and Migration | The implications, gotchas and best practices for migrating to virtual networks from your existing VMM network architecture | Apr 2013 |
| Hosting with VLANs | Best practice recommendations and implications of service providers and internal IT using VLANs for network isolation | May 2013 |
| Hosting with Virtual Networks | Bring your own IP (BYOIP) and bring your own network (BYON) are some of the concepts that service providers want and need to provide to their customers. Outlines best practice configuration and recommendations of using this model of network isolation | Jun 2013 |
| Advanced Topics | Introducing other components of System Center to effectively manage and report on the networks you’ve configured | Jul 2013 |

Feel free to suggest additional topics in the comments section as we develop the series and we’ll consider them for future blog entries.  We look forward to your feedback and comments.

 

Assumptions

The focus of the blog series is virtual networks and the new features introduced in VMM 2012 SP1. Given that, we assume that you have already upgraded to VMM 2012 SP1 and are ready to start taking advantage of the new features and functionality.

We also highly recommend that prior to working through the blog, you familiarize yourself with network virtualization and some of the key concepts and terms. The below link provides a good basis from which to start: http://technet.microsoft.com/en-us/library/jj134230.aspx

 

Introductions

As the primary authors and editors of the series, Damian Flynn (LionBridge Architect and Microsoft MVP) and Nigel Cain (Senior Program Manager, Windows Server and System Center) have been working together as part of LionBridge’s participation on the System Center 2012 SP1 TAP for well over a year. Together, they have presented a number of sessions on creating and managing Private/Hosted Clouds with System Center 2012 at TechEd and MMS and, over the last year, have been discussing the benefits of virtualized networking, how to migrate from pre-existing (pre-VMM 2012 SP1) networking and architecture best practices with Greg Cusanza (Microsoft PM - VMM networking feature owner), Alvin Morales (Microsoft Beta Support Engineer) and a number of others with a view to sharing these findings more generally. We hope this blog will help answer some of the key questions you have on virtual networking and help you get the most out of your investment in System Center – Virtual Machine Manager.

 

Getting Started with Virtual Networking

In this first blog of the series, we will walk through the basic steps you need to follow in order to create an isolated network on Windows Server 2012 Hyper-V servers using System Center 2012 SP1 - Virtual Machine Manager. This blog will form the foundation of our future postings which will drill into more detail.  You’ll definitely want to bookmark this one as we will come back to it. Thanks to Alvin Morales from CSS Beta Support for helping build out this initial posting.

Note that in the following sections we are assuming you are working in a new environment and will use VMM to configure all elements of virtual networking. In reality, you may have existing Hyper-V hosts with some or all components of networking already pre-configured. We will discuss how to work with these environments in later blog posts.

 

Network Virtualization

The documentation for SC 2012 SP1 – VMM states that network virtualization provides the “ability to run multiple virtual network infrastructures, potentially with overlapping IP addresses, on the same physical network. With network virtualization, each virtual network infrastructure operates as if it is the only one that is running on the shared network infrastructure. This enables two different business groups that are using VMM to use the same IP addressing scheme without conflict. In addition, network virtualization provides isolation so that only virtual machines on a specific virtual network infrastructure can communicate with each other.”

The rest of this document will walk you through the steps required to configure network virtualization “so that only virtual machines on a specific virtual network infrastructure can communicate with each other”. In later blog postings, we’ll talk about how you would use this concept as a basis for a service in which your customers will “bring their own network”.

 

1 Create a Logical Network

A logical network is used to organize and simplify network assignments for hosts, virtual machines and services. As part of logical network creation, you can create network sites to define the VLANs, IP subnets, and IP subnet/VLAN pairs that are associated with the logical network in each physical location.

http://technet.microsoft.com/library/gg610588.aspx

Note that if you are planning to create an isolated network, you must check the option to “Allow new VM networks created on this logical network to use network virtualization”. As later stages of this process build on this logical network concept, if the option is not checked, it may be necessary for you to delete and recreate your logical network to get the desired behavior.

image

When you create a logical network, you can create one or more associated network sites. A network site associates one or more subnets, VLANs, and subnet/VLAN pairs with a logical network. It also enables you to define the host groups to which the network site is available.

image

 

2 Create an IP pool for the logical network

To ensure that each virtual machine has an IP address which can be used on the host network, network virtualization requires that you create an IP pool. IP addresses from this pool are known as Provider Addresses (PA). The IP addresses you provide here will be routable between your Hyper-V hosts.  We’ll cover more about this in later blogs, but you can find more information on IP address pools here: http://technet.microsoft.com/en-us/library/gg610590.aspx

image

 

3 Define a Logical Switch

You can consistently configure identical capabilities for network adapters across multiple hosts by using port profiles and logical switches. Port profiles and logical switches act as containers for the properties or capabilities that you want your network adapters to have across multiple hosts. Instead of configuring individual properties or capabilities for each network adapter on each host, you specify the capabilities in port profiles and logical switches, which you can then apply to the appropriate adapters. You can find more information on logical switches and port profiles at the following location:

http://technet.microsoft.com/en-us/library/jj721570.aspx

The following walks through the steps necessary to create a logical switch. The terms may be slightly confusing, but later blogs will add more details.  Please note that the order of tasks is important and you will need to create an uplink port profile and virtual network adaptor port profile(s) before you can create the logical switch itself.

 

3.1 Create an Uplink Port Profile

The Uplink port profile defines the load balancing algorithms for teaming as well as linking the switch with the network site(s) that you defined in a logical network.

image

As we will talk about in the blog on virtual switches, be sure that the hosts you want to deploy this virtual switch to have been configured to support the logical network(s) you select below.  Otherwise, you will be unable to assign the switch to that host.

image

 

3.2 Define Virtual network adapter port profiles

A number of network adapter port profiles have been created by default for your convenience.   These profiles allow you to configure settings such as Virtual Machine Queue (VMQ), IPsec task offloading and Single-root I/O virtualization (SR-IOV) that can be applied to a given virtual network adaptor. You can also configure security to prevent MAC address spoofing, DHCP guard, router guard, guest teaming, IEEE priority tagging as well as the minimum and maximum bandwidth.  For more information, see the following article: http://technet.microsoft.com/en-us/library/jj628155.aspx.

In terms of getting started, just accept the default list of port profiles for now.  We’ll come back to these and how and why you should configure them in a future blog posting.  For now, just remember that you can use virtual adaptor port profiles to define quality of service and to take advantage of some of the features provided by your host hardware.

 

3.3 Define Port Classifications

A port classification is essentially a label used to group profiles together. It is used in a similar manner to storage classifications in VMM, in the sense that both hide complexity from users working with a cloud. As with port profiles before, we will accept the default list of classifications for now and discuss these in a later blog.  If interested, you can find more details on port classifications and how they are used in the following article: http://technet.microsoft.com/en-us/library/jj628153.aspx.

 

3.4 Create the Switch

At this point, you can link the different port profiles and classifications in the form of a logical switch which can then be assigned to one or more Hyper-V hosts. Future blog posts will cover logical switch configuration and design choices in much more depth.  For now, just enter a name for the new logical switch and accept the default setting (unchecked) for SR-IOV as shown below.

You can find more information on logical switches in VMM 2012 SP1 at the following location: http://technet.microsoft.com/en-us/library/jj628154.aspx

image

 

On the Uplink settings page of the Create Logical Switch Wizard, you need to indicate whether the logical switch will be connected using either a teamed or a stand-alone physical network adapter and, by specifying one or more uplink port profiles, the list of logical networks that it will be connected to.

 

image

 

The remaining task is to specify which port classifications will be available on this switch. These classifications control the properties such as the security settings and restrictions on network bandwidth that will be applied to the virtual network adapters that are connected to this switch.

 

image

In the example above, the switch will include only a medium bandwidth profile, which essentially means that all virtual machines that connect to the network (using this switch) will have their maximum bandwidth limited to a range defined by the VMM administrator.

 

4 Assign the logical switch to a host

The next step is to assign the logical switch we created to a host. Go to the host properties and select the virtual switch section. Using the New Virtual Switch button, select “New logical switch” and assign the physical network adapters which will be linked to the switch as shown.

image

 

Note: If the physical network adapter you selected will also be used to pass management traffic back to VMM, you will need to create a (new) Virtual Network Adapter and assign it to a VM network that has no isolation.  See the later section on VM networks and http://technet.microsoft.com/en-us/library/jj628156.aspx for more details.

 

image

Once you apply the logical switch to the host in SC 2012 SP1 - VMM, it will create a virtual switch on the Windows Server 2012 Hyper-V host.

 

5 Create a VM (Virtual Machine) Network

New to SC 2012 SP1 - VMM is the fact that all virtual machines need to be connected to a Virtual Machine (VM) Network to be able to use and access network resources. You can find and define these networks through the VMs and Services section of the console.  Please note that VM networks are not fabric components and hence are located in a different part of the console. The Create VM Network Wizard will introduce the key steps required to set up an isolated network. We will return to this topic in future blog posts – you can find more information on Virtual Machine Networks here: http://technet.microsoft.com/en-us/library/jj628157.aspx

image

 

The Isolation screen allows you to enable isolation and choose the IP version you want the isolated network to use.  You can also select No Isolation if you want to have the VM network provide virtual machines with direct access to the logical network.  This configuration essentially replicates the behavior you would find in SC 2012 – VMM.

 

image

 

Using isolation, you need to define the subnet which the virtual machines will be using. This will allow the virtual switch to create the network virtual routing tables. This will also help define the IP range used in the IP pool for the virtual machine network.

 

image

 

By default, the Virtual Network has no external connectivity, meaning that virtual machines connected to it will only be able to communicate with other virtual machines on that network as the dialog below suggests. In short, you need a VPN Gateway Device to provide a VPN link to an external network or a Gateway Device which allows machines on the virtual network to communicate with other local networks supported by that Hyper-V host in the local datacenter. For now, you can accept the default of no external connectivity.

Note that the remote and local networks options (highlighted) are greyed out in the dialog below as no gateway “provider” has been defined in VMM. We will discuss this and the different types of Gateways and why you would use them in much more detail in the blog posts on Hosting scheduled for later in the year.

 

image

 

6 Create an IP pool in the VM Network

Next, you need to define the IP range that can be assigned to virtual machines connected to this network.  These addresses are referred to as customer addresses (CA). Be aware that when you create the range the first IP will be assigned to the switch.  This means you will also have one less usable address in the range. You can create multiple IP ranges within the same customer address space. More information can be found here: http://technet.microsoft.com/en-us/library/jj721574.aspx

image

 

As an example, based on the subnet defined for your Virtual Machine (VM) Network, you will then create the IP pool. Assuming the subnet is 10.10.10.0 and the addresses for the pool start at 10.10.10.2 through 10.10.10.254 based on the mask, VMM will automatically reserve the first IP of the range (10.10.10.1) for assignment to the virtual switch. The reserved IP address is utilized by the network virtualization filter as a gateway between additional subnets in the same customer address space. You can also reserve IP addresses for other uses.

 

image
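Steps 1, 2, 5 and 6 above, scripted with the VMM cmdlets as an added example (not part of the original post). The VMM server name, host group, object names and the 192.168.10.0/24 provider subnet are constructed sample values; the 10.10.10.0/24 customer range is the one used in the text. Steps 3, 4 and 7 are left to the console.

```powershell
# Added example, not from the original post. Run in the VMM command shell.
# "vmm01", "All Hosts", the object names and the PA subnet are sample values.
Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName "vmm01" | Out-Null

$hostGroup = Get-SCVMHostGroup -Name "All Hosts"

# Step 1: logical network with "Allow new VM networks created on this
# logical network to use network virtualization" enabled.
$logicalNet = New-SCLogicalNetwork -Name "Datacenter-PA" `
    -EnableNetworkVirtualization $true

# Step 1 (continued): network site that ties a subnet to the host group.
$paSubnet = New-SCSubnetVLan -Subnet "192.168.10.0/24" -VLanID 0
$site = New-SCLogicalNetworkDefinition -Name "Datacenter-PA_Site1" `
    -LogicalNetwork $logicalNet -VMHostGroup $hostGroup -SubnetVLan $paSubnet

# Step 2: provider address (PA) pool, routable between the Hyper-V hosts.
New-SCStaticIPAddressPool -Name "Datacenter-PA_Pool" `
    -LogicalNetworkDefinition $site -Subnet "192.168.10.0/24" `
    -IPAddressRangeStart "192.168.10.50" -IPAddressRangeEnd "192.168.10.99" |
    Out-Null

# Step 5: VM network that uses network virtualization for isolation.
$vmNet = New-SCVMNetwork -Name "Tenant-A" -LogicalNetwork $logicalNet `
    -IsolationType "WindowsNetworkVirtualization" `
    -CAIPAddressPoolType "IPV4" -PAIPAddressPoolType "IPV4"

# Step 5 (continued): the customer subnet the virtual machines will use.
$caSubnet = New-SCSubnetVLan -Subnet "10.10.10.0/24"
$vmSubnet = New-SCVMSubnet -Name "Tenant-A_Subnet" -VMNetwork $vmNet `
    -SubnetVLan $caSubnet

# Step 6: customer address (CA) pool. The range starts at .2 because VMM
# reserves the first address of the subnet (10.10.10.1) for the switch.
New-SCStaticIPAddressPool -Name "Tenant-A_Pool" -VMSubnet $vmSubnet `
    -Subnet "10.10.10.0/24" `
    -IPAddressRangeStart "10.10.10.2" -IPAddressRangeEnd "10.10.10.254" |
    Out-Null

# Confirm which VM networks exist on this logical network.
Get-SCVMNetwork | Where-Object { $_.LogicalNetwork.Name -eq "Datacenter-PA" } |
    Format-Table Name, LogicalNetwork -AutoSize
```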

 

7 Assign the VM Network to a Virtual Machine

Once the virtual network has been created, virtual machines (VM) can be connected to it using the network adapter configuration settings – see example screenshot below. In the connectivity section of the dialog, simply assign the virtual machine to your new VM Network.

NOTE: Be aware that the MAC address assigned to the interface will be static rather than dynamic to allow the virtual machine to retain its MAC address as it migrates between hosts in your environment. As you are utilizing virtual networking, hosts require an additional update to the network virtualization (MS_NETWNV) lookup tables to ensure the MS_NETWNV filter maintains connectivity, and the MAC address is essentially used as part of the unique identifier for your virtual machines’ network traffic.

The assigned static MAC address will be taken from a MAC address pool. You can find more information about the use of MAC addresses pools from the following location: http://technet.microsoft.com/en-us/library/gg610632.aspx.
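A read-only check of the result on a Hyper-V host, as an added example that is not part of the original post: it lists the lookup records held by the network virtualization filter and compares them with each virtual network adapter's MAC address and virtual subnet ID. It assumes the Hyper-V and NetWNV PowerShell modules of Windows Server 2012 and that a virtual subnet ID of 0 means the adapter is not on an isolated network; the helper name is hypothetical.

```powershell
# Added example, not from the original post. Run elevated on the Hyper-V
# host after VMs have been connected to the VM network. Changes nothing.

# Hypothetical helper: compare MACs regardless of separators or case.
function ConvertTo-PlainMac([string]$Mac) {
    ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

# Customer address (CA) to provider address (PA) mappings on this host.
$records = @(Get-NetVirtualizationLookupRecord)
$records | Sort-Object VirtualSubnetID, CustomerAddress |
    Format-Table VirtualSubnetID, CustomerAddress, ProviderAddress,
                 MACAddress, VMName -AutoSize

# The same CA may repeat across virtual subnets (overlapping tenants),
# but it must be unique inside one virtual subnet.
$records | Group-Object VirtualSubnetID, CustomerAddress |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Duplicate CA in one subnet: $($_.Name)" }

# Index the records by MAC. A MAC with several CAs keeps the last record,
# which is enough for the subnet comparison below.
$byMac = @{}
foreach ($r in $records) { $byMac[(ConvertTo-PlainMac $r.MACAddress)] = $r }

# Per adapter: is it isolated, is its MAC static, and does the lookup
# table agree with the adapter about which virtual subnet it belongs to?
Get-VM | Get-VMNetworkAdapter | ForEach-Object {
    $rec = $byMac[(ConvertTo-PlainMac $_.MacAddress)]
    [pscustomobject]@{
        VM            = $_.VMName
        Mac           = $_.MacAddress
        StaticMac     = -not $_.DynamicMacAddressEnabled
        AdapterVsid   = $_.VirtualSubnetId
        Isolated      = ($_.VirtualSubnetId -ne 0)
        HasLookupRec  = ($null -ne $rec)
        VsidMatches   = ($null -ne $rec -and
                         $rec.VirtualSubnetID -eq $_.VirtualSubnetId)
        MacSpoofing   = $_.MacAddressSpoofing
        DhcpGuard     = $_.DhcpGuard
        RouterGuard   = $_.RouterGuard
    }
} | Format-Table -AutoSize
```

An adapter that reports Isolated as True but has no lookup record, or a record with a different virtual subnet ID, is the case to investigate first.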

image

 

Summary

We hope these overview steps gave you an idea of how to configure virtual networks. In the upcoming blogs, we will talk about each of the components in turn, providing more detail around key design decisions and the implications of those decisions.

 

-Nigel Cain & Damian Flynn

