Wednesday, October 8, 2014

Virtual Switch in Hyper-V


Before we begin with the nitty-gritties of Virtual Switch, let us try to answer some basic questions.

What is a Virtual Switch?

Virtual Switch is a counterpart of physical Ethernet switch for the virtualized environment. It not only simply forwards the packet to other virtual machines but also intelligently inspects the packet before forwarding them. Each Virtualization platform provides different set of properties to their Virtual Switches. Before we delve further into Virtual Switches, let us understand another essence of this blog HYPER-V.

What is Hyper-V?

Each virtualized network requires a hypervisor as a platform for creation and configurations of virtual machines and their resources. Hyper-V is Windows hypervisor-based virtualization technology which provides software infrastructure and basic management tools. It provides the isolation of a physical machine into child partitions and allocates them to different guest operating systems. Also, provides required hardware and software resources for each guest operating system.

What is Virtual-Switch in Hyper-V?

Now that we have our basics in place, let us dive deep! I will try explaining Virtual Switch by considering the following:

  1. Features supported in Virtual Switch

  1. How Virtual Switch in Hyper-V different from Other Switches?

  1. Different use cases for Hyper-V Virtual Switch.

  1. What are all the available alternatives for Virtual Switches?

Starting off with the first discussion point, let us have a look on the features supported in Virtual Switch:

  1. Port ACLs - Provides traffic filtering based on Media Access Control (MAC) or Internet Protocol (IP) addresses/ranges, which enables you to set up virtual network isolation.

  1. Network traffic monitoring - Enables administrators to review traffic that is traversing the network switch.

  1. Isolated (private) VLAN - Enables administrators to segregate traffic on multiple vlans, to more easily establish isolated tenant communities.
  1. Trunk mode to a VM - Enables administrators to set up a specific VM as a virtual appliance, and then direct traffic from various VLANs to that VM.

  1. DHCP Guard protection - Protects against a malicious VM representing itself as a Dynamic Host Configuration Protocol (DHCP) server for man-in-the-middle attacks.
  1. ARP/ND Poisoning (spoofing) protection - Provides protection against a malicious VM using Address Resolution Protocol (ARP) spoofing to steal IP addresses from other VMs. Provides protection against attacks that can be launched for IPv6 using Neighbor Discovery (ND) spoofing.


So, what makes Hyper-V’s Virtual Switch different from other, its Extensibility. A Hyper-V Virtual Switch supports Vendor specific extensible plug-ins (also known as Virtual Switch Extensions). These Virtual Switch extensions provide enhanced networking and security policies. Hyper-V provides three types of Virtual Switch extensions-

  1. Capturing Extension - Using this extension, Virtual Switch can capture packets and generate their own packets.

  1. Filtering Extension - Using this extension, Virtual Switch can inspect, drop (traffic policing and filtering) or delay (traffic shaping) packets, as well as generate own packets.

  1. Forwarding Extension - Using this extension, Virtual Switch along with all the above operations provides an extra operation of replacing the default forwarding rules (specify their own set of output ports). Each packet can be set to one or more output ports to implement flooding, multicast or SPAN like behaviour.
Below figure depicts the flow of packet from Hyper-V Virtual Switch-

Source - Reference 4



Some vendors who applied this extensibility to enhance Virtual Switch and integrated it to their products:

  1. NEC- VSEM Provider that converts Hyper-V to an OpenFlow virtual switch and integrates it with NEC’s PFlow Solution.

  1. Cisco - VM-FEX extension with direct I/O (SR-IOV) with Nexus 1000V for Hyper-V.

  1. Inmon - Extension for Traffic capturing and analysis with sFlow.

  1. 5Nine - Virtual Firewall extension.

  1. Broadcom - DoS Prevention extension that emulates the functionality provided in OEM switch platform.


Apart from Hyper-V’s Virtual Switch there other switches available which has their own capabilities and features. Some of them are written here:

  1. VMware’s Virtual Switch: vSphere platform supports vSphere Standard Switch and vSphere Distributed Switch which provides networking in VMware Infrastructure (ESX).

  1. Open vSwich: OVS is an Open source switch runs on OpenFlow Protocol. The basic features supported in OVS are flows, VLANS, trunking, and port aggregation.
  1. KVM Virtual Switches

 References-
1. http://blogs.technet.com/b/networking/archive/2013/07/31/hyper-v-extensible-switch-enhancements-in-windows-server-2012-r2.aspx
2. http://technet.microsoft.com/library/hh831410
3. http://msdn.microsoft.com/en-us/library/windows/hardware/hh582268(v=vs.85).aspx#types_of_extensible_switch_extensions
4. http://blogs.technet.com/b/networking/archive/2013/07/31/what-s-new-in-hyper-v-network-virtualization-in-r2.aspx
5. http://channel9.msdn.com/posts/Hyper-V-Extensible-Switch-Part-I--Introduction


Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)