Foundation for Hosting Service Provider Offers Windows Server 2012 Service Delivery & Automation Application Management Web Virtualization Applications Networking Remote Desktop Services Storage Management Availability Scalability Infrastructure Management Security Hardware Compute Storage (File/Block) Network.
Designed for hosting service providers to drive lower infrastructure TCO and deliver new business opportunities:
• Network Virtualization
• Live Storage Migration & Shared Nothing Live Migration
• Disaster Recovery with Hyper-V Replica
• VM Scalability & Performance
• Granular Resource Metering
• Hyper-V Extensible Switch
• Web-Farm Scalability with IIS8
• Storage Spaces
• Data De-Duplication
• RDS Improvements for Desktop Hosting

Best-in-class management for hosting service provider clouds:
• Physical, Virtual, and Cloud Management
• Multi-Hypervisor Support
• Application and OS Management
• Provisioning with Service Templates
• Operations Automation
• Multi-tenancy
• Flexible Delegation with Control
• Monitoring Console & Customizable Dashboards

Beyond Virtualization: Windows Server 2012 offers a dynamic, multi-tenant infrastructure that goes beyond virtualization to provide maximum flexibility for delivering and connecting to cloud services.

The Power of Many Servers, the Simplicity of One: Windows Server 2012 offers excellent economics by integrating a highly available and easy to manage multi-server platform with breakthrough efficiency and ubiquitous automation.

Every App, Any Cloud: Windows Server 2012 is a broad, scalable and elastic server platform that gives you the flexibility to build and deploy applications and websites on-premises, in the cloud and in a hybrid environment, using a consistent set of tools and frameworks.
Modern Workstyle, Enabled: Windows Server 2012 empowers IT to provide users with flexible access to data and applications from virtually anywhere on any device with a rich user experience, while simplifying management and helping maintain security, control and compliance.

Cloud: public, private, hybrid. Flexibility for Sales, Finance and R&D.

Challenges today
• Full isolation between different workloads for different customers, up to network-layer isolation
• Requirements for granular metering of a variety of resources that are measured on a per-VM basis
• Cannot guarantee certain levels of allocation of shared resources, including virtual CPU, storage, and network resources
• Not easy to move VMs from a customer's corporate network to your cloud with minimum reconfiguration and without renumbering their IP addresses

Windows Server 2012: deliver a fully isolated, multi-tenant environment that includes tools to guarantee SLAs, enable billing, and support efficient service delivery
• Strong security and isolation for multi-tenancy
• Accurate, streamlined methods for measuring usage (billing)
• Easy migration of workloads without re-configuring IP addresses, and simplified protected site-to-site connections
• Support predictable network performance between tenants with Quality of Service

Secure Isolation: what is the Hyper-V Extensible Switch?
A Layer 2 virtual network switch that provides the foundation for handling network traffic between virtual machines on a Hyper-V host. By providing the built-in features below, the Hyper-V Extensible Switch provides a highly secure and scalable network infrastructure for VM traffic:
• Private virtual LAN (PVLAN) support
• Protection against ARP poisoning/spoofing
• Protection against DHCP snooping
• Virtual port access control lists (port ACLs)
• VLAN trunk mode support
The Hyper-V Extensible Switch supports third-party, extensible plug-ins that can provide enhanced networking and security capabilities.

Secure Isolation: PVLANs, virtual port ACLs, ARP/ND and DHCP guarding, trunk mode to VMs
• Multi-tenant virtual machine isolation through private virtual local area networks (PVLANs)
• ACL policies enable management tools to configure the isolation between multiple tenants running on the same infrastructure
• Protection against DHCP snooping (DHCP guard)
• Protection from Address Resolution Protocol/Neighbor Discovery (ARP/ND) poisoning (spoofing)
• The capability to trunk traditional VLANs to virtual machines

PVLANs: multi-tenant virtual machine isolation through private virtual local area networks
PVLAN mode  | Description
Isolated    | Isolated ports cannot exchange packets with one another at layer 2.
Promiscuous | Promiscuous ports can exchange packets with any other port on the same primary VLAN ID.
Community   | Community ports on the same VLAN ID can exchange packets with one another at layer 2.
[Diagram: isolated, community and promiscuous ports on two VM switches, and a trunk mode port to VMs.]

Virtual port ACLs for network isolation and metering
• One of the core capabilities of the new Hyper-V Extensible Switch
• ACL policies consist of Allow or Deny rules for connectivity between VM IP or MAC addresses
• Enable the DCMS (either System Center Virtual Machine Manager or other management tools) to configure the isolation between multiple tenants running on the same infrastructure
• Guarantee Layer 2 isolation (when needed) and Layer 2 connectivity (when appropriate)
Port ACL options:
• Allow a source or destination IPv4, IPv6, or MAC address.
• Deny a source or destination IPv4, IPv6, or MAC address.
• Meter a source or destination IPv4, IPv6, or MAC address.

ARP/ND spoofing protection: the Hyper-V Extensible Switch provides protection against a malicious virtual machine stealing IP addresses from other virtual machines by using ARP spoofing.
DHCP guard protection: an administrator can designate which Hyper-V Extensible Switch ports can have DHCP servers connected to them; DHCP server traffic from other Hyper-V Extensible Switch ports is dropped.

Trunk mode to virtual machines: traffic from multiple VLANs can now be directed to a single network adapter in a virtual machine that previously could receive traffic from only one VLAN.

Secure Isolation: switch extensibility
• Provides programmatically managed and extensible capabilities to connect virtual machines to the physical network
• Open platform to allow third-party vendors to provide plug-ins for additional functionality
• Unified management of plug-ins with PowerShell and WMI
[Diagram: root partition (WMI and IOCTL control path) and child partition connected over VMBus, with the Hyper-V virtual switch and its callout in the root partition.]

Extension type            | Purpose                                                                                                                           | Potential examples                                                                  | Extensibility component
Network Packet Inspection | Inspecting network packets, but not altering them                                                                                 | sFlow and network monitoring                                                        | NDIS filter driver
Network Packet Filter     | Injecting, modifying, and dropping network packets                                                                                | Security                                                                            | NDIS filter driver
Network Forwarding        | Third-party forwarding that bypasses default forwarding                                                                           | OpenFlow, Virtual Ethernet Port Aggregator (VEPA), and proprietary network fabrics  | NDIS filter driver
Firewall/Intrusion Detection | Filtering and modifying TCP/IP packets, monitoring or authorizing connections, filtering IPsec-protected traffic, and filtering RPC | Virtual firewall and connection monitoring                                      | WFP callout driver

Hyper-V Extensible Switch benefits
• Extensions can provide enhanced networking, monitoring, and security capabilities
• Open platform to fuel plug-ins: allows plug-ins to sit in the virtual switch between all traffic, including virtual machine-to-virtual machine traffic
• Core services are free: core services are provided for extensions
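The isolation features on the Secure Isolation slides above (PVLANs, port ACLs, DHCP guard, ARP/ND protection and trunk mode) are all configured per virtual network adapter. The script below is an added example, not code from the slide deck or from Microsoft: it puts two tenants into separate PVLAN communities on one primary VLAN, turns on the guards, applies allow/deny port ACLs, and then audits the result. The switch name, VM names, VLAN IDs, subnets and the DHCP server VM are constructed for the example; the cmdlets and parameters are those of the Hyper-V module in Windows Server 2012.

```powershell
# Added example (not from the slide deck): tenant isolation on the Hyper-V
# Extensible Switch. Names, VLAN IDs and subnets below are constructed.
Import-Module Hyper-V

$PrimaryVlan  = 100                   # PVLAN primary VLAN shared by all tenants
$BlueVms      = @('Blue1', 'Blue2')   # Blue Corp VMs -> community VLAN 101
$RedVms       = @('Red1', 'Red2')     # Red Corp VMs  -> community VLAN 102
$DhcpServerVm = 'Tenant-DHCP'         # the only port allowed to answer as a DHCP server
$TenantFwVm   = 'Tenant-FW'           # tenant firewall appliance that needs several VLANs

function Set-TenantPortIsolation {
    param(
        [Parameter(Mandatory)][string[]]$VmNames,
        [Parameter(Mandatory)][int]$SecondaryVlanId,
        [Parameter(Mandatory)][string]$TenantSubnet     # e.g. '10.0.0.0/24'
    )
    foreach ($vm in $VmNames) {
        # PVLAN community mode: ports of one tenant exchange frames at layer 2,
        # but never with the other tenant's community on the same primary VLAN.
        Set-VMNetworkAdapterVlan -VMName $vm -Community `
            -PrimaryVlanId $PrimaryVlan -SecondaryVlanId $SecondaryVlanId

        # DhcpGuard drops DHCP *server* replies sent from this port (DHCP snooping
        # protection); RouterGuard drops router advertisements/redirects; with MAC
        # spoofing off the port can only send with its assigned MAC, which is what
        # the switch's ARP/ND poisoning protection relies on.
        Set-VMNetworkAdapter -VMName $vm -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

        # Port ACLs: longest-prefix match, so the tenant's own subnet is allowed
        # and everything else (IPv4 and IPv6) is denied at the virtual port.
        Get-VMNetworkAdapterAcl -VMName $vm | Remove-VMNetworkAdapterAcl
        Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress $TenantSubnet -Direction Both -Action Allow
        Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0    -Direction Both -Action Deny
        Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress ::/0         -Direction Both -Action Deny
    }
}

# The designated DHCP server sits on a promiscuous port so it can reach both
# communities, and is the one port where DhcpGuard stays off.
function Set-TenantDhcpServerPort {
    param([Parameter(Mandatory)][string]$VmName)
    Set-VMNetworkAdapterVlan -VMName $VmName -Promiscuous `
        -PrimaryVlanId $PrimaryVlan -SecondaryVlanIdList '101-102'
    Set-VMNetworkAdapter -VMName $VmName -DhcpGuard Off -RouterGuard On -MacAddressSpoofing Off
}

# Trunk mode to a VM: one adapter receives several VLANs (here the tenant
# firewall); the native VLAN carries untagged frames.
function Set-TenantTrunkPort {
    param([Parameter(Mandatory)][string]$VmName)
    Set-VMNetworkAdapterVlan -VMName $VmName -Trunk -AllowedVlanIdList '100-110' -NativeVlanId 100
}

# Audit: one row per VM so a hosting operator can spot a port that lost its
# guards or its deny-all rule (for example after a VM was re-imported).
# Property names are those of the Hyper-V module objects; confirm with Get-Member.
function Get-TenantIsolationReport {
    param([Parameter(Mandatory)][string[]]$VmNames)
    foreach ($vm in $VmNames) {
        $nic  = Get-VMNetworkAdapter -VMName $vm
        $vlan = Get-VMNetworkAdapterVlan -VMName $vm
        $acls = Get-VMNetworkAdapterAcl -VMName $vm
        [pscustomobject]@{
            VM             = $vm
            VlanMode       = $vlan.OperationMode        # expect 'Private'
            PvlanMode      = $vlan.PrivateVlanMode      # expect 'Community'
            SecondaryVlan  = $vlan.SecondaryVlanId
            DhcpGuard      = $nic.DhcpGuard             # expect 'On' except on the DHCP server
            RouterGuard    = $nic.RouterGuard
            MacSpoofing    = $nic.MacAddressSpoofing    # expect 'Off'
            DenyAllPresent = [bool]($acls | Where-Object { $_.Action -eq 'Deny' -and $_.RemoteAddress -eq '0.0.0.0/0' })
        }
    }
}

Set-TenantPortIsolation -VmNames $BlueVms -SecondaryVlanId 101 -TenantSubnet '10.0.0.0/24'
Set-TenantPortIsolation -VmNames $RedVms  -SecondaryVlanId 102 -TenantSubnet '10.0.0.0/24'
Set-TenantDhcpServerPort -VmName $DhcpServerVm
Set-TenantTrunkPort -VmName $TenantFwVm
Get-TenantIsolationReport -VmNames ($BlueVms + $RedVms + $DhcpServerVm) | Format-Table -AutoSize
```

Both tenants reuse 10.0.0.0/24 on purpose: the PVLAN secondary VLAN, not the IP plan, is what keeps Blue and Red apart, and the audit row with DhcpGuard Off should only ever be the designated DHCP server.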
• Windows reliability/quality: extensions experience a high level of reliability and quality from the Windows platform and Windows logo certification program.
• Unified management: the management of extensions is integrated into Windows management through Windows PowerShell cmdlets and WMI scripting.
• Easier to support: unified tracing means that it is quicker and easier to diagnose issues when they arise. Less downtime increases availability of services.

Resource Metering
• Measure the amount of data center resources (compute, network, and storage)
• Keep track of resource usage over time and across the life cycle of the VM, even when it migrates between hosts
• Billing (chargeback, usage reporting): resource meters can be used to measure the incoming and outgoing network traffic on a per-VM basis, or over an entire Hyper-V Extensible Switch
• Performance counters: Windows Server 2012 introduces a number of new performance counters for SMB2 file share usage, RDMA usage, network traffic and VM metrics

Resource Metering metrics: average CPU use, average memory use, minimum memory use, maximum memory use, maximum disk allocation, incoming network traffic, outgoing network traffic
[Diagram: a two-tenant environment built with Hyper-V in Windows Server 2012.]

Resource Metering features
• Use of resource pools
• Compatibility with all Hyper-V operations
• Capability of helping to ensure that data is unaffected by virtual machine movement
• Use of network metering port access control lists (ACLs)

Basic model of Resource Metering for hosting service providers
1. Create virtual machines
2. Enable Resource Metering for virtual machines
3. Wait until the end of the billing period
4. Query the Resource Metering report
5. Bill the client
6. Reset Resource Metering data

Benefits of Resource Metering
• It's easier to track virtual machine use.
• You can use it to aggregate data for multiple virtual machines.
• You can use it to build chargeback solutions.
• It's easier to obtain resource use data.
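The six-step billing model above maps directly onto three cmdlets of the Hyper-V module (Enable-VMResourceMetering, Measure-VM, Reset-VMResourceMetering). The script below is an added example, not code from the slide deck or from Microsoft, that turns a Measure-VM report into an invoice line using the seven metrics the slides list. The rate card and VM names are constructed; the report property names (AvgCPU in MHz, AvgRAM and TotalDisk in MB, NetworkMeteredTrafficReport, MeteringDuration) are those Measure-VM exposes in Windows Server 2012 and should be confirmed on your build with Get-Member.

```powershell
# Added example (not from the slide deck): a resource-metering billing cycle.
# Rates and VM names are constructed; report property names are assumptions
# about the Measure-VM output object (check with: Measure-VM -VMName X | Get-Member).
Import-Module Hyper-V

$Rates = @{
    CpuMHzHour = 0.0001    # per average MHz per metered hour
    RamMBHour  = 0.00002   # per average MB per metered hour
    DiskGB     = 0.05      # per GB of maximum disk allocation
    NetworkGB  = 0.02      # per GB transferred, in or out
}

# Steps 1-2: after the VMs exist, start collecting. Enabling metering also adds
# Meter port ACLs for all IPv4/IPv6 traffic, which is where the network totals
# in the report come from.
function Enable-TenantMetering {
    param([Parameter(Mandatory)][string[]]$VmNames)
    foreach ($vm in $VmNames) {
        Enable-VMResourceMetering -VMName $vm
        # Flush counters to the VM configuration hourly so a host crash loses at
        # most an hour; the data already follows the VM across live migrations.
        Set-VM -VMName $vm -ResourceMeteringSaveInterval (New-TimeSpan -Hours 1)
    }
}

# Steps 4-6: read the report, price it, and only then reset. Resetting only after
# the invoice line is produced means a failure between read and reset never
# silently drops a billing period.
function Get-TenantInvoice {
    param([Parameter(Mandatory)][string[]]$VmNames, [switch]$ResetAfterRead)
    foreach ($vm in $VmNames) {
        $r     = Measure-VM -VMName $vm
        $hours = $r.MeteringDuration.TotalHours
        # Sum inbound and outbound rows of the per-adapter traffic report (MB).
        $inMB  = [double](($r.NetworkMeteredTrafficReport | Where-Object { $_.Direction -eq 'Inbound' }  | Measure-Object -Property TotalTraffic -Sum).Sum)
        $outMB = [double](($r.NetworkMeteredTrafficReport | Where-Object { $_.Direction -eq 'Outbound' } | Measure-Object -Property TotalTraffic -Sum).Sum)
        $charge = $r.AvgCPU * $hours * $Rates.CpuMHzHour +
                  $r.AvgRAM * $hours * $Rates.RamMBHour  +
                  ($r.TotalDisk / 1024) * $Rates.DiskGB +
                  (($inMB + $outMB) / 1024) * $Rates.NetworkGB
        [pscustomobject]@{
            VM        = $vm
            Hours     = [math]::Round($hours, 2)
            AvgCpuMHz = $r.AvgCPU
            AvgRamMB  = $r.AvgRAM
            MinRamMB  = $r.MinRAM
            MaxRamMB  = $r.MaxRAM
            MaxDiskGB = [math]::Round($r.TotalDisk / 1024, 2)
            NetInGB   = [math]::Round($inMB / 1024, 3)
            NetOutGB  = [math]::Round($outMB / 1024, 3)
            Charge    = [math]::Round($charge, 2)
        }
        if ($ResetAfterRead) { Reset-VMResourceMetering -VMName $vm }
    }
}

# Step 3 is the billing period itself; at its end run, for example:
# Enable-TenantMetering -VmNames 'Blue1','Blue2'      (once, at provisioning time)
# Get-TenantInvoice -VmNames 'Blue1','Blue2' -ResetAfterRead |
#     Export-Csv .\blue-corp-invoice.csv -NoTypeInformation
```

Because the counters live with the VM configuration rather than with the host, the same script produces a correct total for a VM that was live-migrated several times during the period, which is the point the "even when it migrates between hosts" bullet makes.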
Quality of Service (QoS)

Service provider needs
• Guarantee level of SLA: service providers need to guarantee certain levels of allocation of shared resources, including virtual CPU, storage, and network resources
• Protection from resource abuse: resource abuse can result in degradation of service for other customers

QoS with Windows Server 2012: the Windows Server 2012 QoS feature allows you to set the bandwidth limits for a specific port, allowing each VM to get a guaranteed minimum bandwidth

Key enhancements
• Supports a bandwidth floor (as well as a cap)
• Improves level of service based on type of traffic
• Can be configured manually or automated with scripts by using Windows PowerShell

QoS features (relative minimum bandwidth and strict minimum bandwidth)
• Establishes a bandwidth floor
• Assigns specified bandwidth for each type of traffic
• Helps to ensure fair sharing when there's congestion
• Can exceed quota when there's no congestion

Two mechanisms
• Enhanced packet scheduler (software)
• Network adapter with DCB support (hardware)
Strict minimum bandwidth does not allow oversubscription. Relative bandwidth is only available via PowerShell.

[Diagram: bandwidth oversubscription, showing four traffic classes with minimum-bandwidth shares of 30%, 40%, 20% and 10% and the bandwidth each receives at three points in time T1, T2, T3 (30%: 4, 4, 2; 40%: 5, 5, 6; 20%: 0, 3, 2; 10%: 0.5, 1, 0).]

VM Mobility: Network Virtualization and Cross-premises Connectivity
• IP mobility: move workloads without changing network configurations or reconfiguring physical networks.
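The QoS slides above describe two minimum-bandwidth modes (relative weight and strict absolute) and the rule that strict minimums must not oversubscribe the link. The script below is an added example, not code from the slide deck or from Microsoft: it creates a weight-mode switch, sets per-VM floors and caps with the Hyper-V module, and adds a planning check that flags oversubscription before a guarantee is committed to an SLA. Switch and adapter names, VM names and the bandwidth figures are constructed.

```powershell
# Added example (not from the slide deck): minimum-bandwidth QoS on the Hyper-V
# Extensible Switch plus an oversubscription check. Names and figures constructed.
Import-Module Hyper-V

# Relative minimum bandwidth: the switch divides the uplink by weight only under
# congestion; with no congestion any VM may exceed its share. This mode is only
# configurable from PowerShell, as the slides note.
function New-WeightedTenantSwitch {
    param([string]$Name = 'TenantSwitch', [string]$NetAdapterName = 'Ethernet 2')
    New-VMSwitch -Name $Name -NetAdapterName $NetAdapterName `
        -MinimumBandwidthMode Weight -AllowManagementOS $false
    # Weight applied to any port that gets no explicit setting.
    Set-VMSwitch -Name $Name -DefaultFlowMinimumBandwidthWeight 10
}

# Per-VM floor (weight or absolute bits/s, depending on the switch mode) and an
# optional cap, which is the "protection from resource abuse" control.
function Set-TenantBandwidth {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int]$Weight,          # 1..100, for a Weight-mode switch
        [long]$MinimumBps,     # for an Absolute-mode switch
        [long]$MaximumBps      # cap, valid in either mode
    )
    if ($Weight)     { Set-VMNetworkAdapter -VMName $VMName -MinimumBandwidthWeight   $Weight }
    if ($MinimumBps) { Set-VMNetworkAdapter -VMName $VMName -MinimumBandwidthAbsolute $MinimumBps }
    if ($MaximumBps) { Set-VMNetworkAdapter -VMName $VMName -MaximumBandwidth         $MaximumBps }
}

# Planning check on plain numbers: strict minimums may not exceed the uplink
# speed, and weights should not total more than 100.
function Test-BandwidthPlan {
    param(
        [Parameter(Mandatory)][long]$LinkSpeedBps,
        [long[]]$AbsoluteMinimumsBps = @(),
        [int[]]$Weights = @()
    )
    $sumAbs = [double]($AbsoluteMinimumsBps | Measure-Object -Sum).Sum
    $sumW   = [double]($Weights | Measure-Object -Sum).Sum
    [pscustomobject]@{
        StrictOversubscribed = $sumAbs -gt $LinkSpeedBps
        StrictHeadroomBps    = $LinkSpeedBps - $sumAbs
        WeightOversubscribed = $sumW -gt 100
        WeightTotal          = $sumW
    }
}

# The same check against a live host: read the floors actually configured on
# every port of a switch and the uplink speed reported by the physical adapter.
function Test-SwitchBandwidthPlan {
    param([Parameter(Mandatory)][string]$SwitchName)
    $nics  = Get-VMNetworkAdapter -All | Where-Object { $_.SwitchName -eq $SwitchName }
    $desc  = (Get-VMSwitch -Name $SwitchName).NetAdapterInterfaceDescription
    $speed = (Get-NetAdapter -InterfaceDescription $desc).Speed      # bits per second
    Test-BandwidthPlan -LinkSpeedBps $speed `
        -AbsoluteMinimumsBps ($nics | ForEach-Object { [long]$_.BandwidthSetting.MinimumBandwidthAbsolute }) `
        -Weights             ($nics | ForEach-Object { [int]$_.BandwidthSetting.MinimumBandwidthWeight })
}

# Constructed planning run: a 10 Gbps uplink with four strict guarantees of
# 3, 4, 2 and 1 Gbps fills the link exactly (StrictOversubscribed = False,
# headroom 0); adding a fifth 1 Gbps floor would flip it to True, which is the
# configuration strict mode refuses.
Test-BandwidthPlan -LinkSpeedBps 10000000000 `
    -AbsoluteMinimumsBps 3000000000, 4000000000, 2000000000, 1000000000
```

Weight mode is the more forgiving choice for a hoster, because an idle tenant's share is lent to busy ones; absolute mode is the one to use when the SLA states a number in Gbps, and the check above is what keeps that number honest as VMs are added to a host.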
• VPN connectivity: Remote Access Service (RAS) establishes a VPN site-to-site connection; workloads that run inside a cloud-based data center become an extension of the enterprise network
• Live migration: move several VMs at the same time, with support for concurrent live migrations
• Storage migration, move with zero downtime: together with live migration, enables moving VMs between hosts that are on different clusters and that are not using the same storage device
• Shared Nothing Live Migration: provides the ability to move a virtual machine (VM) from one host to another, while running, without the need for the origin and destination servers to share common storage

VM Mobility
• Secure isolation: isolate network traffic from different business units or customers on a shared infrastructure without VLANs
• Flexible migrations: move VMs as needed within your virtual infrastructure while preserving their virtual network assignments
• Seamless integration: transparently integrate these private networks into a preexisting infrastructure on another site

Network Virtualization: decouples tenants' logical topologies from the data center's physical topology by introducing a virtualization layer for the network. Run multiple virtual networks (a Blue network and an Orange network in the slide) on one physical network; each virtual network acts as though it is running as a physical fabric.
[Diagram: Blue and Orange virtual networks over a physical network of servers and top-of-rack switches.]

Windows Server 2012 network virtualization
• Offers numerous benefits with virtual machine placement functionality
• Removes VLAN constraints
• Eliminates hierarchical IP address assignment for virtual machines
• Implemented by the Hyper-V Extensible Switch and the Hyper-V parent partition network stack
• Creates separate address spaces for the tenants and the provider: the Customer Address (CA) space, which the tenants see, and the Provider Address (PA) space, which the cloud provider sees
• Network Virtualization Gateway: enables a network-virtualized tenant to communicate with other servers that have physical IP addresses
Considerations: requires the data center management software (DCMS) to configure the IP address mapping tables between the CA and PA address spaces for each network-virtualized tenant that is moved to the cloud. Once this is done, tenant VMs can be arbitrarily hosted on any physical host and communicate among themselves using their own IP addresses.

VM Mobility: cross-premises connectivity
[Diagram: Contoso.com Sydney branch (Subnet 3), Contoso public cloud (Subnets 1, 2 and 4), Contoso.com Melbourne branch (Subnet 2), Woodgrove public cloud (Subnets 1, 2 and 4) and Woodgrove Perth branch (Subnet 3), connected over the Internet through Windows Server 2012 remote access site-to-site VPN servers (industry-standard IKEv2-IPsec tunnels) and DirectAccess clients.]
VPN site-to-site functionality in remote access:
• Cross-premises connectivity between enterprises and hosting service providers
• Connection to private subnets in hosted cloud networks
• Connectivity between geographically separate enterprise locations

VM Mobility: live migration
New and enhanced live migration features allow for a faster, easier process
• Migrate several VMs at the same time
• Higher network bandwidths (up to 10 GB per second) supported
• Dynamic mobility of VMs: combined with features such as network virtualization, VMs can be moved between different hosts on different network subnets

VM Mobility: storage migration
• New capability of Windows Server 2012
• Enables storage to be moved with zero downtime
• Allows the administrator to move a VHD of a running VM to a different storage device, which provides great flexibility and control over the cloud environment
• Together with live migration, also enables moving of VMs between hosts on different clusters using different storage devices
1. Reads and writes go to the VHD on the source device
2. The VHD is copied from the source device to the destination device
3. After copying, all write operations are mirrored to the source and destination
4. After source and destination storage are synchronized, the VM's VHD access is transferred to the VHD on the destination device
5. The VHD on the source device is deleted

VM Mobility: shared-nothing live migration
❶ Disk reads and writes go to the source virtual hard disk
❷ Disk contents are copied over the network to the new destination virtual hard disk
❸ Disk writes are mirrored to both the source and destination virtual hard disks while outstanding disk changes are replicated
❹ Virtual machine live migration is initiated, following the same process that was used for live migration with shared storage
After the live migration is complete and the virtual machine is successfully running on the destination server, the files on the source server are deleted. After the virtual machine's storage is migrated, the virtual machine migrates while it continues to run and provide network services.
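The storage-migration and shared-nothing live-migration sequences above are driven by Move-VMStorage and Move-VM in the Hyper-V module. The script below is an added example, not code from the slide deck or from Microsoft: it prepares two hosts for live migration, then performs a storage-only move and a shared-nothing move with a post-move check. Host names, paths, the migration subnet and VM names are constructed; Kerberos constrained delegation between the hosts is assumed to be configured in Active Directory already.

```powershell
# Added example (not from the slide deck): storage migration and shared-nothing
# live migration. Host names, paths and subnets are constructed; Kerberos
# delegation between the hosts is assumed to exist.
Import-Module Hyper-V

# One-time preparation on both the source and the destination host.
function Enable-HostLiveMigration {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$MigrationSubnet,   # e.g. '192.168.1.0/24'
        [int]$Concurrent = 4                               # "migrate several VMs at the same time"
    )
    Enable-VMMigration -ComputerName $ComputerName
    # Kerberos keeps credentials off the hosts; CredSSP would work without
    # delegation but needs an interactive logon on the source for each move.
    Set-VMHost -ComputerName $ComputerName `
        -VirtualMachineMigrationAuthenticationType Kerberos `
        -MaximumVirtualMachineMigrations $Concurrent `
        -MaximumStorageMigrations $Concurrent `
        -UseAnyNetworkForMigration $false
    # Confine memory-page and VHD copy traffic to a dedicated network so it never
    # shares a wire with tenant VM traffic.
    Add-VMMigrationNetwork -ComputerName $ComputerName -Subnet $MigrationSubnet -Priority 1
}

# Storage migration only: the VM keeps running on the same host while its VHD
# goes through the copy / mirror writes / switch over / delete sequence.
function Move-TenantVmStorage {
    param([Parameter(Mandatory)][string]$VMName, [Parameter(Mandatory)][string]$DestinationPath)
    Move-VMStorage -VMName $VMName -DestinationStoragePath $DestinationPath
}

# Shared-nothing live migration: storage moves first, then memory and device
# state; the two hosts need neither a cluster nor shared storage.
function Move-TenantVm {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$DestinationHost,
        [Parameter(Mandatory)][string]$DestinationPath
    )
    Move-VM -Name $VMName -DestinationHost $DestinationHost `
        -IncludeStorage -DestinationStoragePath $DestinationPath
    # Post-move check: running on the destination, virtual switch assignment
    # preserved, files under the new path.
    $vm = Get-VM -ComputerName $DestinationHost -Name $VMName
    [pscustomobject]@{
        VM       = $VMName
        Host     = $vm.ComputerName
        State    = $vm.State                       # expect 'Running'
        Switches = (($vm | Get-VMNetworkAdapter).SwitchName -join ',')
        Path     = $vm.Path
    }
}

# Enable-HostLiveMigration -ComputerName 'HV-HOST1' -MigrationSubnet '192.168.1.0/24'
# Enable-HostLiveMigration -ComputerName 'HV-HOST2' -MigrationSubnet '192.168.1.0/24'
# Move-TenantVmStorage -VMName 'Blue1' -DestinationPath 'D:\VMs\Blue1'
# Move-TenantVm -VMName 'Blue1' -DestinationHost 'HV-HOST2' -DestinationPath 'D:\VMs\Blue1'
```

The dedicated migration network matters for a hoster for the same reason as the rest of the deck: a VM's memory image crosses the wire in clear during live migration, so it should travel only on the operator's management network, never on a segment a tenant VM can reach.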
Multi-Tenant Datacenter: multiple business units (Finance, Sales) or multiple customers (Contoso Bank, Woodgrove Bank) on shared infrastructure

Challenges
• Limited workload mobility: physical location determines network address; IP address topology limits VM placement
• Resource utilization: consolidate workloads to efficiently use CPU, storage, network; limited VM placement leads to infrastructure overprovisioning
• Operational inefficiency: deploying VMs requires tight cooperation of server/network admins; coordinating teams increases complexity and reduces agility
• Scalable multi-tenancy: VLANs not suited for dynamic cloud topologies; reconfiguration of production switches increases risk
• Onboarding: VM IP addresses are entangled with security and access policies; requiring IP address changes reduces cloud adoption
Ideal: workloads placed anywhere and able to dynamically grow and shrink without being constrained by the network
[Diagram: aggregation switches, ToR switches and VLAN tags; the topology limits VM placement and requires reconfiguration of production switches. With network virtualization, a Blue VM and a Red VM on one physical server belong to separate Blue and Red networks over the same physical network.]

Who benefits
• Workload owners: seamless migration to the cloud; move n-tier topology to the cloud; preserve policies, VM settings, IP addresses
• Enterprises: private cloud datacenter consolidation and efficiencies; extension of datacenter into hybrid cloud; incremental integration of acquired company network infrastructure
• Hosters: bring your own IP; bring your network topology; scalable multitenancy
• Private/public cloud datacenter admins: flexible VM placement without reconfiguration; decoupling of server and network admin roles increases agility

[Diagram: multi-tenant datacenter with a Blue Corp customer VM network (Blue R&D Net: Blue Subnet1, Subnet2, Subnet3; Blue Sales Net: Blue Subnet4, Subnet5) and a Red Corp network (Red HR Net: Red Subnet1, Subnet2), each a virtual subnet, mapped onto the Provider Address Space (PA) by System Center.]

Datacenter network virtualization policy (the example used in the slides)
Customer Address Space (CA): Blue1 10.0.0.5 and Blue2 10.0.0.7 for Blue Corp; Red1 10.0.0.5 and Red2 10.0.0.7 for Red Corp. Both tenants use the same customer addresses.
Provider Address Space (PA): Host 1 192.168.4.11, Host 2 192.168.4.22.
Policy: Blue 10.0.0.5 → 192.168.4.11, Blue 10.0.0.7 → 192.168.4.22; Red 10.0.0.5 → 192.168.4.11, Red 10.0.0.7 → 192.168.4.22. Blue traffic is encapsulated with GRE key (VSID) 5001 and Red traffic with GRE key 6001; the slide illustrates an encapsulated packet between provider addresses 192.168.2.22 and 192.168.5.55 carrying inner addresses 10.0.0.5 → 10.0.0.7 under each key.
System Center pushes the data center policy to a host agent on each host. Blue: VM1: MAC1, CA1, PA1; VM2: MAC2, CA2, PA3; VM3: MAC3, CA3, PA5; … Red: VM1: MACX, CA1, PA2; VM2: MACY, CA2, PA4; VM3: MACZ, CA3, PA6; …

Host network stack (Windows Server 2012): VM1 (CA1) → Hyper-V Switch (VSID ACL isolation, switch extensions) → Network Virtualization filter (IP virtualization, policy enforcement, routing) → NIC (PA1). Management, live migration, cluster and storage traffic use the host network stack directly, outside the virtualized network.

Same-subnet packet flow: Blue1 (10.0.0.5, VSID 5001, Host 1) to Blue2 (10.0.0.7, VSID 5001)
1. Blue1 asks "where is 10.0.0.7?" and sends an ARP request for 10.0.0.7. The Hyper-V Switch broadcasts the ARP to (a) all local VMs on VSID 5001 and (b) the Network Virtualization filter. Red1, on VSID 6001, never sees it.
2. If Blue2 is on the same host, Blue2 responds to the ARP for 10.0.0.7 on VSID 5001 with its MAC (MACB2). If Blue2 is on Host 2, the Network Virtualization filter responds on VSID 5001 with Blue2's MAC taken from policy; no ARP is sent onto the physical network.
3. Blue1 learns to use MACB2 for 10.0.0.7 and sends the frame MACB1 → MACB2, 10.0.0.5 → 10.0.0.7. Inside the Hyper-V switch the frame carries out-of-band (OOB) data VSID:5001, which VSID ACL enforcement checks.
4. The Network Virtualization filter looks up the destination PA and puts NVGRE on the wire: outer MACPA1 → MACPA2, 192.168.4.11 → 192.168.4.22, GRE key 5001, inner MACB1 → MACB2, 10.0.0.5 → 10.0.0.7.
5. On Host 2 the Network Virtualization filter decapsulates, marks the frame OOB VSID:5001, and the Hyper-V switch delivers it to Blue2 only.

Cross-subnet packet flow: Blue1 (10.0.0.5, VSID 5001) to Blue2 (10.0.1.7, VSID 5222)
1. Blue1 asks "where is 10.0.1.7?"; the address is off-subnet, so Blue1 sends an ARP for its default gateway, 10.0.0.1. The Hyper-V Switch broadcasts the ARP to all local VMs on VSID 5001 and to the Network Virtualization filter.
2. The Network Virtualization filter responds to the ARP with its own MAC address, MACDGW. Note: MACDGW is not exposed to the physical network, and the Network Virtualization filter (10.0.0.1) does not respond to ping.
3. Blue1 learns that the default gateway is at MACDGW and sends MACB1 → MACDGW, 10.0.0.5 → 10.0.1.7, with OOB VSID:5001.
4. The Network Virtualization filter routes the packet: in the filter the frame becomes MACB1 → MACB2 with OOB VSID:5222 (the destination's virtual subnet), and NVGRE goes on the wire as outer MACPA1 → MACPA2, 192.168.4.11 → 192.168.4.22, GRE key 5222, inner MACB1 → MACB2, 10.0.0.5 → 10.0.1.7.
5. On Host 2 the frame MACB1 → MACB2, 10.0.0.5 → 10.0.1.7 is received by Blue2 on VSID 5222 through its Hyper-V switch.

[Diagram: multi-tenant datacenter with Blue R&D Net (Blue Subnet1, Subnet2, Subnet3) and Red HR Net (Red Subnet1, Subnet2); a Hyper-V Network Virtualization Gateway connects the tenants to non-virtualized resources, and S2S VPN tunnels connect a remote cloud (subnets 10.229.15, 10.229.16, 10.229.17 and 10.229.1 hosting DC, SQL and CorpNet DNS).]
[Diagram: consolidated datacenter with Hyper-V Network Virtualization. Host1, Host2 and Host3 run Blue (B1, B2, B3), Red (R1 to R4) and Yellow (Y1, Y2) VMs. Customer address space 192.168.10/24 (DC, Lync, Exchange, SQL, VM/VoIP network) and 192.168.50/24 (VM 10.10.0.2 behind router 192.168.50.2, with PSTN); provider address space 10.10.0.0/16 (host virtual switches at 10.10.0.1 and 10.10.0.3, physical router 10.10.1.1 / 10.10.1.2); datacenter fabric and management on the host OS at 192.168.1.10, 192.168.1.11 and 192.168.1.12, infrastructure DC & SMB at 192.168.1.13, gateway virtual switch 192.168.11.X; cross-subnet live migration between hosts.]
[Diagram: hoster datacenter network virtualization fabric with S2S VPN from Blue Corp (DNS, SQL, DC) and Red Corp through a Hyper-V Network Virtualization Gateway to Web1, Web2, Web3 and R1, R2 on two hosts; F5 demo: F5Demo and F5Agility corporate networks 192.168.1.0/24 connected to a cloud provider (192.168.1.0/24) and to Office 365 (SharePoint Online, Exchange Online, Lync Online).]

Benefits summary
• Limited workload mobility: deploy VMs anywhere in the datacenter
• Resource utilization: cross-subnet live migration allows you to locate VMs to better utilize datacenter resources
• Operational inefficiency: server admins can deploy VMs decoupled from network admins managing traffic
• Scalable multi-tenancy: multi-tenant isolation without need for (but compatible with) VLANs
• Onboarding: customers keep their IP addresses and their network topologies
Agility, simplicity, scalability.

Register your interest with [email protected]

Further reading:
• http://social.technet.microsoft.com/wiki/contents/articles/11524.windows-server-2012-hyper-vnetwork-virtualization-survival-guide.aspx
• http://technet.microsoft.com/en-us/library/jj134230.aspx
• http://blogs.technet.com/b/windowsserver/archive/2012/04/16/introducing-windows-server-8hyper-v-network-virtualization-enabling-rapid-migration-and-workload-isolation-in-thecloud.aspx
• http://gallery.technet.microsoft.com/scriptcenter/Simple-Hyper-V-Network-d3efb3b8
• http://gallery.technet.microsoft.com/scriptcenter/Simple-Hyper-V-Network-6928e91b
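The policy table and the two packet walks above (same-subnet NVGRE with GRE key 5001, cross-subnet routing through the filter's MACDGW with key 5222) can be expressed as Hyper-V Network Virtualization policy on a host. The script below is an added example, not code from the slide deck, from Microsoft, or from the Simple-Hyper-V-Network scripts linked above: it applies the Blue/Red lookup records and customer routes with the NetWNV and Hyper-V modules, and includes an offline model of the lookup the Network Virtualization filter performs so the three cases (local delivery, same-subnet NVGRE, routed NVGRE, plus the cross-tenant drop) can be reasoned about without a host. The CA/PA addresses and VSIDs are the slides' values; the MAC addresses, routing-domain GUIDs, uplink adapter name and the third Blue VM (the slides reuse the name Blue2 for 10.0.1.7) are constructed for the example.

```powershell
# Added example (not from the slide deck): HNV/NVGRE policy for the Blue and Red
# tenants, plus an offline model of the filter's lookup. MACs, GUIDs and the
# adapter name are constructed; CAs, PAs and VSIDs are the slides' values.
Import-Module Hyper-V
Import-Module NetWNV

$Uplink   = 'Ethernet 2'                                 # NIC carrying PA traffic (constructed)
$BlueRdid = '{11111111-2222-3333-4444-555555555501}'     # constructed routing-domain ID, Blue Corp
$RedRdid  = '{11111111-2222-3333-4444-555555555502}'     # constructed routing-domain ID, Red Corp

# CA -> PA map. Blue and Red reuse 10.0.0.5/10.0.0.7; the VSID, carried as the
# GRE key, keeps them apart. Blue3 stands for the slides' 10.0.1.7 VM on VSID 5222.
$Policy = @(
    [pscustomobject]@{ VM='Blue1'; CA='10.0.0.5'; PA='192.168.4.11'; VSID=5001; MAC='00155D000501'; RDID=$BlueRdid }
    [pscustomobject]@{ VM='Blue2'; CA='10.0.0.7'; PA='192.168.4.22'; VSID=5001; MAC='00155D000502'; RDID=$BlueRdid }
    [pscustomobject]@{ VM='Blue3'; CA='10.0.1.7'; PA='192.168.4.22'; VSID=5222; MAC='00155D000503'; RDID=$BlueRdid }
    [pscustomobject]@{ VM='Red1';  CA='10.0.0.5'; PA='192.168.4.11'; VSID=6001; MAC='00155D000601'; RDID=$RedRdid  }
    [pscustomobject]@{ VM='Red2';  CA='10.0.0.7'; PA='192.168.4.22'; VSID=6001; MAC='00155D000602'; RDID=$RedRdid  }
)
# Virtual subnets per routing domain; the filter is the distributed default
# gateway (.1) between subnets of one domain, never between domains.
$CustomerRoutes = @(
    [pscustomobject]@{ RDID=$BlueRdid; VSID=5001; Prefix='10.0.0.0/24' }
    [pscustomobject]@{ RDID=$BlueRdid; VSID=5222; Prefix='10.0.1.0/24' }
    [pscustomobject]@{ RDID=$RedRdid;  VSID=6001; Prefix='10.0.0.0/24' }
)

# Apply the policy on one host. In production the DCMS (System Center VMM) pushes
# this through its host agent; these are the cmdlets that agent drives.
function Set-HostNvPolicy {
    param([Parameter(Mandatory)][string]$LocalPA, [Parameter(Mandatory)][int]$InterfaceIndex)
    # Bind the Network Virtualization filter (ms_netwnv) on the uplink and
    # register this host's provider address.
    Enable-NetAdapterBinding -Name $Uplink -ComponentID ms_netwnv
    New-NetVirtualizationProviderAddress -ProviderAddress $LocalPA -InterfaceIndex $InterfaceIndex -PrefixLength 24
    # Every host needs the whole CA->PA map, not just its own VMs: that is how the
    # filter answers ARP locally and picks the outer destination for NVGRE.
    foreach ($p in $Policy) {
        New-NetVirtualizationLookupRecord -CustomerAddress $p.CA -ProviderAddress $p.PA `
            -VirtualSubnetID $p.VSID -MACAddress $p.MAC -Rule TranslationMethodEncap -CustomerID $p.RDID
    }
    foreach ($r in $CustomerRoutes) {
        New-NetVirtualizationCustomerRoute -RoutingDomainID $r.RDID -VirtualSubnetID $r.VSID `
            -DestinationPrefix $r.Prefix -NextHop '0.0.0.0' -Metric 255
    }
    # Pin each local VM to the MAC in policy and to its virtual subnet; the VSID
    # travels as OOB data through the Hyper-V switch and is checked by the VSID ACL.
    foreach ($p in ($Policy | Where-Object { $_.PA -eq $LocalPA })) {
        Set-VMNetworkAdapter -VMName $p.VM -StaticMacAddress $p.MAC -VirtualSubnetId $p.VSID
    }
}

# Offline model of the packet walk: what the filter does for a source VM and a
# destination CA. Pure PowerShell, no host needed.
function Resolve-NvPath {
    param([Parameter(Mandatory)][string]$SourceVM, [Parameter(Mandatory)][string]$DestinationCA)
    $src = $Policy | Where-Object { $_.VM -eq $SourceVM }
    if (-not $src) { throw "unknown VM $SourceVM" }
    # Lookups are scoped to the source's routing domain, so Red1 asking for a
    # Blue-only address (10.0.1.7) gets nothing even though Red shares 10.0.0.0/24.
    $dst = $Policy | Where-Object { $_.RDID -eq $src.RDID -and $_.CA -eq $DestinationCA }
    if (-not $dst) { return [pscustomobject]@{ Result='Dropped'; Reason="no lookup record for $DestinationCA in $SourceVM's routing domain" } }
    $sameSubnet = ($src.VSID -eq $dst.VSID)
    if ($sameSubnet -and $src.PA -eq $dst.PA) {
        return [pscustomobject]@{ Result='LocalSwitch'; VSID=$src.VSID; InnerMAC="$($src.MAC)->$($dst.MAC)" }
    }
    $mode = if ($sameSubnet) { 'NVGRE' } else { 'NVGRE-Routed' }
    $arp  = if ($sameSubnet) { $dst.MAC } else { 'MACDGW' }   # what the VM's ARP resolved to
    [pscustomobject]@{
        Result   = $mode
        ArpReply = $arp
        OuterIP  = "$($src.PA)->$($dst.PA)"
        GreKey   = $dst.VSID            # the destination subnet's VSID: 5001 same-subnet, 5222 routed
        InnerMAC = "$($src.MAC)->$($dst.MAC)"
        InnerIP  = "$($src.CA)->$($dst.CA)"
    }
}

Resolve-NvPath -SourceVM Blue1 -DestinationCA 10.0.0.7   # NVGRE, key 5001, 192.168.4.11->192.168.4.22
Resolve-NvPath -SourceVM Blue1 -DestinationCA 10.0.1.7   # NVGRE-Routed, ArpReply MACDGW, key 5222
Resolve-NvPath -SourceVM Red1  -DestinationCA 10.0.0.7   # NVGRE, key 6001: Red's own 10.0.0.7, not Blue's
Resolve-NvPath -SourceVM Red1  -DestinationCA 10.0.1.7   # Dropped: no record in Red's routing domain
```

The last two calls are the security property of the scheme in one line each: a customer address is only meaningful together with a routing domain, so identical addresses in two tenants resolve to different provider endpoints and keys, and an address that exists only in the other tenant does not resolve at all.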
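The cross-premises diagrams above show branches and hosted clouds joined by IKEv2-IPsec site-to-site tunnels terminated on Windows Server 2012 remote access servers. The script below is an added example, not code from the slide deck or from Microsoft, showing the hosting-side half of one such tunnel with the RemoteAccess module. The interface name, remote endpoint and branch prefixes are constructed (the 10.229.x subnets are taken from the remote-cloud diagram and written as /24s, which the slide does not state); the machine certificate for the server is assumed to be enrolled already, and parameter values follow the module's documentation for Windows Server 2012 and should be checked with Get-Help on your build.

```powershell
# Added example (not from the slide deck): a site-to-site IKEv2/IPsec tunnel on
# the hosting side. Names, endpoint and prefixes are constructed.
Import-Module RemoteAccess

# One-time role setup on the hosting-side VPN server:
# Install-RemoteAccess -VpnType VpnS2S

function New-TenantS2STunnel {
    param(
        [Parameter(Mandatory)][string]$Name,             # e.g. 'Contoso-Sydney'
        [Parameter(Mandatory)][string]$RemoteEndpoint,   # branch VPN server address or FQDN
        [Parameter(Mandatory)][string[]]$RemotePrefixes  # branch subnets reachable through the tunnel
    )
    # IPv4Subnet entries take the form 'prefix:metric'.
    $routes = $RemotePrefixes | ForEach-Object { "$($_):100" }
    # Machine certificates rather than a pre-shared key: nothing to hand to the
    # tenant out of band, and the branch identity is tied to a CA the hoster trusts.
    Add-VpnS2SInterface -Name $Name -Destination $RemoteEndpoint -Protocol IKEv2 `
        -AuthenticationMethod MachineCertificates -IPv4Subnet $routes -Persistent
    Connect-VpnS2SInterface -Name $Name
}

# Tunnel state summary for monitoring; property names are those of the
# Get-VpnS2SInterface output object (confirm with Get-Member).
function Get-TenantS2SState {
    param([Parameter(Mandatory)][string]$Name)
    $if = Get-VpnS2SInterface -Name $Name
    [pscustomobject]@{
        Name            = $if.Name
        ConnectionState = $if.ConnectionState   # expect 'Connected'
        Protocol        = $if.Protocol          # expect 'IKEv2'
        Authentication  = $if.AuthenticationMethod
        Routes          = ($if.IPv4Subnet -join ',')
    }
}

# New-TenantS2STunnel -Name 'Contoso-Sydney' -RemoteEndpoint 'vpn.sydney.contoso.example' `
#     -RemotePrefixes '10.229.15.0/24', '10.229.16.0/24', '10.229.17.0/24'
# Get-TenantS2SState -Name 'Contoso-Sydney'
```

Combined with the network virtualization policy, the tunnel is what lets the "bring your own IP" promise hold end to end: the branch keeps its prefixes, the routes on the S2S interface point them at the tenant's virtual subnets, and the Hyper-V Network Virtualization Gateway in the diagrams is where the two meet.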