Kevin Remde's IT Pro Weblog
IT Pro Resources
IT Pro Evangelist Blogs
It’s the weekend! Just in time for Part 20 of the “31 Days of our Favorite Things” series: the Hyper-V Extensible Virtual Switch!
What is a Virtual Switch?
In Hyper-V, as in other virtualization platforms, a virtual switch is rather like a physical networking switch in the sense that it is a connection point for virtual machines. You define this virtual connection point (a switch) that, when more than one virtual machine connect to it, and with the proper IP configuration, they can communicate with one another. TCP/IP traffic flows through the switch. And when supporting VMs that are doing production work, the virtual switch is also the conduit through which the virtual machines connect to the physical network.
What makes your virtual switch extensible?
Microsoft has created the new virtual switch in Hyper-V 3.0 (the one available in Windows Server 2012, or in the free Microsoft Hyper-V Server 2012) to allow for the adding of extensions that can monitor, operate upon, or even modify the network traffic as it passes through the switch. Traffic shaping, protection against malicious virtual machines, easier troubleshooting of issues, and even tenant isolation can be provided as a result.
Why is it good to be extensible instead of just replaceable?
Microsoft doesn’t just provide a way to replace the native virtual switch with 3rd-party switches. The goal was to add flexibility to the architecture that would allow more than one extension to be included in the same switch. For example, the Cisco Nexus 1000v provides “consistent, policy-based network capabilities to virtual machines across your data center”, and I can add their extension to my Hyper-V virtual switch as a forwarding extension. But on that same switch I also might want to packet inspection using products like sFlow by inMon. Or perhaps I want to filter and even drop un-wanted packets using a virtual firewall and antivirus like the one by 5nine’s Security Manager. Or how about filtering extensions to detect and prevent Denial-of-Service attacks.
How does it work?
Need I say more?
Okay. In a nutshell (because I assume that the readers of this article are more likely to be consumers of these products and capabilities rather than the developers of these extensions), the extensions are written as either NDIS filter drivers or WFP callout drivers, which are two public platforms for extending Windows networking functionality.
There are 4 general purposes extensions. Here is a quick chart showing off the types, their defined purpose, some examples, and how the extensibility is provided (information borrowed from The Hyper-V Virtual Switch Overview):
Network packet inspection
View network packets for virtual machine to virtual machine traffic per vSwitch. Cannot alter network packets.
sFlow, network monitoring
NDIS filter driver
Network packet filter
Create, filter, and modify network packets that are entering or leaving the vSwitch and in virtual machine to virtual machine traffic.
Provide forwarding extension per vSwitch, which bypasses default forwarding (maximum of one per vSwitch).
OpenFlow, Virtual Ethernet Port Aggregator (VEPA), proprietary network fabrics
Intrusion detection or firewall
Filter and modify TCP/IP packets, monitor or authorize connections, filter traffic that is protected by IPsec, and filter RPCs.
Virtual firewall, connection monitoring
WFP callout driver
Where do I get these extensions?
The Windows Server Catalog has a Hyper-V Switch Extensions section that will contain the released products. Currently there is only one product listed,
Additionally, you could always “Google it on Bing”, in order to discover other options currently in development, or being released by other vendors and perhaps not yet listed at our catalog site.
Read more here: The Hyper-V Virtual Switch Overview
So in summary, the Virtual Switch provided with Hyper-V in Windows Server 2012 and Hyper-V Server 2012 is extensible. Extensions can be purchased and added to provide rich network packet inspection, filtering, traffic shaping, firewalling, and intrusion detection.
Does this sound like something you might use? Have any questions? That’s what the comments are for.