New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

John Howard - Hyper-V and virtualization blog : bNew/b in Hyper-V b…/b « Windows 7 Live Info

Thu, 21 May 2009 23:03:42 GMT

PingBack from http://windows7live.info/?p=10657

re: New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

Joay — Fri, 22 May 2009 17:05:11 GMT

Under what scenario would you choose "Less secure'?

re: New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

jhoward — Fri, 22 May 2009 19:32:50 GMT

Joay - for example if the application running in a VM needs to send packets out with a source MAC other than the configured MAC address for the VM - Network Load Balancing (NLB) does this.

Thanks,

John.

New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

News — Sun, 24 May 2009 17:52:17 GMT

Our Virtual Switch got smarter in Windows Server 2008 R2. In Windows Server 2008, VMs are susceptible

re: New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

Jason — Mon, 08 Jun 2009 05:04:04 GMT

I think you have a typo above...

"When the checkbox is not checked (i.e. the port is in “secure” mode):

..."

"When the checkbox is not checked (i.e. the port is in “less secure” mode):

..."

re: New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

jhoward — Tue, 16 Jun 2009 00:43:12 GMT

Good spot - thanks Jason (and to others who mailed me direct). I've corrected the post.

Thanks,

John.

re: New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

Ultima Hosts — Wed, 11 Nov 2009 11:25:24 GMT

Any pointers on how to setup the virtual network when the switch will only accept the physical MAC address?

re: New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

madshark — Thu, 12 Nov 2009 14:06:38 GMT

Hi, what about spoofing IP addresses? It seems the virtual switch is not yet 'smart' enough for ACL's to be configured. In a hosted environment any customer's VM can steal the IP of another VM in the same subnet or even worse the gateway ...

... I would really like to here your comments on this issue. Yes I am talking about selling VM's as opposed to an internal environment so layer 2 security is essential.

re: New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

jhoward — Tue, 24 Nov 2009 15:16:47 GMT

Madshark - the Hyper-V virtual switch is a layer 2 switch in both 2008 and 2008 R2. As such, to enforce seperation at layer 3, there are a few options. One is to use seperate physical NICs (obviously somewhat limiting in terms of scalability). VLANs will also provide full separation. There are some software solutions out there from vendors such as fivenines too.

Thanks,

John.

re: New in Hyper-V Windows Server 2008 R2 Part 2 – MAC Spoofing

jhoward — Tue, 24 Nov 2009 15:23:00 GMT

Ultima Hosts - are you saying the *physical* switch port will only accept the physical MAC address? The virtual switch doesn't have a MAC address itself - VMNics (or the VNic in the parent partition if configured) have MAC addresses. If the physical switch port is ACL'd to only allow the MAC address of the physical NIC, you need to relax security on that switch port to allow all traffic for the VMNics (and optionally the parent vNIC) for traffic to be able to flow.

Thanks,

John.