What's New in Hyper-V Virtual Switch in Windows Server 2012 R2


Applies To: Windows Server 2012 R2

This topic provides information about the new features for the Hyper-V Virtual Switch in Windows Server® 2012 R2.


Hyper-V Virtual Switch Extended Port ACLs

Enterprises and Cloud Service Providers (CSPs) can configure the Hyper-V Virtual Switch Extended Port Access Control Lists (ACLs) to provide firewall protection and enforce security policies for the tenant VMs in their datacenters. Because the port ACLs are configured on the Hyper-V Virtual Switch rather than within the VMs, you can manage security policies for all tenants in a multitenant environment.

Following are the new features for extended port ACLs:

  • ACLs now include the socket port number. In Windows Server 2012, you were able to specify both source and destination MAC and IP addresses for IPv4 and IPv6. For Windows Server 2012 R2 you can also specify the port number when you create rules.

  • You can now configure stateful rules that are unidirectional and provide a timeout parameter. With a stateful firewall rule, traffic is allowed, and two traffic flows are created dynamically: one outbound flow that matches five attributes in outbound packets, and one inbound flow that matches the same five attributes. After a stateful rule is matched once, both flows are allowed without being looked up against the rule again for the period that you designate with the timeout attribute. When the timeout expires, traffic flows are inspected against the rules again.

In addition, extended port ACLs provide the following benefits:

  • In multitenant environments, you can protect datacenter resources and provide security policy enforcement for your tenants.

  • Compatibility with Hyper-V Network Virtualization.

  • A management interface that allows you to easily configure firewall rules by using Windows PowerShell.

  • Logging and diagnostics capabilities so that you can confirm firewall operation and detect any possible misconfiguration of the port ACLs.

  • Configurable as a stateless firewall by filtering packets based on five attributes in the packet; with a stateless firewall configuration you can apply any firewall rule to either inbound or outbound network traffic, and the rule can either allow or deny traffic.
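As an added example (not from the original topic), the following Windows PowerShell script applies the policy pattern described above to one tenant VM: a stateless deny-all baseline, a stateless five-tuple allow for inbound RDP, and a stateful outbound allow whose reply flow is created dynamically and cached until the idle timeout expires. The VM name, the tenant subnet, the ports and the timeout are assumed values; higher -Weight wins where rules overlap.

```powershell
# Added example: tenant VM firewall policy using Hyper-V Virtual Switch
# Extended Port ACLs (Windows Server 2012 R2). Run on the Hyper-V host.
# Assumptions: VM "TenantVM01" has one network adapter; 10.0.1.0/24 is a
# constructed management subnet.

$vm = "TenantVM01"   # assumed VM name

# Baseline: stateless deny of all inbound and all outbound traffic (lowest weight).
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Deny -Direction Inbound  -Weight 1
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Deny -Direction Outbound -Weight 1

# Stateless allow: inbound RDP, but only from the management subnet.
# This rule matches the five attributes (addresses, ports, protocol) on every packet.
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Inbound -Weight 10 `
    -RemoteIPAddress 10.0.1.0/24 -LocalPort 3389 -Protocol TCP

# Stateful allow: outbound HTTPS. On the first match the switch creates the outbound
# flow and its matching inbound reply flow; both bypass rule lookup until the
# session has been idle for 120 seconds, then packets are matched against rules again.
# The inbound deny above therefore does not block the replies.
Add-VMNetworkAdapterExtendedAcl -VMName $vm -Action Allow -Direction Outbound -Weight 20 `
    -RemotePort 443 -Protocol TCP -Stateful $true -IdleSessionTimeout 120

# Verify the rules that now apply to the VM's adapter.
Get-VMNetworkAdapterExtendedAcl -VMName $vm |
    Format-Table Direction, Action, Weight, RemoteIPAddress, LocalPort, RemotePort,
                 Protocol, Stateful, IdleSessionTimeout -AutoSize
```

The deny rules carry the lowest weight so that every specific allow rule overrides them; keeping the allow rules narrow (source subnet plus port plus protocol) is what turns the ACL into a per-tenant policy rather than a blanket exception.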


Dynamic Load Balancing of Network Traffic

Windows Server® 2012 provided simultaneous load distribution and failover, but did not ensure load distribution between the NICs in a NIC team in a balanced manner.

In Windows Server® 2012 R2, dynamic load balancing continuously and automatically moves traffic streams from NIC to NIC within the NIC team to share the traffic load as equitably as possible.

For more information on NIC Teaming, see NIC Teaming Overview.
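An added example (not part of the original topic) of putting dynamic load balancing to use: the script creates a switch-independent NIC team with the Dynamic algorithm that Windows Server 2012 R2 introduces, binds a Hyper-V Virtual Switch to the team, and then verifies the team state. The physical adapter names, the team name and the switch name are assumptions.

```powershell
# Added example: NIC team with Dynamic load balancing plus a Hyper-V Virtual Switch.
# Run on the Hyper-V host. Adapter names "NIC1" and "NIC2" are assumed.

New-NetLbfoTeam -Name "HostTeam" -TeamMembers "NIC1","NIC2" `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Bind the virtual switch to the team interface. -AllowManagementOS $false keeps
# the host's own management traffic off the tenant-facing switch.
New-VMSwitch -Name "TenantSwitch" -NetAdapterName "HostTeam" -AllowManagementOS $false

# Confirm the team uses Dynamic distribution and that both members are active.
Get-NetLbfoTeam -Name "HostTeam" |
    Format-List Name, TeamingMode, LoadBalancingAlgorithm, Status
Get-NetLbfoTeamMember -Team "HostTeam" |
    Format-Table Name, AdministrativeMode, OperationalStatus -AutoSize
```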

Hyper-V Network Virtualization coexists with third party forwarding extensions for the Hyper-V Virtual Switch

Forwarding Hyper-V Virtual Switch extensions that are installed on the Hyper-V Virtual Switch in a Hyper-V Network Virtualization (HNV) environment can now forward packets for either the VM customer address (CA) space or the physical address (PA) space, because switch extensions now coexist seamlessly with Network Virtualization, which uses Network Virtualization Generic Routing Encapsulation (NVGRE).

When you have a third party forwarding extension installed, Hyper-V Virtual Switch now performs hybrid forwarding. With hybrid forwarding, network traffic that is NVGRE encapsulated is forwarded by the HNV module within the switch, while all non-NVGRE network traffic is forwarded by the third party forwarding extensions that you have installed.

In addition to forwarding, a third party forwarding extension can still apply other policies, such as ACLs and QoS, to both the NVGRE-encapsulated and the non-NVGRE-encapsulated traffic. The forwarding extension that you install must be able to process both types of network traffic based on their intended destinations. For example, PA visibility is necessary for extensions that perform switch team load balancing.

The policies and capabilities of the Hyper-V Virtual Switch and third party extensions do not displace each other – instead, they are mutually available.

For more information about Hyper-V Network Virtualization, see Hyper-V Network Virtualization Overview.

Traffic bottlenecks to VMs are reduced with vRSS

In Windows Server 2012, Receive Side Scaling (RSS) over SR-IOV is supported; now in Windows Server 2012 R2, virtual RSS (vRSS) is supported on the VM network path, allowing VMs to sustain a greater networking traffic load.

In the past, VMs might have trouble achieving network throughput approaching 10 Gbps due to the processing load on a single CPU core. vRSS alleviates this problem by spreading the processing across multiple cores on the host and multiple cores on the VM.

To take advantage of vRSS, VMs must be configured to use multiple cores, and they must support RSS. vRSS is enabled automatically when the VM uses RSS on the VM network path.
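The two prerequisites just stated (multiple virtual processors, RSS enabled in the guest) can be checked with the following added example, which is not part of the original topic. The first part runs on the Hyper-V host, the second inside the guest; the VM name and the processor count are assumptions.

```powershell
# Added example: verify the vRSS prerequisites for a VM.
# Part 1 runs on the Hyper-V host; part 2 runs inside the guest OS.

# --- Part 1 (host): the VM needs more than one virtual processor ---
$vm = "TenantVM01"   # assumed VM name
if ((Get-VMProcessor -VMName $vm).Count -lt 2) {
    # The processor count can only be changed while the VM is off.
    Stop-VM -Name $vm
    Set-VMProcessor -VMName $vm -Count 4   # assumed target count
    Start-VM -Name $vm
}

# --- Part 2 (guest): RSS must be enabled on the virtual network adapter ---
Get-NetAdapterRss | Format-Table Name, Enabled, NumberOfReceiveQueues -AutoSize
Get-NetAdapterRss | Where-Object { -not $_.Enabled } |
    ForEach-Object { Enable-NetAdapterRss -Name $_.Name }
```

With both conditions met, vRSS is engaged automatically on the VM network path; there is no separate switch-side setting to turn on.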

For more information about RSS, see Receive Side Scaling (RSS).

Network tracing is streamlined and provides more detail

Network traces now contain switch and port configuration information, and traces of packets passing through the Hyper-V Virtual Switch and any forwarding extensions you have installed are easier to collect and read.
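As an added example (not from the original topic), the following commands capture such a trace with the netsh trace Virtualization scenario, which collects Hyper-V Virtual Switch events together with the packets, and then stop it. The output path and size limit are assumptions.

```powershell
# Added example: unified trace of the Hyper-V Virtual Switch. Run on the host
# from an elevated prompt. The trace file path and maxsize are assumed values.

netsh trace start scenario=Virtualization capture=yes `
    tracefile=C:\Traces\vmswitch.etl maxsize=512 overwrite=yes

# ... reproduce the traffic you want to inspect (for example, a tenant VM
#     whose packets are being dropped by an extended port ACL) ...

# Stopping writes the .etl and a companion .cab that holds the switch and
# port configuration referenced above.
netsh trace stop
```

Open the .etl in Message Analyzer or Network Monitor to follow a packet through the switch ports and extensions; the configuration in the .cab lets you match port identifiers in the trace to the VM adapters they belong to.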

For information about Unified Tracing, see Unified Tracing Overview and Netsh Commands for Network Trace in the Windows Server 2012 and Windows Server 2012 R2 Technical Library.