Hyper-V Virtual Switch Overview

Updated: February 29, 2012

Applies To: Windows Server 2012

The Hyper-V virtual switch (vSwitch) in Windows Server 2012 introduces a number of capabilities that are requested by customers for tenant isolation, traffic shaping, protection against malicious virtual machines, and easier troubleshooting of issues. This guide focuses on the improvements in open extensibility and manageability for non-Microsoft extensions. Non-Microsoft extensions can be written to emulate the full capabilities of hardware-based switches and support more complex virtual environments and solutions.

The Hyper-V vSwitch is a layer 2 virtual network switch that provides programmatically managed and extensible capabilities to connect virtual machines to the physical network. vSwitch provides policy enforcement for security, isolation, and service levels. With support for Network Device Interface Specification (NDIS) filter drivers and Windows Filtering Platform (WFP) callout drivers, the Hyper-V vSwitch allows for non-Microsoft extensible plug-ins that can provide enhanced networking and security capabilities.

The Hyper-V vSwitch enables you to implement and manage virtualized data centers by providing the following:

  • Open platform. The vSwitch is built on an open platform that allows independent software vendors to add or extend the capabilities provided natively in the vSwitch. The capabilities of the vSwitch function with the added capabilities of extensions.

  • Standard API. The programming model for the extensible switch uses the same application programming interface (API) that is used for network filters and drivers in previous versions of Windows; that is, NDIS and WFP. There are new APIs and parameters added for virtual switch ports.

  • Windows reliability and quality. The Windows platform and Windows Hardware Quality Logo (WHQL) program set high standards for extension quality.

  • Policy and configuration integration. The management of extensions is integrated into the Windows management through Windows Management Instrumentation (WMI) calls and Windows PowerShell cmdlets, providing a standard management approach. Policies of extensions are automatically migrated with the virtual machine configuration during live migration.

  • Easy to troubleshoot. Event logs and unified tracing are included with the vSwitch, which makes it easier to diagnose and troubleshoot issues when they occur.

Requirements

Hyper-V vSwitch extensibility is built into the Hyper-V role, and it requires Windows Server 2012.

Technical overview

vSwitch extensibility provides ways to extend the virtual switch for independent software vendors to add monitoring, filtering, and forwarding functionality without replacing all of the vSwitch functionality. Extensions are implemented by using NDIS filter drivers and WFP callout drivers, which are two public platforms for extending Windows networking functionality.

  • NDIS filter drivers

    An NDIS filter driver is a filtering service to monitor or modify network packets in Windows. NDIS filters were introduced with the NDIS 6.0 specification.

  • WFP callout drivers

    WFP, introduced in Windows Vista and Windows Server 2008, allows independent software vendors (ISVs) to create WFP callout drivers that filter and modify TCP/IP packets, monitor or authorize connections, filter traffic protected by Internet Protocol security (IPsec), and filter remote procedure calls (RPCs). Filtering and modifying TCP/IP packets provides unprecedented access to the TCP/IP packet processing path. In this path, you can examine or modify outgoing and incoming packets before additional processing occurs. By accessing the TCP/IP processing path at different layers, you can more easily create firewalls, antivirus software, diagnostic software, and other types of applications and services. For more information, see Windows Filtering Platform.

Extensions can extend or replace three aspects of the switching process: ingress filtering, destination look-up and forwarding, and egress filtering. In addition, extensions can gather statistical data by monitoring traffic at different layers of the vSwitch. Multiple monitoring and filtering extensions can be supported at the ingress and egress portions of the vSwitch. If you use a forwarding extension, only one instance of the extension can be used per switch instance, in which case it overrides the default forwarding of the vSwitch.

The following table shows the types of extensions, their purpose, examples, and how to implement them.

Extension

Purpose

Examples

Extensibility Component

Network packet inspection

View network packets for virtual machine to virtual machine traffic per vSwitch. Cannot alter network packets.

sFlow, network monitoring

NDIS filter driver

Network packet filter

Create, filter, and modify network packets that are entering or leaving the vSwitch and in virtual machine to virtual machine traffic.

Security

NDIS filter driver

Network forwarding

Provide forwarding extension per vSwitch, which bypasses default forwarding (maximum of one per vSwitch).

OpenFlow, Virtual Ethernet Port Aggregator (VEPA), proprietary network fabrics

NDIS filter driver

Intrusion detection or firewall

Filter and modify TCP/IP packets, monitor or authorize connections, filter traffic that is protected by IPsec, and filter RPCs.

Virtual firewall, connection monitoring

WFP callout driver

The vSwitch includes the following attributes, which provide an open switch API that enables enhanced switch and management products to work with Hyper-V:

  • Extensible: You can add new features and enhancements while retaining the native feature set.

  • Standard API: You can build extensions on NDIS and the WFP, which are publicly available platforms that are familiar to Windows developers.

  • Live migration support: You can use extensions in Hyper-V live migration.

  • Easy troubleshooting: Support is provided for unified tracing for the vSwitch and its extensions.

Figure 1 shows the architecture of the vSwitch and the extensibility model.

Figure 1 Architecture of vSwitch

Figure 1   vSwitch architecture and extensibility

Manageability

With the Hyper-V vSwitch playing a similar role for virtual machines that physical network switches provide for physical devices, it is important that you can easily manage, troubleshoot and resolve network issues. To accomplish this, Windows Server 2012 provides the following:

  • Windows PowerShell and scripting support

Windows Server 2012 provides Windows PowerShell cmdlets for the vSwitch that you can use to build command-line tools or enable automation of scripts for setup, configuration, monitoring, and troubleshooting. Windows PowerShell also enables non-Microsoft developers to build tools to manage the virtual switch.

  • Unified Tracing and enhanced diagnostics

Unified Tracing has been extended into the vSwitch to provide two levels of troubleshooting. At the first level, Event Tracing for Windows (ETW) enables tracing of packet events through the vSwitch and extensions, making it easier to isolate where an issue is occurring. The second level allows capturing packets for a full trace of events and traffic packets.

Reliability and extension management

The Hyper-V vSwitch is an open platform that enables multiple vendors to provide extensions that are written to standard Windows API frameworks. The reliability of extensions is strengthened through the Windows standard framework and the reduction of non-Microsoft code required for functions, and the reliability is backed by the WHQL certification program. The vSwitch and its extensions are managed by using Windows PowerShell cmdlets, WMI calls, or the Hyper-V Manager user interface.