Hyper-V Virtual Switch Overview
Updated: September 11, 2013
Applies To: Windows Server 2012 R2, Windows Server 2012, Windows 8
This topic describes Hyper-V Virtual Switch in Windows Server 2012. It also lists some practical uses for the Hyper-V Virtual Switch and its hardware and software requirements, and provides links to additional information.
In addition to this topic, the following Hyper-V Virtual Switch documentation is also available.
The Hyper-V Virtual Switch is a software-based layer-2 Ethernet network switch that is available in Hyper-V Manager when you install the Hyper-V server role. The switch includes programmatically managed and extensible capabilities to connect virtual machines to both virtual networks and the physical network. In addition, Hyper-V Virtual Switch provides policy enforcement for security, isolation, and service levels.
Hyper-V Virtual Switch only supports Ethernet, and does not support any other wired local area network (LAN) technologies, such as Infiniband and Fibre Channel.
The Hyper-V Virtual Switch in Windows Server® 2012 introduces several new features and enhanced capabilities for tenant isolation, traffic shaping, protection against malicious virtual machines, and simplified troubleshooting.
With built-in support for Network Device Interface Specification (NDIS) filter drivers and Windows Filtering Platform (WFP) callout drivers, the Hyper-V Virtual Switch enables independent software vendors (ISVs) to create extensible plug-ins (known as Virtual Switch Extensions) that can provide enhanced networking and security capabilities. Virtual Switch Extensions that you add to the Hyper-V Virtual Switch are listed in the Virtual Switch Manager feature of Hyper-V Manager.
In the following illustration, a Virtual Machine (VM) has a virtual NIC that is connected to the Hyper-V Virtual Switch through a switch port.
The capabilities provided in the Hyper-V Virtual Switch mean that organizations have more options for enforcing tenant isolation, shaping and controlling network traffic, and employing protective measures against malicious virtual machines.
Displaying statistics: A developer at a hosted cloud vendor implements a management package that displays the current state of the Hyper-V virtual switch. The management package can query switch-wide current capabilities, configuration settings, and individual port network statistics using WMI. The status of the switch is then displayed to give administrators a quick view of the state of the switch.
Resource tracking: A hosting company is selling hosting services priced according to the level of membership. Various membership levels include different network performance levels. The administrator allocates resources to meet the SLAs in a manner that balances network availability. The administrator programmatically tracks information such as the current usage of assigned bandwidth, and the number of VM-assigned virtual machine queue (VMQ) or IOV channels. The same program also periodically logs the resources in use, in addition to the per-VM resources assigned, for double-entry tracking of resources.
Managing the order of switch extensions: An enterprise has installed extensions on their Hyper-V host to both monitor traffic and report intrusion detection. During maintenance, some extensions may be updated causing the order of extensions to change. A simple script program is run to reorder the extensions after updates.
Forwarding extension manages VLAN ID: A major switch company is building a forwarding extension that applies all policies for networking. One element that is managed is virtual local area network (VLAN) IDs. The virtual switch cedes control of the VLAN to a forwarding extension. The switch company's installation program calls a Windows Management Instrumentation (WMI) application programming interface (API) that turns on transparency, telling the Hyper-V Virtual Switch to pass VLAN tags through and take no action on them.
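The "displaying statistics" and "managing the order of switch extensions" scenarios above both come down to reading switch state programmatically and noticing when it drifts. The following script is an added example, not code from the original topic or from Microsoft: it snapshots the extension list and the security-relevant port settings of one switch into a baseline file, then on later runs reports any reordering of extensions or weakening of guard settings. It assumes the Hyper-V PowerShell module on a Windows Server 2012 host; the switch name, the baseline path, and the assumption that Get-VMSwitchExtension returns extensions in binding order are placeholders and assumptions of this example.

```powershell
# Added example: baseline-and-compare audit of one Hyper-V Virtual Switch.
# 'Tenant-Switch' and the baseline path are constructed placeholders.
param(
    [string]$SwitchName   = 'Tenant-Switch',
    [string]$BaselinePath = "$env:ProgramData\VSwitchBaseline.json"
)

function Get-SwitchState {
    param([string]$Name)
    # Extension list (assumed here to reflect the switch's binding order);
    # an extension that is Enabled but not Running is itself worth a look.
    $ext = Get-VMSwitchExtension -VMSwitchName $Name |
        Select-Object Name, Vendor, Version, ExtensionType, Enabled, Running
    # Per-port guard settings, stored as strings so they survive a JSON round-trip.
    $ports = Get-VMNetworkAdapter -All | Where-Object SwitchName -eq $Name |
        Select-Object VMName, Name, MacAddress,
            @{ n = 'MacAddressSpoofing'; e = { [string]$_.MacAddressSpoofing } },
            @{ n = 'DhcpGuard';          e = { [string]$_.DhcpGuard } }
    [pscustomobject]@{ Extensions = @($ext); Ports = @($ports) }
}

$current = Get-SwitchState -Name $SwitchName
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 4 | Set-Content $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}
$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json

# Compare the extension sequence by name; any difference means a reorder, add or remove.
$oldOrder = @($baseline.Extensions | ForEach-Object Name) -join ' > '
$newOrder = @($current.Extensions  | ForEach-Object Name) -join ' > '
if ($oldOrder -ne $newOrder) {
    Write-Warning "Extension order changed:`n  was: $oldOrder`n  now: $newOrder"
}

# Flag ports whose DHCP Guard or MAC spoofing setting changed since the baseline.
foreach ($p in $current.Ports) {
    $b = $baseline.Ports | Where-Object { $_.VMName -eq $p.VMName -and $_.Name -eq $p.Name }
    if ($b -and ($b.DhcpGuard -ne $p.DhcpGuard -or $b.MacAddressSpoofing -ne $p.MacAddressSpoofing)) {
        Write-Warning ('{0}/{1}: DhcpGuard {2}->{3}, MacAddressSpoofing {4}->{5}' -f
            $p.VMName, $p.Name, $b.DhcpGuard, $p.DhcpGuard, $b.MacAddressSpoofing, $p.MacAddressSpoofing)
    }
}
```

Run it once before maintenance to write the baseline and again afterwards; delete the baseline file to accept the new state as the reference.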
Some of the principal features that are included in the Hyper-V Virtual Switch are:
ARP/ND Poisoning (spoofing) protection: Provides protection against a malicious VM using Address Resolution Protocol (ARP) spoofing to steal IP addresses from other VMs. Provides protection against attacks that can be launched for IPv6 using Neighbor Discovery (ND) spoofing.
DHCP Guard protection: Protects against a malicious VM representing itself as a Dynamic Host Configuration Protocol (DHCP) server for man-in-the-middle attacks.
Port ACLs: Provides traffic filtering based on Media Access Control (MAC) or Internet Protocol (IP) addresses/ranges, which enables you to set up virtual network isolation.
Trunk mode to a VM: Enables administrators to set up a specific VM as a virtual appliance, and then direct traffic from various VLANs to that VM.
Network traffic monitoring: Enables administrators to review traffic that is traversing the network switch.
Isolated (private) VLAN: Enables administrators to segregate traffic on multiple VLANs, to more easily establish isolated tenant communities.
Following is a list of capabilities that enhance Hyper-V Virtual Switch usability:
Bandwidth limit and burst support: Bandwidth minimum guarantees the amount of bandwidth reserved. Bandwidth maximum caps the amount of bandwidth a VM can consume.
ECN marking support: Explicit Congestion Notification (ECN) marking, also known as Data Center TCP (DCTCP), enables the physical switch and the operating system to regulate traffic flow so that the buffer resources of the switch are not flooded, which increases traffic throughput.
Diagnostics: Diagnostics allow easy tracing and monitoring of events and packets through the virtual switch.
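The security and usability features listed above (DHCP Guard, port ACLs, bandwidth limits, isolated VLANs) are all per-port settings on a VM's virtual NIC. The following script is an added example, not code from the original topic or from Microsoft, that applies them to one tenant VM and then reads the settings back to verify. It assumes the Hyper-V PowerShell module on a Windows Server 2012 host and a switch created with absolute bandwidth reservation mode; the VM name, subnet, VLAN IDs and bandwidth figures are constructed placeholders.

```powershell
# Added example: harden one tenant VM's virtual NIC with Hyper-V Virtual Switch port features.
# 'Tenant-A-Web', 10.10.1.0/24, VLAN 100/101 and the bandwidth figures are placeholders.
$vmName = 'Tenant-A-Web'
$nic    = Get-VMNetworkAdapter -VMName $vmName

# DHCP Guard drops DHCP server replies sent by this VM (a rogue DHCP server cannot
# redirect other tenants); MAC spoofing Off keeps the VM from sourcing frames
# with any MAC address other than the one assigned to the port.
Set-VMNetworkAdapter -VMNetworkAdapter $nic -DhcpGuard On -MacAddressSpoofing Off

# Port ACLs: permit only the tenant's own subnet in both directions, deny the rest.
# The more specific /24 prefix takes precedence over the 0.0.0.0/0 catch-all deny.
Add-VMNetworkAdapterAcl -VMNetworkAdapter $nic -RemoteIPAddress 10.10.1.0/24 -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMNetworkAdapter $nic -RemoteIPAddress 0.0.0.0/0    -Direction Both -Action Deny

# Bandwidth: 100 Mbps guaranteed minimum, 500 Mbps cap (values are bits per second;
# the absolute minimum needs a switch created with -MinimumBandwidthMode Absolute).
Set-VMNetworkAdapter -VMNetworkAdapter $nic -MinimumBandwidthAbsolute 100000000 -MaximumBandwidth 500000000

# Isolated (private) VLAN: the VM sits in secondary VLAN 101 of primary VLAN 100 in
# isolated mode, so it can reach the promiscuous uplink but not other isolated ports.
Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Isolated -PrimaryVlanId 100 -SecondaryVlanId 101

# Read everything back so the change can be verified (and logged) after the fact.
Get-VMNetworkAdapter -VMName $vmName |
    Select-Object VMName, SwitchName, MacAddress, DhcpGuard, MacAddressSpoofing, BandwidthSetting
Get-VMNetworkAdapterAcl  -VMName $vmName
Get-VMNetworkAdapterVlan -VMName $vmName
```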
The Hyper-V Virtual Switch features described in the previous section of this topic, Important functionality, enable administrators to configure security and isolation options, and to monitor traffic in ways not previously provided. The extensible nature of the switch enables ISVs to provide an additional layer of customization.
What value does this change add?
The recent increase in the use of virtualization has resulted in many hosting companies placing VMs for multiple clients on the same computer, increasing the need for isolation and protection. While Windows Server 2008 R2 does provide default protection against MAC spoofing, server releases up through Windows Server 2008 R2 provide only minimal security protection for virtualized network traffic. In Windows Server® 2012, traffic that flows between VMs on the same physical host computer is more secure because of enhancements that protect against malicious virtual machines.
In Windows Server® 2012, the new Hyper-V Virtual Switch provides more security, including functionality that will allow customers to readily monitor and move traffic through the switch. Additionally, the Hyper-V Virtual Switch supports an interface in which ISVs can extend the switch functionality.
Hyper-V Virtual Switch requires a 64-bit processor and the following:
Product disk or files for Windows Server® 2012
Physical computer for hosting Windows Server® 2012
Hardware-assisted virtualization. This is available in processors that include a virtualization option—specifically processors with Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) technology.
Hardware-enforced Data Execution Prevention (DEP) must be available and enabled. Specifically, you must enable Intel XD bit or AMD NX.
Following is a list of resources related to the Hyper-V virtual switch.
Understand and Troubleshoot Hyper-V Virtual Network Switch in Windows Server® 2012
Microsoft Server and Cloud Platform Blog: Windows Server 2012: Introducing Hyper-V Extensible Switch
Virtual PC Guy's Blog: Hyper-V Extensible Switch in Windows Server 2012
Windows Lifestyle: Hyper-V Extensible Switch in Windows Server 2012
Hyper-V overview in Windows Server 2012
Hyper-V in Windows Server 2008 and Windows Server 2008 R2 technical library on TechNet
Developer resources for Hyper-V Extensible Switch in the Microsoft Developer Network (MSDN) library
Protected 802.3 Ethernet connections using switch-based 802.1X Authenticated Wired Access