A previous article in this series covered the steps required to install Windows Server 2012 Hyper-V using Server Manager, Windows PowerShell, and the Deployment Image Servicing and Management (DISM) tool. That article also reviewed the initial Hyper-V network environment, including the configuration of external, internal, and private virtual switches, as well as the virtual local area network (VLAN) setting integration.
Windows Server 2012 R2 Hyper-V adds many networking features that were not available in Hyper-V before Windows Server 2012. This article covers the more advanced network configuration options that improve the performance and security of Hyper-V hosts, using both the GUI and Windows PowerShell to explore settings that help when managing demanding virtualized workloads.
Hyper-V MAC address range
When Hyper-V is installed, a MAC address pool is created. By default, Hyper-V dynamically assigns MAC addresses from this pool to each virtual network adapter at the time new virtual machines are created or when a new virtual network adapter is added to the VM. To access the MAC Address Range, in Hyper-V Manager right-click the Hyper-V host name and choose Virtual Switch Manager from the shortcut menu. Then under Global Network Settings click on MAC Address Range (see Figure 1 below).
Let’s examine the address range in Figure 1.
- * 00-15-5D: The Microsoft IEEE Organizationally Unique Identifier (OUI). This portion of the MAC address is the same on every Hyper-V host.
- * 07-2F: These two bytes are derived from the first IPv4 address of the host: its last two octets are converted to hexadecimal. 07-2F maps to 7.47, so in this case the first IP address of the host was 192.168.7.47. Note that two hosts whose addresses end in the same two octets (for example, 192.168.7.47 and 10.0.7.47) derive the same default pool and can hand out duplicate MAC addresses to virtual machines.
- * 00 to FF: The last byte ranges from a minimum of 00 to a maximum of FF, giving a pool of 256 possible MAC addresses:
- * 00-15-5D-07-2F-00: First MAC address (minimum)
- * 00-15-5D-07-2F-FF: Last MAC address (maximum)
The MAC Address range is also available in the Windows Registry on the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization (see Figure 2).
The Virtual Switch Manager, the Windows Registry or Windows PowerShell can be used to increase the number of MAC addresses. Let’s say that you need to boost the number of MAC addresses from the default of 256 to 1,024 using Windows PowerShell. Here is the command:
- * Set-VMHost -MacAddressMinimum “00-15-5D-07-C0-00” -MacAddressMaximum “00-15-5D-07-C3-FF”
The new MAC address range from C0-00 to C3-FF allows 2^10 = 1,024 possible values in the pool. This change does not affect MAC addresses already assigned to running virtual machines; only future dynamic assignments come from the new range.
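The following PowerShell script is an added example and is not part of the original article. It reads the pool from Get-VMHost, reproduces the default derivation from the host IP address described above, checks a list of hosts for overlapping pools (the duplicate-MAC problem when two hosts share the last two octets of their address), and lists MAC addresses already assigned to more than one virtual adapter. The host names HV01 and HV02 are placeholders.

```powershell
# Added example (not from the original article): inspect the Hyper-V MAC pool,
# reproduce the default pool derivation, and look for overlapping pools between
# hosts and duplicate MACs already in use. Host names HV01/HV02 are placeholders.

function ConvertTo-MacInteger {
    # Accept 00-15-5D-07-2F-00, 00:15:5D:07:2F:00 or 00155D072F00
    param([string]$Mac)
    [Convert]::ToInt64(($Mac -replace '[-:]', ''), 16)
}

function Get-MacPoolInfo {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hv = Get-VMHost -ComputerName $ComputerName
    [pscustomobject]@{
        ComputerName = $ComputerName
        Minimum      = $hv.MacAddressMinimum
        Maximum      = $hv.MacAddressMaximum
        PoolSize     = (ConvertTo-MacInteger $hv.MacAddressMaximum) -
                       (ConvertTo-MacInteger $hv.MacAddressMinimum) + 1
    }
}

function Get-DefaultMacPool {
    # Rebuild the pool Hyper-V derives at install time: OUI 00-15-5D, then the
    # last two octets of the first IPv4 address in hex, then 00..FF.
    param([string]$IPv4Address)
    $o = $IPv4Address.Split('.')
    $prefix = '00155D{0:X2}{1:X2}' -f [int]$o[2], [int]$o[3]
    [pscustomobject]@{ Minimum = "${prefix}00"; Maximum = "${prefix}FF" }
}

function Test-MacPoolOverlap {
    # Two hosts whose pools intersect can hand the same dynamic MAC to two VMs.
    param([string[]]$ComputerName)
    $pools = $ComputerName | ForEach-Object { Get-MacPoolInfo -ComputerName $_ }
    for ($i = 0; $i -lt $pools.Count; $i++) {
        for ($j = $i + 1; $j -lt $pools.Count; $j++) {
            $a = $pools[$i]; $b = $pools[$j]
            $overlap = (ConvertTo-MacInteger $a.Minimum) -le (ConvertTo-MacInteger $b.Maximum) -and
                       (ConvertTo-MacInteger $b.Minimum) -le (ConvertTo-MacInteger $a.Maximum)
            if ($overlap) {
                Write-Warning ('MAC pool overlap: {0} [{1}-{2}] and {3} [{4}-{5}]' -f
                    $a.ComputerName, $a.Minimum, $a.Maximum, $b.ComputerName, $b.Minimum, $b.Maximum)
            }
        }
    }
}

function Find-DuplicateVmMac {
    # MAC addresses assigned to more than one virtual adapter on this host.
    # Adapters of VMs that have never started still show 000000000000.
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.MacAddress -ne '000000000000' } |
        Group-Object MacAddress | Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                MacAddress = $_.Name
                Adapters   = ($_.Group | ForEach-Object { "$($_.VMName)/$($_.Name)" }) -join ', '
            }
        }
}

# Usage
Get-MacPoolInfo
Get-DefaultMacPool -IPv4Address '192.168.7.47'   # 00155D072F00 .. 00155D072FFF
Test-MacPoolOverlap -ComputerName 'HV01', 'HV02'
Find-DuplicateVmMac
# Grow the pool to 1,024 addresses, the same change as the article's command:
# Set-VMHost -MacAddressMinimum 00155D07C000 -MacAddressMaximum 00155D07C3FF
```

Run Test-MacPoolOverlap from a management workstation with the Hyper-V module installed and credentials on each host; if it warns, give one of the hosts a disjoint range with Set-VMHost before more VMs are created.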
Bandwidth Management
Bandwidth management is a built-in quality of service (QoS) setting that lets you throttle each virtual network adapter on a virtual machine. By setting minimum and maximum values in megabits per second (Mbps), you can limit network usage, prioritize traffic, and protect the performance of virtual machines running mission-critical applications and services. The maximum works like a speed limit: the adapter cannot use bandwidth beyond the specified rate. The minimum is a reservation: it guarantees the virtual machine a committed share of capacity on that network adapter in times of contention. An absolute minimum is honoured only on a virtual switch that uses absolute minimum-bandwidth mode, which is chosen with the -MinimumBandwidthMode parameter of New-VMSwitch when the switch is created; on a switch in weight mode, you assign relative weights instead.
Using Windows PowerShell, the command below sets the maximum and minimum bandwidth on a virtual machine named DC1 to 75 Mbps and 25 Mbps. Both parameters take bits per second. Note that PowerShell's MB suffix is a binary multiplier (1,048,576), so writing 75MB would set 78,643,200 bps rather than 75 Mbps:
- * Set-VMNetworkAdapter -VMName DC1 -MaximumBandwidth 75000000 -MinimumBandwidthAbsolute 25000000
You may want to gauge the workload of the virtual network adapters before and after enabling bandwidth management. Hyper-V has a built-in metering resource process that measures resource usage by one or multiple virtual machines. You can enable Hyper-V resource metering by running the following Windows PowerShell command:
- * Enable-VMResourceMetering -VMName DC1
The above command instructs Hyper-V to start collecting resource utilization data for DC1. The collected data includes virtual network adapters’ incoming and outgoing network traffic.
Performance monitor also provides several important performance counters, among them:
- * Hyper-V Virtual Network Adapter(*)\Bytes/sec: This counter tracks the total number of bytes per second sent and received over a virtual NIC.
- * Hyper-V Virtual Network Adapter(*)\Bytes Received/sec: This counter tracks the total number of bytes received per second on a virtual NIC.
- * Hyper-V Virtual Network Adapter(*)\Bytes Sent/sec: This counter represents the total number of bytes sent per second on a virtual NIC.
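The script below is an added example, not code from the original article. It applies limits expressed in Mbps (converting to the bits-per-second unit the cmdlets expect), checks the bandwidth mode of the switch the adapter is connected to before setting an absolute minimum, and then measures the adapter with resource metering (Measure-VM) and the performance counters listed above so that the effect of the throttle can be seen. DC1 is the article's example VM; the property and cmdlet names are those of the Hyper-V module on Windows Server 2012 R2.

```powershell
# Added example (not from the original article): set bandwidth limits in Mbps,
# check the switch mode the minimum depends on, and measure the adapter before
# and after with resource metering and live counters. DC1 is the article's VM.

function ConvertTo-BitsPerSecond {
    # Hyper-V bandwidth parameters are bits per second. PowerShell's MB suffix
    # means 1,048,576, so "75MB" would give 78.6 Mbps instead of 75 Mbps.
    param([double]$Mbps)
    [int64]($Mbps * 1000000)
}

function Set-VmBandwidthMbps {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [double]$MaxMbps = 0,   # 0 removes the cap
        [double]$MinMbps = 0    # 0 removes the reservation
    )
    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        $mode = $null
        if ($nic.SwitchName) { $mode = (Get-VMSwitch -Name $nic.SwitchName).BandwidthReservationMode }
        $params = @{ MaximumBandwidth = ConvertTo-BitsPerSecond $MaxMbps }
        if ($MinMbps -gt 0 -and $mode -ne 'Absolute') {
            # An absolute reservation only takes effect on an Absolute-mode switch.
            Write-Warning "Switch '$($nic.SwitchName)' is in '$mode' mode; skipping the absolute minimum. Use -MinimumBandwidthWeight on a Weight-mode switch."
        } else {
            $params.MinimumBandwidthAbsolute = ConvertTo-BitsPerSecond $MinMbps
        }
        $nic | Set-VMNetworkAdapter @params
    }
}

function Get-VmNetworkMetering {
    # Per-direction traffic totals collected since metering was enabled or reset.
    param([Parameter(Mandatory)][string]$VMName)
    if (-not (Get-VM -Name $VMName).ResourceMeteringEnabled) {
        Enable-VMResourceMetering -VMName $VMName
    }
    (Measure-VM -VMName $VMName).NetworkMeteredTrafficReport |
        Select-Object Direction, LocalAddress, RemoteAddress, TotalTraffic   # TotalTraffic is in MB
}

function Get-VmNicThroughputMbps {
    # Average the Bytes/sec counter over a few seconds and report it in Mbps,
    # so it can be compared directly with the configured limit.
    param([int]$Seconds = 5)
    $samples = Get-Counter -Counter '\Hyper-V Virtual Network Adapter(*)\Bytes/sec' `
                           -SampleInterval 1 -MaxSamples $Seconds
    $samples.CounterSamples | Group-Object InstanceName | ForEach-Object {
        $avg = ($_.Group | Measure-Object CookedValue -Average).Average
        [pscustomobject]@{ Adapter = $_.Name; AverageMbps = [math]::Round($avg * 8 / 1000000, 2) }
    } | Sort-Object AverageMbps -Descending
}

# Usage: baseline, apply the limit, then measure again
Get-VmNicThroughputMbps -Seconds 10
Set-VmBandwidthMbps -VMName DC1 -MaxMbps 75 -MinMbps 25
Reset-VMResourceMetering -VMName DC1      # start a fresh measurement window
Get-VmNicThroughputMbps -Seconds 10
Get-VmNetworkMetering -VMName DC1
```

Compare the AverageMbps of the DC1 adapter after the change with the 75 Mbps cap; a figure persistently above it means the cap is not being applied to that traffic direction or adapter, which is worth investigating before relying on it for isolation.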
Hardware Acceleration Features
Even though some of the hardware acceleration features are enabled by default in a virtual network adapter, that does not mean the virtual machine is actually implementing them. All the hardware acceleration settings require hardware support. To configure virtual machine network adapter hardware acceleration settings, open the Hyper-V Manager console, right-click on the VM and choose the “Settings” command from the shortcut menu. In the “Settings for the VM” box, select the network adapter that you want to manage and click on the plus icon (+) to access the hardware acceleration section (see Figure 3).
Let's review these hardware acceleration features to see how they can improve Hyper-V's performance:
Virtual Machine Queue
VMQ is enabled by default but, like the other hardware acceleration settings, it only takes effect when the underlying physical network adapter supports it. With VMQ, the physical adapter maintains multiple receive queues and the virtual switch assigns one queue to a virtual network adapter, identified by its destination MAC address and VLAN ID. The adapter sorts incoming packets into the right queue in hardware and delivers them by DMA into the memory of the owning virtual machine, which removes the software classification and copy work from the host. Each queue's processing is bound to a host CPU core, so the receive load is spread across cores instead of landing on one; dynamic VMQ in Windows Server 2012 R2 rebalances those queue-to-core assignments as load changes. The traffic still passes through the virtual switch, so switch port policies continue to apply. To disable VMQ in the GUI, clear the "Enable virtual machine queue" check box.
The following Windows PowerShell command disables VMQ on a VM named DC1:
- * Set-VMNetworkAdapter -VMName DC1 -VMQWeight 0
To re-enable it:
- * Set-VMNetworkAdapter -VMName DC1 -VMQWeight 1
IPSec Task Offloading
Encrypting and decrypting IPsec packets is a CPU-intensive operation that may slow down a Hyper-V host running multiple VMs. Enabled by default, this feature alleviates CPU utilization by offloading the processing of IPSec traffic to the physical network adapter. Depending on the capabilities of the physical NIC, you can configure the maximum number of offloaded security associations in a range between 1 and 4,096.
The following command disables IPsec task offloading on a VM named DC1:
- * Set-VMNetworkAdapter -VMName DC1 -IPsecOffloadMaximumSecurityAssociation 0
To re-enable the functionality:
- * Set-VMNetworkAdapter -VMName DC1 -IPsecOffloadMaximumSecurityAssociation 1024
Single-root I/O virtualization (SR-IOV)
SR-IOV allows the VM to bypass the virtual switch and directly access a virtual function of a physical network adapter. Implementing SR-IOV reduces network latency for virtualized workloads, increases network throughput, and reduces CPU utilization on the host. This feature demands an SR-IOV-capable PCI Express network adapter and system BIOS support and, even though the Hyper-V role on Windows Server does not require Second Level Address Translation (SLAT) to run, SLAT is a requirement for SR-IOV to work. Before enabling it on the virtual network adapter, SR-IOV must be enabled on the external virtual switch, and you can do that only when you create the switch (the -EnableIov parameter of New-VMSwitch). Because traffic on the virtual function never touches the virtual switch, switch port policies such as bandwidth management and port ACLs cannot be enforced on it; weigh that against the performance gain before giving a VM a direct path to the NIC. If a virtual function is not available, the adapter silently falls back to the normal virtual switch path. To enable SR-IOV on a virtual NIC, select the check box labeled "Enable SR-IOV."
Using Windows PowerShell, you can run the following command to enable SR-IOV on all virtual network adapters in a VM named DC1:
- * Get-VM DC1 | Set-VMNetworkAdapter -IovWeight 1
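Because a setting that is enabled is not necessarily in use, the added script below (not part of the original article) reports, for every virtual adapter, what is configured against what is actually active: whether a VMQ queue is assigned, how many IPsec security associations are offloaded, and whether an SR-IOV virtual function is in use, together with the host-side support on the switch and the physical NIC. It relies on the VmqUsage, IPsecOffloadSAUsage and IovUsage properties of Get-VMNetworkAdapter, the IovEnabled/IovSupport properties of Get-VMSwitch, and the Get-NetAdapterVmq and Get-NetAdapterSriov cmdlets, all present on Windows Server 2012 R2; the switch and NIC names in the comments are placeholders.

```powershell
# Added example (not from the original article): configured vs. actually-used
# hardware acceleration for every VM adapter on the host, plus host support.

function Get-VmOffloadStatus {
    param([string]$VMName = '*')
    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        $sw   = $null
        $pnic = $null
        if ($nic.SwitchName) { $sw = Get-VMSwitch -Name $nic.SwitchName }
        if ($sw -and $sw.NetAdapterInterfaceDescription) {
            # External switch: find the physical NIC behind it
            $pnic = Get-NetAdapter | Where-Object InterfaceDescription -eq $sw.NetAdapterInterfaceDescription
        }
        $hostVmq   = $null
        $hostSriov = $null
        if ($pnic) {
            $hostVmq   = (Get-NetAdapterVmq   -Name $pnic.Name -ErrorAction SilentlyContinue).Enabled
            $hostSriov = (Get-NetAdapterSriov -Name $pnic.Name -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            VM               = $nic.VMName
            Adapter          = $nic.Name
            Switch           = $nic.SwitchName
            VmqWeight        = $nic.VmqWeight            # 0 = disabled on the vNIC
            VmqQueueInUse    = $nic.VmqUsage -gt 0       # a queue is actually assigned
            HostVmqEnabled   = $hostVmq
            IPsecMaxSA       = $nic.IPsecOffloadMaxSA
            IPsecSAOffloaded = $nic.IPsecOffloadSAUsage  # SAs currently offloaded
            IovWeight        = $nic.IovWeight            # 0 = disabled on the vNIC
            IovVfInUse       = $nic.IovUsage -gt 0       # a virtual function is assigned
            SwitchIovEnabled = if ($sw) { $sw.IovEnabled } else { $null }
            SwitchIovSupport = if ($sw) { $sw.IovSupport } else { $null }
            HostSriovEnabled = $hostSriov
        }
    }
}

function Get-VmOffloadGaps {
    # Adapters where a feature is enabled on the vNIC but nothing is in use,
    # which usually means the host NIC or switch does not support it.
    Get-VmOffloadStatus | Where-Object {
        ($_.VmqWeight -gt 0 -and -not $_.VmqQueueInUse) -or
        ($_.IovWeight -gt 0 -and -not $_.IovVfInUse)
    }
}

# Usage
Get-VmOffloadStatus | Format-Table -AutoSize
Get-VmOffloadGaps   | Format-Table VM, Adapter, Switch, VmqWeight, VmqQueueInUse, IovWeight, IovVfInUse, SwitchIovSupport

# SR-IOV is decided when the switch is created and cannot be switched on later
# (placeholder names):
# New-VMSwitch -Name 'SRIOV-External' -NetAdapterName 'NIC1' -EnableIov $true
# Set-VMNetworkAdapter -VMName DC1 -IovWeight 100
```

A VM that reports IovWeight greater than 0 but IovVfInUse false is running on the ordinary switch path; SwitchIovSupport on the switch object explains why (the companion IovSupportReasons property on Get-VMSwitch lists the blocking conditions).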
Virtual Network Adapter Advanced Features
To configure a virtual machine network adapter advanced features, open the Hyper-V Manager console, right-click on the VM, and choose the “Settings” command from the shortcut menu. When the “Settings for the VM box” appears, select the network adapter that you want to manage and click on the plus icon (+) to access Advanced Features. (See Figure 4).
Let’s take a closer look at these options.
MAC Address
The default setting is dynamic MAC address assignment: Hyper-V takes the address from the pool described earlier, and the address is not guaranteed to stay with the VM, for example when it is moved to a host with a different pool. To change to a static MAC address, the VM must be turned off first; pick an address that is unique on the network and, to avoid colliding with dynamically assigned ones, outside the MAC pools of your Hyper-V hosts. The MAC address spoofing option allows the virtual machine to send frames with a source MAC address other than the one assigned to the adapter; with spoofing off, the virtual switch port drops such frames. Spoofing may be needed when the virtual machine is a node of a network load balancing (NLB) cluster in unicast mode, which requires all cluster nodes to use the same MAC address for outgoing traffic. Leave it off otherwise, since it lets a compromised guest impersonate other hosts on the switch.
Using PowerShell, the following command configures a static MAC address and turns on MAC address spoofing on the virtual network adapter named Ethernet1 of the VM DC1 (the adapter is selected with -VMName and -Name, since -VMNetworkAdapter expects an adapter object rather than a name):
- * Set-VMNetworkAdapter -VMName DC1 -Name Ethernet1 -StaticMacAddress "00165D078A01" -MacAddressSpoofing On
To return to dynamic MAC address allocation:
- * Set-VMNetworkAdapter -VMName DC1 -Name Ethernet1 -DynamicMacAddress
DHCP Guard
DHCP guard is not enabled by default. This security setting protects other computers on the LAN from a rogue DHCP server running in this virtual machine. With DHCP guard disabled, an unauthorized DHCP server could accidentally hand out conflicting or invalid IP addresses on the network, or deliberately dispense malicious settings (default gateway, DNS servers) that redirect DHCP clients' traffic to attacker-controlled destinations. Enabling DHCP guard makes the virtual switch port drop DHCP server messages sent by the virtual machine; even if a DHCP server is running inside it, it cannot offer TCP/IP settings over this virtual network adapter. Because the filter is enforced on the host, it holds even if the guest is fully compromised, which is why it belongs in the baseline for every VM that is not an authorized DHCP server.
The following PowerShell command enables DHCP guard on the virtual network adapter named Ethernet1 of the VM DC1:
- * Set-VMNetworkAdapter -VMName DC1 -Name Ethernet1 -DhcpGuard On
To enable DHCP guard on every network adapter of every virtual machine on the host, run this command (the first positional parameter is the VM name, and * matches all of them):
- * Set-VMNetworkAdapter * -DhcpGuard On
Router Guard
This is another security feature that is disabled by default. As with DHCP guard, router guard aims to thwart rogue router advertisements and avert man-in-the-middle attacks. Selecting the "Enable router advertisement guard" check box prevents this virtual machine from sending router advertisements and redirect messages over this virtual network adapter to other devices on the network. When you enable router guard, you explicitly tell Hyper-V that this virtual machine is not allowed to provide routing advertisement services, even if the Routing and Remote Access service is configured for IP forwarding.
The following PowerShell command enables router guard on the virtual network adapter named Ethernet1 of the VM DC1:
- * Set-VMNetworkAdapter -VMName DC1 -Name Ethernet1 -RouterGuard On
To enable router guard on every network adapter of every virtual machine on the host:
- * Set-VMNetworkAdapter * -RouterGuard On
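The added script below (not from the original article) turns the three settings discussed above into a baseline that can be audited and enforced across every VM on a host: DHCP guard and router guard on everywhere, MAC address spoofing off except on an explicit allowlist of VMs that need it, such as NLB nodes. It first reports drift and only changes anything when -Apply is given. The VM names in $SpoofingAllowed are placeholders.

```powershell
# Added example (not from the original article): audit and enforce DHCP guard,
# router guard and MAC address spoofing on every VM adapter on this host.
# $SpoofingAllowed lists VMs that legitimately need spoofing (placeholders).

$SpoofingAllowed = @('NLB01', 'NLB02')

function Get-VmNicSecurityDrift {
    # One row per adapter that deviates from the baseline.
    foreach ($nic in Get-VM | Get-VMNetworkAdapter) {
        $issues = @()
        if ($nic.DhcpGuard   -ne 'On') { $issues += 'DhcpGuard off' }
        if ($nic.RouterGuard -ne 'On') { $issues += 'RouterGuard off' }
        if ($nic.MacAddressSpoofing -eq 'On' -and $SpoofingAllowed -notcontains $nic.VMName) {
            $issues += 'MacAddressSpoofing on (not allowlisted)'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                VMName  = $nic.VMName
                Adapter = $nic.Name
                Switch  = $nic.SwitchName
                Issues  = $issues -join ', '
            }
        }
    }
}

function Set-VmNicSecurityBaseline {
    # Report only by default; pass -Apply to change settings. These are switch
    # port settings, so they take effect without restarting the VM.
    param([switch]$Apply)
    $drift = @(Get-VmNicSecurityDrift)
    if ($drift.Count -eq 0) { Write-Host 'All adapters match the baseline.'; return }
    $drift | Format-Table -AutoSize
    if (-not $Apply) { return }
    foreach ($row in $drift) {
        $params = @{ DhcpGuard = 'On'; RouterGuard = 'On' }
        if ($SpoofingAllowed -notcontains $row.VMName) { $params.MacAddressSpoofing = 'Off' }
        Set-VMNetworkAdapter -VMName $row.VMName -Name $row.Adapter @params
    }
    # Re-check so the caller sees what is left (should be nothing)
    @(Get-VmNicSecurityDrift)
}

# Usage
Set-VmNicSecurityBaseline          # audit
Set-VmNicSecurityBaseline -Apply   # enforce
```

Run the audit on a schedule: a VM that reappears with spoofing on, or with a guard off, after having been set once usually means someone changed it through Hyper-V Manager, and that is worth a look before it is silently re-hardened.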
Protected Network
Enabled by default, this option supports network health detection and recovery when the virtual machine is running on a server that is a member of a Hyper-V failover cluster. It allows the cluster to detect a network outage on a protected virtual network and initiate a live migration of the affected virtual machine to another Hyper-V host in the cluster on which that external virtual network is available.
This is really a cluster monitoring option. You may want to prevent non-critical virtual machines from live-migrating when this type of network outage occurs. To disable this feature, the virtual machine does not need to be turned off: just clear the "Protected network" check box. Using PowerShell, you can run the following command to disable "protected network" on all the virtual network adapters of a VM named DC1:
- * Set-VMNetworkAdapter -VMName DC1 -VMNetworkAdapterName * -NotMonitoredInCluster $True
Port Mirroring
This feature facilitates monitoring of the incoming and outgoing traffic of virtual machines. Traffic sent to or from a Hyper-V virtual switch port is copied and directed to another port. This can be very helpful for traffic troubleshooting, security evaluation, network diagnostics, and performance management. The port mirroring mode is set to "None" by default. You configure port mirroring by setting one virtual machine's adapter as the source and another VM's adapter as the destination. Both the source and destination virtual network adapters must be on the same virtual switch. The virtual switch copies all traffic from the source virtual network adapter to the destination adapter. Usually a network monitoring application or sniffer program is installed on the virtual machine whose virtual network adapter is configured as the destination. Because the destination receives a copy of every packet the source sends or receives, treat a mirror as a data-exposure path: restrict who can change it, and set the mode back to "None" when the investigation is over.
Let's say that we want to configure port mirroring using two virtual machines. The VM from which the traffic is going to be copied is named SourceVM and the VM to which the traffic is going to be sent is named SnifferVM. Using PowerShell, we can run the following commands:
- * Set-VMNetworkAdapter SourceVM -PortMirroring Source
- * Set-VMNetworkAdapter SnifferVM -PortMirroring Destination
To disable port mirroring in all the network adapters:
- * Set-VMNetworkAdapter * -PortMirroring None
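The added script below (not from the original article) wraps the two commands with the check the text calls for, that both adapters are on the same virtual switch, and adds a way to list mirrors left active on the host. SourceVM and SnifferVM are the placeholder names used above.

```powershell
# Added example (not from the original article): set up a port mirror only when
# both adapters share a switch, list active mirrors, and tear the mirror down.

function Enable-VmPortMirror {
    param(
        [Parameter(Mandatory)][string]$SourceVM,
        [Parameter(Mandatory)][string]$SnifferVM
    )
    # Mirror the first adapter of each VM; adjust if the VMs have several.
    $src = Get-VMNetworkAdapter -VMName $SourceVM  | Select-Object -First 1
    $dst = Get-VMNetworkAdapter -VMName $SnifferVM | Select-Object -First 1
    if (-not $src.SwitchName -or $src.SwitchName -ne $dst.SwitchName) {
        throw "Port mirroring needs both adapters on one switch (source: '$($src.SwitchName)', sniffer: '$($dst.SwitchName)')."
    }
    $src | Set-VMNetworkAdapter -PortMirroring Source
    $dst | Set-VMNetworkAdapter -PortMirroring Destination
    Get-VMNetworkAdapter -VMName $SourceVM, $SnifferVM |
        Select-Object VMName, Name, SwitchName, PortMirroringMode
}

function Get-ActiveVmPortMirrors {
    # Mirrors that were never reset keep copying the source's traffic.
    Get-VM | Get-VMNetworkAdapter |
        Where-Object PortMirroringMode -ne 'None' |
        Select-Object VMName, Name, SwitchName, PortMirroringMode
}

function Disable-VmPortMirror {
    param([Parameter(Mandatory)][string[]]$VMName)
    Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -PortMirroring None
}

# Usage
Enable-VmPortMirror -SourceVM SourceVM -SnifferVM SnifferVM
Get-ActiveVmPortMirrors
# ... capture inside SnifferVM with the sniffer of your choice ...
Disable-VmPortMirror -VMName SourceVM, SnifferVM
```

The capture tool inside SnifferVM must put its adapter into promiscuous mode, otherwise the guest network stack discards the mirrored frames, which are addressed to other MACs.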
NIC Teaming
Windows NIC teaming is also known as load balancing and failover (LBFO). Enabling this setting allows the guest operating system to group multiple virtual network adapters of the virtual machine into a single team adapter. The team aggregates bandwidth and provides redundancy, regardless of whether NIC teaming is configured on the Hyper-V host. Every member adapter needs this setting turned on, and for the team to survive a physical failure each member should be connected to a different external virtual switch backed by a different physical network adapter; two members on the same switch only protect against a failure of the virtual adapter itself.
To enable NIC teaming on a virtual machine named DC1 using Windows PowerShell, run the following command:
- * Set-VMNetworkAdapter DC1 -AllowTeaming On
Most of the configuration options reviewed in this article were not available before Windows Server 2012. Features like bandwidth management, dynamic VMQ, IPsec task offloading, SR-IOV, DHCP guard, router guard, protected network, port mirroring, and NIC teaming give Windows Server 2012 R2 Hyper-V a level of performance and security that makes it a stronger competitor to VMware in many data centers.