The presence of a virtual switch at no additional cost is one of the most significant improvements in Windows Server 2012. Here are five things you might not know about the extensible switch.
1. You can essentially replace the virtual switch within Windows Server 2012 Hyper-V with a Cisco switch.
Perhaps replace isn't the right word, but you can certainly augment the virtual switch to the point of complete transformation. Cisco is offering the
2. There are three supported types of extensibility with the switch.
Third parties and in-house development teams can create these switch extensions to extend the functionality of the switch, as Cisco did. You can create capturing extensions that read and inspect traffic but are unable to modify or drop packets. You also can create filtering extensions that inspect and read traffic and can drop, insert and modify packets directly in the transmission stream; firewall extensions for the virtual switch typically won't use this type of filter. And finally, you can create forwarding extensions that define the destination of packets to different places, as well as capture and filter traffic. The capabilities of each type of extension build on one another.
3. The extensible switch supports access control lists via ports.
This is really useful in multi-tenant deployments, where hosted virtual machines (VMs) for a variety of clients run on the same set of machines, or for organizations subject to Chinese wall-type regulations that require data and access segregation. These companies can now use, right in the Hyper-V virtual network, the same type of security that has been possible in physical switches and network security devices. The Hyper-V virtual switch can filter port traffic based on IP addresses or ranges, or via MAC addresses to identify the specific virtual network interface cards involved, and ensure that networks are isolated. This also works with the isolated or private VLAN feature, which lets the administrator set up isolated communities of tenants by securing traffic over individual VLANs within the virtual network.
4. There are trunking tools new to Windows that exist within the Hyper-V virtual switch.
There is a set of traffic-routing capabilities that can run within a VM -- making it like an appliance -- as a switch extension (as previously described) or as a service on the hypervisor host. The designated monitoring port copies traffic to the specified VM. When you set the "trunk mode" on a given virtual switch port, all traffic on the virtual network is routed to that VM, making it sit "in front" of the traffic. Traffic is then distributed to other VMs. You can also create a capture extension instance that copies the traffic to a given service for other types of inspection or analysis, and you can set up another extension to tunnel traffic to another network destination as well.
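As an added example that is not part of the original article, the following script shows how the port ACL and private VLAN isolation from item 3 and the port mirroring from item 4 are configured with the Hyper-V PowerShell module on a Windows Server 2012 host. The switch name, VM names and address ranges are placeholders I have assumed.

```powershell
# Added example (not from the article): isolate two tenant VMs on one Hyper-V
# host and mirror one tenant's traffic to a monitoring VM, using only the
# built-in extensible switch features. All names and ranges are placeholders.
$SwitchName = 'TenantSwitch'
$Monitor    = 'NetMon'          # VM that receives mirrored traffic
$Tenants    = @{ 'TenantA-Web' = '10.10.1.0/24'; 'TenantB-Web' = '10.10.2.0/24' }

# --- Item 3: port ACLs -----------------------------------------------------
# Each tenant NIC gets a deny-all entry for both IPv4 and IPv6, then an allow
# entry for its own subnet. The switch gives the more specific prefix
# precedence, so the allow overrides the deny only for that tenant's range.
foreach ($t in $Tenants.GetEnumerator()) {
    Add-VMNetworkAdapterAcl -VMName $t.Key -RemoteIPAddress '0.0.0.0/0' -Direction Both -Action Deny
    Add-VMNetworkAdapterAcl -VMName $t.Key -RemoteIPAddress '::/0'      -Direction Both -Action Deny
    Add-VMNetworkAdapterAcl -VMName $t.Key -RemoteIPAddress $t.Value    -Direction Both -Action Allow
}

# --- Item 3: private (isolated) VLAN --------------------------------------
# Both tenants share primary VLAN 100 but sit on different isolated secondary
# VLANs, so they cannot reach each other at layer 2 even on the same switch.
Set-VMNetworkAdapterVlan -VMName 'TenantA-Web' -Isolated -PrimaryVlanId 100 -SecondaryVlanId 201
Set-VMNetworkAdapterVlan -VMName 'TenantB-Web' -Isolated -PrimaryVlanId 100 -SecondaryVlanId 202

# --- Item 4: port mirroring to a monitoring VM ----------------------------
# The monitoring VM's port is the mirror destination; TenantA's port is a
# source, so a copy of its traffic is delivered to the monitor for inspection.
# Source and destination must be attached to the same virtual switch.
Set-VMNetworkAdapter -VMName $Monitor      -PortMirroring Destination
Set-VMNetworkAdapter -VMName 'TenantA-Web' -PortMirroring Source

# --- Verification ---------------------------------------------------------
# Review the resulting ACLs, VLAN settings and which switch extensions are
# actually enabled (a disabled extension enforces nothing).
foreach ($name in $Tenants.Keys) {
    Get-VMNetworkAdapterAcl  -VMName $name
    Get-VMNetworkAdapterVlan -VMName $name
}
Get-VMSwitchExtension -VMSwitchName $SwitchName | Where-Object { $_.Enabled }
```

Run it from an elevated PowerShell session on the Hyper-V host after the VMs are attached to the named switch; ACL and mirroring changes take effect without restarting the VMs.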
5. You can manage the Hyper-V extensible virtual switch as an independent device from within System Center 2012.
If you have deployed System Center 2012 Service Pack 1, you can add a virtual switch extension manager right to the Virtual Machine Manager console to monitor and manage the settings, features and capabilities of your VMs and the switch from within a single console. You can also do this with other virtual switch extension vendors like Cisco, but you need to first obtain provider software from the vendor, install it on the Virtual Machine Manager server and restart the service.
About the author:
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Microsoft Windows Small Business Server 2003 and Learning Windows Server 2003. Jonathan also speaks worldwide on topics ranging from networking and security to Windows administration. He is president of 82 Ventures, based in North Carolina, and is currently an editor for Apress, a publishing company that specializes in books for programmers and IT professionals.
This was first published in April 2013