When configured correctly, VMs operating in a virtualized environment can talk to each other and communicate with...
the servers connected to external networks. In a multilayered virtual networking architecture, it is essential that you pay attention to what is being sent and received over the network for your virtualized workloads. This is to ensure that network performance is good, your virtual networking infrastructure complies with IT security standards and the network is stable for network-intensive applications such as SQL, Exchange or Oracle.
Available as part of the Hyper-V extensible switch, Hyper-V Port Mirroring is one the new features introduced in Windows Server 2012 Hyper-V. Hyper-V Port Mirroring helps capture incoming and outgoing network traffic from a VM running on Windows Server 2012 and later Hyper-V hosts and then forwards network traffic copies to another VM configured for monitoring.
Although the primarily purpose of port mirroring is to capture network traffic for a VM, it has a number of other potential uses. For example, organizations may also use the feature to learn what packets a VM sends out and then analyze those packets for security purposes. Port Mirroring can also block unnecessary network traffic travelling from VMs, check network communication traffic between two VMs and diagnose network issues.
Configuring VMs for Hyper-V Port Mirroring
In order to use Hyper-V Port Mirroring, you'll need at least two VMs: one configured as the source, and the other configured as the destination. The source VM is the VM whose network traffic needs to be captured; the destination VM will receive the network traffic from the source VM. Both VMs must run on a local Hyper-V host running Windows Server 2012 and later OSes. Hyper-V Port Mirroring is not supported for VMs running on a remote Hyper-V host.
You can use either Hyper-V Manager or PowerShell cmdlets to configure source and destination VMs. To configure Port Mirroring using Hyper-V Manager, go to the property options of the source VM, navigate to the Network Adapter section, expand to see "Advanced Features" section and then, in the right pane of the Port Mirroring section, select "Source" as the Mirroring mode as shown in Figure A:
Click "OK" and "Apply" to save the settings. Once this is done, select a VM to act as a destination to receive the incoming and outgoing network traffic from the source VM. Follow the same steps shown above to configure the destination VM, but this time select "Destination" as the Mirroring mode.
If you intend to use PowerShell to enable Port Mirroring for source and destination VMs, use the commands shown below:
Set-VMNetworkAdapter "Source-VM" –PortMirroring Source
Set-VMNetworkAdapter "Destination-VM" –PortMirroring Destination
In case VMs are attached to multiple virtual network interface cards (vNIC), use the following PowerShell commands to help you set Port Mirroring for the right vNIC:
Get-VMNetworkAdatper VM1 | ? MacAddress –eq "<MAC-Address-here>" | Set-VMNetworkAdapter VM1 –PortMirroring Destination
If you wish to disable Port Mirroring for VMs, use "None" in place of both Source and Destination, as shown in the following commands:
Set-VMNetworkAdapter "Source-VM" –PortMirroring None
Set-VMNetworkAdapter "Destination-VM" –PortMirroring None
Port Mirroring scenarios
There are a couple of scenarios where Port Mirroring can be useful. For example, you can use Hyper-V Port Mirroring to capture network traffic from a VM that is connected to a virtual switch. This is called capturing "internal" network traffic. In this scenario, one VM whose network traffic needs to be captured is acting as "source" and the VM that captures and displays the traffic is called "destination".
In case you need to capture "external" network traffic, such as incoming network traffic from a physical server to a VM, you can enable Hyper-V Port Mirroring at the virtual switch level and then configure a VM for monitoring the traffic received from a virtual switch.
There can be multiple sources and destinations. For example, you can have three destination VMs to monitor traffic from a single VM acting as a source, but this scenario is not useful unless you want traffic for one VM to be monitored by three individuals or teams.
Capturing VLAN tagged traffic
Should you encounter a situation where VLAN tagging is configured for VMs and you want to monitor the tagged traffic for one or two VMs on a third VM, you need to configure the target VM -- the VM that is going to capture network traffic -- in trunk mode. For example, let's say you want to capture network traffic between IIS and SQL with packets tagged with VLAN ID 102 and then send traffic copies to a third VM configured as a destination.
To do so, run the commands shown below on Hyper-V host to configure both IIS and SQL VMs in Access mode and set these VMs as the source.
Set-VMNetworkAdapterVLan IIS –Access –VlanID 102
Set-VMNetworkAdapter –IIS –PortMirroring Source
Set-VMNetworkAdapterVLan SQL –Access –VlanID 102
Set-VMNetworkAdapter –SQL –PortMirroring Source
Configure destination VM in the trunk mode and set it as destination so that IIS and SQL VMs forward the network traffic to it:
Set-VMNetworkAdapterVLan MonitorVM –Trunk –AllowedVLANIDList "102" –NativeVLandID 0
Set-VMNetworkAdapter MonitorVM –PortMirroring Destination
Although Port Mirroring helps capture network traffic in a virtualized environment, many organizations also use it for performance optimization, analyzing security risks and diagnosing network issues. To see the network traffic on the destination, you can use a network capture traffic utility such as Microsoft Network Monitor or WireShark.
Choosing the right network monitoring tool
The top five Windows Server 2012 R2 Hyper-V features
Five compelling reasons to try Hyper-V in Windows Server 2012 R2