The upcoming extensible Hyper-V virtual switch in Windows Server 2012 should alleviate many of the networking burdens associated with Microsoft’s virtualization platform, bringing it one step closer to vSphere.
Previously, the Hyper-V virtual switch was a proprietary Microsoft technology, and vendors could not write extensions for it. Microsoft will now provide an application programming interface (API), so vendors can exploit the virtual switch’s capabilities.
The idea is that third-party vendors should then be able to provide virtual network monitoring tools that are comparable to their physical-networking products. As of last year’s Build conference, Broadcom, 5nine, Cisco Systems, inMon and NEC had all created extensions for the Hyper-V virtual switch. In fact, it seems likely that many vendors will provide methods for monitoring physical and virtual networks through a single pane of glass.
Virtual network monitoring in the Dark Ages
In Windows Server 2008 R2, virtual machine (VM) traffic between VMs residing on a common host is invisible to network-monitoring software. The traffic passes only through the virtual switch and never actually traverses the physical network.
As a result, organizations developed various plans to secure or monitor traffic among virtual machines. For example, some data centers created a separate virtual switch for each VM. When properly executed, this technique ensures that all virtual machine traffic eventually makes its way through the physical network, where it can be monitored. But this method increases network bandwidth utilization, and hardware limitations often make it impractical -- especially if those limitations inhibit the use of this technique in a failover cluster. Most host servers cannot accommodate as many physical network interface cards as virtual machines.
Another common technique pairs a software firewall with each VM. This approach doesn't usually enable virtual network monitoring, but provides a level of isolation, as it prevents communication between VMs. That said, in a multi-tenant environment, you can more efficiently achieve VM isolation through the use of VLANs.
Enter the extensible Hyper-V virtual switch
With an extensible Hyper-V virtual switch, admins can purchase a third-party management product to more easily monitor network traffic, while still retaining the core Hyper-V switch. In essence, admins will not have to replace the entire Hyper-V virtual switch; they can simply add capabilities to it.
Virtual-switch extensions will use a Microsoft API, based on the Windows Presentation Foundation. As such, vendors that create virtual switch extensions will use Microsoft-approved methods and tools. Microsoft also offers a certification program for virtual switch extensions, which should help to decrease the number of bugs that customers encounter.
Probably the nicest thing about the extensible virtual switch is that Microsoft designed the virtual switch and API to guarantee that extensions are first-class network citizens. In other words, the extensions add capabilities to the Hyper-V virtual switch, rather than replacing it with the vendor’s proprietary code. This means the extension should never impede core Hyper-V functionality, such as live migration. All Hyper-V 3.0 features should continue to work even when you add a virtual switch extension.
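As an added illustration (not code from the article or from any vendor named in it), the following Windows Server 2012 Hyper-V PowerShell script audits each virtual switch for a monitoring extension and applies the per-tenant VLAN isolation described above. The extension name, VM names and VLAN IDs are placeholders; the cmdlets are the Hyper-V module's own.

```powershell
# Added audit script, not part of the original article. Assumes the Windows
# Server 2012 Hyper-V PowerShell module; extension name and tenant/VLAN map are
# placeholders you would replace with your own values.
Import-Module Hyper-V

# Monitoring extension expected on every switch (placeholder name).
$RequiredExtension = 'Contoso Virtual Switch Monitor'

# VM name -> access VLAN ID (constructed example values for two tenants).
$TenantVlan = @{ 'tenantA-web' = 110; 'tenantA-db' = 110; 'tenantB-web' = 120 }

function Test-SwitchExtensions {
    foreach ($switch in Get-VMSwitch) {
        $extensions = Get-VMSwitchExtension -VMSwitchName $switch.Name
        foreach ($ext in $extensions) {
            # Enabled but not running means the extension silently dropped out
            # of the data path, so traffic is no longer being inspected.
            if ($ext.Enabled -and -not $ext.Running) {
                Write-Warning ("{0}: extension '{1}' ({2}) is enabled but not running" `
                    -f $switch.Name, $ext.Name, $ext.ExtensionType)
            }
        }
        $required = $extensions | Where-Object { $_.Name -eq $RequiredExtension }
        if (-not $required) {
            Write-Warning ("{0}: required extension '{1}' is not installed" `
                -f $switch.Name, $RequiredExtension)
        } elseif (-not $required.Enabled) {
            # Extensions add to the core switch rather than replace it, so
            # enabling one does not disturb existing VM connectivity.
            Enable-VMSwitchExtension -VMSwitchName $switch.Name -Name $RequiredExtension
        }
    }
}

function Set-TenantIsolation {
    foreach ($vmName in $TenantVlan.Keys) {
        $vlan = $TenantVlan[$vmName]
        foreach ($adapter in Get-VMNetworkAdapterVlan -VMName $vmName) {
            # Only change adapters that are untagged or on the wrong VLAN.
            if ($adapter.OperationMode -ne 'Access' -or $adapter.AccessVlanId -ne $vlan) {
                Set-VMNetworkAdapterVlan -VMName $vmName -Access -VlanId $vlan
            }
        }
    }
}

Test-SwitchExtensions
Set-TenantIsolation
```

Run it from an elevated session on the Hyper-V host; the warnings are what a monitoring gap looks like before any third-party console reports it.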