
In document 20409B-ENU-TrainerHandbook (Page 175-178)

Virtual Switch Expanded Functionality

The Hyper-V virtual switch is a software-implemented Layer 2 networking switch that provides network connectivity between virtual machines, the Hyper-V host, and physical networks. The Hyper-V virtual switch provides more functionality than simply forwarding data packets between computers that are connected to virtual switch ports. It also provides the following functions:

• Inspect network packets.
• Limit bandwidth.
• Block suspicious network activity.
• Perform network virtualization.

MCT USE ONLY. STUDENT USE PROHIBITED
4-14 Creating and Configuring Virtual Machine Networks

You can use Hyper-V Manager to configure some of the Hyper-V virtual switch functionality and expanded features, such as configuring virtual machine networking adapter settings. However, you must use Windows PowerShell to configure some of the other features. The Hyper-V virtual switch expanded functionality includes the following features:

• ARP/Neighbor Discovery poisoning (spoofing) protection. This feature provides protection against malicious virtual machines that try to use Address Resolution Protocol (ARP) spoofing to associate their media access control (MAC) addresses with the IP addresses of another virtual machine. By doing this, they effectively steal IP addresses and intercept network traffic that is being sent to other virtual machines. This feature also provides protection against attackers who use IPv6 Neighbor Discovery spoofing.

You can enable this feature in the Advanced Features settings for the virtual machine network adapter by selecting the Enable router advertisement guard option. You can also enable it by using the Windows PowerShell cmdlet Set-VMNetworkAdapter. For example, if you want to enable this feature on a network adapter in a virtual machine named VM1, you would run the following cmdlets:

$vmNIC = Get-VMNetworkAdapter -VMName VM1

Set-VMNetworkAdapter -VMNetworkAdapter $vmNIC -RouterGuard On

• DHCP guard protection. This feature protects against a malicious virtual machine that is running a rogue DHCP server that can be used for man-in-the-middle attacks. If you enable the DHCP guard protection option, the virtual switch drops DHCP acknowledgement packets that the virtual machine sends. This effectively prevents other computers from obtaining TCP/IP configuration from the DHCP server that is running in the malicious virtual machine.

You can enable this feature in the Advanced Features settings for the virtual machine network adapter, by selecting the Enable DHCP guard option. You also can enable this feature by using the Windows PowerShell cmdlet Set-VMNetworkAdapter. For example, if you want to enable this feature on a network adapter in a virtual machine named VM1, you can run the following cmdlets:

$vmNIC = Get-VMNetworkAdapter -VMName VM1

Set-VMNetworkAdapter -VMNetworkAdapter $vmNIC -DHCPGuard On
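The two protections above are per-adapter settings, so a single forgotten virtual machine leaves a gap. The following added example (not from the handbook) audits every virtual machine network adapter on the host for RouterGuard and DhcpGuard and, with -Remediate, switches both on using the same Set-VMNetworkAdapter cmdlet. It assumes the Hyper-V PowerShell module is installed and the session is elevated; the MacSpoofing column is included because a guest that may forge its MAC address undercuts much of what RouterGuard is meant to stop.

```powershell
# Added example, not from the handbook: report (and optionally enforce) the
# RouterGuard and DhcpGuard state of every VM network adapter on this host.
# Assumes the Hyper-V module is loaded and the session is elevated.
function Get-VMGuardReport {
    param(
        [string]$VMName = '*',   # wildcard: every VM on the host
        [switch]$Remediate
    )
    foreach ($nic in (Get-VM -Name $VMName | Get-VMNetworkAdapter)) {
        $compliant = ($nic.RouterGuard -eq 'On') -and ($nic.DhcpGuard -eq 'On')
        if (-not $compliant -and $Remediate) {
            # Same cmdlet the handbook uses; both guards are set in one call
            Set-VMNetworkAdapter -VMNetworkAdapter $nic -RouterGuard On -DhcpGuard On
            # Re-read the adapter so the report shows live state, not the stale object
            # (adapters that share a name within one VM would need disambiguation here)
            $nic = Get-VMNetworkAdapter -VMName $nic.VMName -Name $nic.Name | Select-Object -First 1
            $compliant = ($nic.RouterGuard -eq 'On') -and ($nic.DhcpGuard -eq 'On')
        }
        [pscustomobject]@{
            VMName      = $nic.VMName
            Adapter     = $nic.Name
            Switch      = $nic.SwitchName
            RouterGuard = $nic.RouterGuard
            DhcpGuard   = $nic.DhcpGuard
            MacSpoofing = $nic.MacAddressSpoofing
            Compliant   = $compliant
        }
    }
}

# Usage: list the adapters that still need attention, then enforce on all of them
Get-VMGuardReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Get-VMGuardReport -Remediate | Out-Null
```

Run the report without -Remediate first; the non-compliant rows are the list you would expect a configuration baseline to flag, and the second call brings them into line.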

• Port ACLs. The virtual switch performs traffic filtering based on MAC or IP addresses and ranges. With this feature, you can set up virtual network isolation by creating two lists: a list of computers with which a virtual switch port can communicate (white list), and a list of computers with which a virtual switch port cannot communicate (black list). A network port ACL has several entries, which include a network address and an associated permit, deny, or meter action. When a network packet matches one of the entries, the virtual switch takes the appropriate action.

Port ACLs can be based on MAC address, IPv4 address, or IPv6 address. You can configure this feature only by using Windows PowerShell, by running the Add-VMNetworkAdapterAcl cmdlet. For example, if you want to allow network traffic in both directions between a virtual machine named VM1 and computers on the 10.0.0.0/8 subnet, you can run the following cmdlet:

Add-VMNetworkAdapterAcl -VMName VM1 -RemoteIPAddress 10.0.0.0/8 -Direction Both -Action Allow
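A single Allow entry does nothing on its own, because traffic that matches no entry is still forwarded. The added example below (not from the handbook) turns the command above into a default-deny allow list for VM1 and prints the resulting rule set for review. It assumes VM1 exists on this host, and it relies on an assumption you should confirm on your own switch: when several entries match a packet, the virtual switch applies the entry with the longest prefix, which is what lets the 10.0.0.0/8 Allow entry override the 0.0.0.0/0 Deny entry.

```powershell
# Added example, not from the handbook: default-deny port ACL with an allow list.
# Assumes VM1 exists. Assumption to verify: the most specific (longest-prefix)
# matching entry wins, so the /8 Allow overrides the /0 Deny.
function Set-VMAllowListAcl {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string[]]$AllowedRemote = @('10.0.0.0/8')   # constructed sample allow list
    )
    # Clear existing entries so re-running the function yields the same rule set
    Get-VMNetworkAdapterAcl -VMName $VMName | Remove-VMNetworkAdapterAcl

    # Default deny: every IPv4 and IPv6 peer, in both directions
    foreach ($any in @('0.0.0.0/0', '::/0')) {
        Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $any -Direction Both -Action Deny
    }
    # Allow list: only the named subnets may exchange traffic with this adapter
    foreach ($subnet in $AllowedRemote) {
        Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $subnet -Direction Both -Action Allow
    }
    # Show what the switch now holds for this VM
    Get-VMNetworkAdapterAcl -VMName $VMName | Format-Table -AutoSize
}

Set-VMAllowListAcl -VMName VM1
```

Because the ACL is attached to the virtual machine's adapter rather than to the guest operating system, a compromised guest cannot loosen it from inside; review the printed entries after any change, since an overly broad Allow silently reopens the port.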

• Trunk mode to a VM. A VLAN logically isolates computers that are connected to the same local network, irrespective of their actual physical location. By using VLANs, you can assign computers on different switches to the same Layer 2 broadcast domain. This enables network communication between the computers while they are isolated from the other computers that are either assigned to a different broadcast domain or have a different VLAN ID. A VLAN trunk enables traffic from multiple VLANs to be visible and accessible on the same network adapter, as defined in the IEEE 802.1Q standard.

Prior to Windows Server 2012 Hyper-V, the virtual switch did not have the ability to set a switch port to trunk mode, and you could not have multiple VLANs assigned to the same virtual NIC. Hyper-V in Windows Server 2012 supports the IEEE 802.1Q standard, and can forward traffic from multiple different VLANs to the same network adapter. You can configure this feature only by using Windows PowerShell, by running the cmdlet Set-VMNetworkAdapterVlan. For example, if you want to enable trunk mode to a virtual machine named VM1, you would run the following cmdlets:

$vmNIC = Get-VMNetworkAdapter -VMName VM1

Set-VMNetworkAdapterVlan $vmNIC -Trunk -AllowedVlanIdList 1-100 -NativeVlanId 10

• Network traffic monitoring. You can use this feature to monitor and review all incoming or outgoing network traffic that the network switch is forwarding to a specific virtual machine network adapter. When you configure this feature, network traffic is copied and you can view it inside a virtual machine by using a packet capture tool such as Network Monitor.

You can enable this feature in the Advanced Features settings for the virtual machine network adapter by configuring the port mirroring mode. You can also configure it by using the Windows PowerShell cmdlet Set-VMNetworkAdapter. For example, if you want to configure network traffic monitoring for a virtual machine named VM1, you would run the following cmdlets:

$vmNIC = Get-VMNetworkAdapter -VMName VM1

Set-VMNetworkAdapter $vmNIC -PortMirroring Source
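Marking VM1 as the Source is only half of the configuration: the copied traffic is delivered only to an adapter on the same virtual switch that is set as the Destination. The added example below (not from the handbook) sets up both ends, with a monitoring virtual machine named MON1 assumed, refuses to continue if the two adapters sit on different switches, and lists every mirror on the host so that a tap is never left behind unnoticed. It assumes both virtual machines exist and that their first adapter is the one to use.

```powershell
# Added example, not from the handbook: complete port mirroring (source + destination)
# and inventory all mirrors on the host. Monitoring VM name MON1 is an assumption.
function Enable-VMPortMirror {
    param(
        [Parameter(Mandatory)][string]$SourceVM,
        [Parameter(Mandatory)][string]$MonitorVM
    )
    $src = Get-VMNetworkAdapter -VMName $SourceVM  | Select-Object -First 1
    $dst = Get-VMNetworkAdapter -VMName $MonitorVM | Select-Object -First 1
    if (-not $src -or -not $dst) { throw "Both virtual machines need a network adapter" }
    if ($src.SwitchName -ne $dst.SwitchName) {
        throw "Mirroring only works within one virtual switch: $SourceVM is on '$($src.SwitchName)', $MonitorVM on '$($dst.SwitchName)'"
    }
    Set-VMNetworkAdapter -VMNetworkAdapter $src -PortMirroring Source
    Set-VMNetworkAdapter -VMNetworkAdapter $dst -PortMirroring Destination
}

function Disable-VMPortMirror {
    param([Parameter(Mandatory)][string[]]$VMName)
    Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -PortMirroring None
}

# Inventory of every tap on the host: whose traffic is copied, and where the copy goes
function Get-VMPortMirrorReport {
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.PortMirroringMode -ne 'None' } |
        Select-Object VMName, Name, SwitchName, PortMirroringMode
}

Enable-VMPortMirror -SourceVM VM1 -MonitorVM MON1
Get-VMPortMirrorReport | Format-Table -AutoSize
```

A Destination adapter receives a copy of everything its sources send and receive, so treat the monitoring virtual machine with the same care as any packet-capture host, and run the report periodically to confirm that no adapter has been turned into a Destination without your knowledge.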

• Isolated VLAN or private VLAN. Private VLANs were introduced to help with VLAN scalability issues. A private VLAN consists of a primary VLAN, which has secondary VLANs. The secondary VLAN IDs differentiate the various private VLANs, and all secondary VLANs share the same primary VLAN ID. Private VLANs are designed to reduce the number of IP subnets and VLANs for some types of network configurations. The virtual switch supports private VLANs to restrict communication between computers on the same VLAN or network segment.

Private VLANs support an isolated mode in which virtual machines can share the same VLAN ID, but can only communicate externally. You can configure this feature only by using Windows PowerShell, by running the cmdlet Set-VMNetworkAdapterVlan. For example, if you want to configure a private VLAN for a virtual machine named VM1 and configure it with primary VLAN ID 10 and secondary VLAN ID 200, you would run the following cmdlet:

$vmNIC = Get-VMNetworkAdapter -VMName VM1

Set-VMNetworkAdapterVlan $vmNIC -Isolated -PrimaryVlanId 10 -SecondaryVlanId 200

• Bandwidth limits and burst support. By setting a minimum bandwidth, you can guarantee at least that amount of bandwidth for the virtual machine network adapter. The maximum bandwidth setting specifies the maximum amount of bandwidth that a virtual machine network adapter can consume. You can enable and configure this feature only for network adapters, and not for legacy network adapters.

You can enable and configure this feature on the virtual machine network adapter settings, or by using the Windows PowerShell cmdlet Set-VMNetworkAdapter. For example, for a network adapter in a virtual machine named VM1, if you want to specify a minimum bandwidth of 10 megabytes (MB) and maximum bandwidth of 1 gigabyte (GB), you can run the following cmdlets:

$vmNIC = Get-VMNetworkAdapter -VMName VM1
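The added example below (not from the handbook) applies the 10 MB minimum and 1 GB maximum from the text to every non-legacy adapter of VM1 and reads the setting back. It assumes VM1 exists, and it checks the precondition that most often makes the minimum setting fail: an absolute minimum can only be applied on a virtual switch whose BandwidthReservationMode is Absolute. One unit caveat: the -MinimumBandwidthAbsolute and -MaximumBandwidth parameters are documented in bits per second, so PowerShell's 10MB literal (10,485,760) is applied as roughly 10 Mbit/s; adjust the values if bytes were intended.

```powershell
# Added example, not from the handbook: apply minimum/maximum bandwidth to VM1's adapters
# after checking the switch mode. Values are the handbook's; parameters take bits per second.
function Set-VMNicBandwidth {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [long]$MinimumBps = 10MB,   # handbook's minimum (see unit caveat above)
        [long]$MaximumBps = 1GB     # handbook's maximum
    )
    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        if ($nic.IsLegacy) {
            Write-Warning "$VMName/$($nic.Name): legacy adapter, bandwidth management is not supported"
            continue
        }
        if (-not $nic.SwitchName) {
            Write-Warning "$VMName/$($nic.Name): not connected to a virtual switch, skipping"
            continue
        }
        $switch = Get-VMSwitch -Name $nic.SwitchName
        if ($switch.BandwidthReservationMode -eq 'Absolute') {
            Set-VMNetworkAdapter -VMNetworkAdapter $nic `
                -MinimumBandwidthAbsolute $MinimumBps -MaximumBandwidth $MaximumBps
        } else {
            # Assumption: a switch in Weight or None mode rejects an absolute minimum;
            # only the cap is applied there (a Weight-mode switch takes -MinimumBandwidthWeight)
            Write-Warning "$($switch.Name) is in $($switch.BandwidthReservationMode) mode; applying the maximum only"
            Set-VMNetworkAdapter -VMNetworkAdapter $nic -MaximumBandwidth $MaximumBps
        }
        # Read back what the switch actually holds for this adapter
        (Get-VMNetworkAdapter -VMName $VMName -Name $nic.Name | Select-Object -First 1).BandwidthSetting
    }
}

Set-VMNicBandwidth -VMName VM1
```

The BandwidthSetting object returned at the end is the value to record in a change log: a maximum that was silently not applied, or a minimum rejected because of the switch mode, is exactly the kind of drift that lets one noisy or compromised guest starve its neighbours.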


Question: Do you need to enable DHCP guard protection on each virtual machine that you want to protect from obtaining TCP/IP configuration from the rogue DHCP server?
