In my first post on Hyper-V VLANs, I talked about the most common scenario for VLANs with Hyper-V, which is using VLAN IDs on the Virtual Machines or the Hyper-V Virtual Switch. Now that I’ve been around the block a few times working with enterprise customers on some more sophisticated scenarios, I think it’s time to touch on other uses for VLANs on Hyper-V Hosts.
To review, there are 3 places to set a VLAN ID: on the physical NIC, on the Virtual Switch (Host), on the Virtual Machine (Guest). Each Virtual Switch and Virtual Machine may only have one VLAN ID assigned, and physical NICs may have multiple.
So, first of all, why do we care about this? Why exactly would we want to make life even more complicated by adding more VLANs at the Host level?
1) Storage Network Segregation. A good example of this is using iSCSI via on-board or add-in NICs. Windows Server iSCSI requirements state: “A physically separate, dedicated storage network” (yes, that means switches dedicated only to iSCSI traffic). However, many datacenters have very expensive, large, beefy core switches with plenty of available capacity they want to take advantage of. VLANs provide a way to isolate that storage traffic without a physically separate storage network.
2) Security. Another use may be that you have traffic on one or more NICs that you want to isolate from the rest of the network for security reasons. In other words, you want to ensure that certain traffic never ends up on an unintended end-point.
3) Performance. In the traditional sense, a VLAN is a logical broadcast domain. Therefore, with VLANs you can create isolated broadcast domains without the need for additional routers or devices.
4) Other. Just FYI, the original main benefits of VLANs are things like spanning a LAN segment across multiple physical locations, etc.
Anyway, back to our Hyper-V Host… a typical Hyper-V Host using iSCSI storage in a Failover Cluster will need 5 or more gigE NICs:
However, in our example we’re using blades, which are constrained to 4 NICs only. In this case we can combine the Host Management & Cluster Communications networks onto one NIC, use the Virtual Machine NIC as a backup for Cluster Communications, and dedicate 2 NICs to iSCSI. In the below pic, NIC#2 needs to be connected to a switch port configured for Trunk Mode in order to allow Virtual Machines to also use VLAN IDs.
We’re also using HP’s Network Configuration Utility to assign VLANs and other advanced functions.
A very good plan is to include the VLAN ID in your NIC naming scheme so you can correctly identify it in different utilities, such as the Hyper-V Virtual Network Manager:
Q & A
Q: Woah there buddy, you’re allowing Cluster Communications on the Virtual Machine Network (NIC#2). Isn’t that against best-practice?
A: Not really, it’s making the best out of the situation. In Failover Cluster manager we are configuring NIC#1 for “Allow Cluster Communications and Client Connections”. In NIC#2 we’re allowing only Cluster Communications. This provides redundant paths for Cluster Communications while keeping NIC#2’s bandwidth nearly solely dedicated to VM traffic.
Q: What if I want to Team the iSCSI NICs?
A: Don’t do that! It’s not supported. Instead use MPIO, which will have the same net effect.
Q: What if I want to have multiple Virtual Networks and Team them for greater performance and availability of my Virtual Machines?
A: Go for it using a vendor-supported Network Teaming Solution. HP, Intel & Broadcom all have Teaming solutions which work with Hyper-V. Make sure to obtain the very latest NIC drivers and Teaming software and make sure to check with those vendors for specific configuration requirements, such as Using HP ProLiant Network Teaming Software with Microsoft® Windows® Server 2008 Hyper-V which is the first paper I’ve seen which doesn’t tell you how to install and use the software, but rather how to uninstall it! This is because Hyper-V & HP Teaming must be installed in a specific order.
Q: What if I want multiple VLAN IDs on a NIC?
A: Please do! Again, use the vendor-provided software to do so and make sure your switch port is configured for Trunk Mode.
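As an added example (not from the original post, which used HP’s Network Configuration Utility on Windows Server 2008), here is the same 4-NIC blade layout expressed with the Hyper-V and NetAdapter PowerShell modules available in Windows Server 2012 and later, followed by the two checks I’d run afterwards. The NIC names, VLAN IDs and VM names are assumed; tagging the physical iSCSI NICs is still left to the vendor utility.

```powershell
# Added example: the post's 4-NIC layout in PowerShell (Windows Server 2012+).
# Assumed values: NIC names, VLAN IDs (10 = Mgmt/Cluster, 20/30 = VMs, 200 = iSCSI), VM names.
# NIC#1 = Host Management + Cluster Communications, NIC#2 = VM traffic (trunk port),
# NIC#3/#4 = iSCSI (VLAN tagged by the vendor utility, never attached to a vSwitch).

# Naming scheme that carries the VLAN ID, so each NIC is identifiable in every tool.
Rename-NetAdapter -Name 'Ethernet'   -NewName 'NIC1-Mgmt-VLAN10'
Rename-NetAdapter -Name 'Ethernet 2' -NewName 'NIC2-VMs-Trunk'
Rename-NetAdapter -Name 'Ethernet 3' -NewName 'NIC3-iSCSI-VLAN200'
Rename-NetAdapter -Name 'Ethernet 4' -NewName 'NIC4-iSCSI-VLAN200'

# External switch on NIC#2. The management OS gets a vNIC only for the
# Cluster Communications backup path from the Q&A, tagged to the cluster VLAN.
New-VMSwitch -Name 'VMNet' -NetAdapterName 'NIC2-VMs-Trunk' -AllowManagementOS $false
Add-VMNetworkAdapter -ManagementOS -Name 'ClusterBackup' -SwitchName 'VMNet'
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'ClusterBackup' -Access -VlanId 10

# Guest VLANs: each VM adapter is an access port on its own VLAN; the physical
# switch port behind NIC#2 must be in Trunk Mode for these tags to pass.
Set-VMNetworkAdapterVlan -VMName 'web01' -Access -VlanId 20
Set-VMNetworkAdapterVlan -VMName 'db01'  -Access -VlanId 30

# Check 1: no VM adapter is left untagged on the trunk. An untagged adapter lands
# on the switch port's native VLAN, which silently defeats the segregation.
Get-VMNetworkAdapterVlan -VMName * |
    Where-Object { $_.OperationMode -eq 'Untagged' } |
    Format-Table VMName, OperationMode, AccessVlanId

# Check 2: the iSCSI NICs are not bound to any virtual switch, so storage
# traffic never shares a path with VM traffic. Any output here is a problem.
$switchNics = (Get-VMSwitch).NetAdapterInterfaceDescription
Get-NetAdapter -Name '*iSCSI*' |
    Where-Object { $switchNics -contains $_.InterfaceDescription } |
    Format-Table Name, InterfaceDescription
```

Both checks should return nothing on a correctly built host; rerun them after any driver or teaming software update, since that is when bindings tend to change.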
Special thanks to Anthony Ramirez at Fresno Unified School District.