Deploying Network Load Balancing (NLB) and Virtual Machines on Windows Server 2008 R2


When running NLB as a virtual machine (VM) guest on Windows Server 2008 R2 Hyper-V, you need to be aware of some specific configuration settings on the Hyper-V host before configuring NLB.

 

In Hyper-V, the VM host prevents dynamic MAC address updates as an extra layer of security in the datacenter.  This is because the VM may have full administrator rights, yet it may be untrusted in the datacenter, for example when the VM hosting is provided by an independent hosting company.  In this scenario, we need to make sure that one VM cannot cause a denial-of-service (DoS) or information disclosure attack against another VM.  If a VM is able to spoof its MAC address, then it can spoof the MAC addresses of other VMs and impact other VMs on that host.  Physical switches have similar protections, and it is up to the admin whether to enable them.

 

If you do not enable spoofing of MAC addresses before configuring NLB on the VM, you could have problems with the NLB cluster.

 

When configuring NLB in unicast mode on Hyper-V with "Enable spoofing of MAC Address" disabled, you may see some of the following symptoms:

  • When initially configuring NLB, you will lose network connectivity on the network adapter NLB was configured on.

  • There will be an NLB error event in the Windows Event Log stating that the network adapter does not support dynamic MAC address updates.

  • After rebooting the server, NLB will appear to be bound to the network adapter, but the cluster VIP will not have been added to the network adapter.

  • The cluster MAC address will still be the original MAC address associated with the network adapter prior to configuring NLB.  Run ipconfig /all from a command prompt to view the MAC address.  When NLB is configured correctly, it should start with "02-BF-***".

  • If you ignore all previous symptoms and manually add the VIP, you could get an IP conflict if there are other nodes in the cluster that have the same VIP.

 

With that said, to allow VM guests to run NLB you need to set the VM property for "Enable spoofing of MAC Address". 

 

To enable spoofing of MAC addresses, open the Hyper-V management console.  Make sure the VM is stopped, then open the properties of the VM.  Select the network adapter for the NLB VM, check "Enable spoofing of MAC Address", and click OK.  Then start the VM.
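
A guest-side check for the MAC and VIP symptoms listed above, as an added example (not part of the original post and not Microsoft's code): it parses English `ipconfig /all` output and compares it with the default NLB unicast cluster MAC, assumed here to be 02-BF followed by the four octets of the cluster IP in hex. The function names, the sample text and the 192.0.2.x addresses are constructed for illustration.

```powershell
# Constructed sample of English 'ipconfig /all' output (not from a real host):
# the VIP 192.0.2.10 was added by hand, but the adapter kept its original MAC.
$sample = @'
Ethernet adapter Local Area Connection 2:

   Physical Address. . . . . . . . . : 00-15-5D-00-0A-02
   IPv4 Address. . . . . . . . . . . : 192.0.2.21(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.0.2.10(Preferred)
'@

function Get-NlbUnicastMac([string]$ClusterIp) {
    # Assumption: default NLB unicast MAC = 02-BF + the four VIP octets in hex.
    $octets = $ClusterIp.Split('.') | ForEach-Object { '{0:X2}' -f [int]$_ }
    '02-BF-' + ($octets -join '-')
}

function Test-NlbUnicastBinding([string]$IpconfigText, [string]$ClusterIp) {
    $expected = Get-NlbUnicastMac $ClusterIp
    $adapters = @(); $current = $null
    # Collect the MAC and IPv4 addresses listed under each adapter heading.
    foreach ($line in ($IpconfigText -split "`r?`n")) {
        if ($line -match '^\S.*adapter (.+):\s*$') {
            $current = New-Object PSObject -Property @{ Name = $Matches[1]; Mac = ''; Ips = @() }
            $adapters += $current
        } elseif ($current -and $line -match 'Physical Address[ .]*: ([0-9A-Fa-f-]{17})') {
            $current.Mac = $Matches[1].ToUpper()
        } elseif ($current -and $line -match 'IPv4 Address[ .]*: ([0-9.]+)') {
            $current.Ips += $Matches[1]
        }
    }
    $macHit = @($adapters | Where-Object { $_.Mac -eq $expected })
    $vipHit = @($adapters | Where-Object { $_.Ips -contains $ClusterIp })
    if ($macHit.Count -eq 0 -and $vipHit.Count -eq 0) {
        "FAIL: no adapter has MAC $expected or VIP $ClusterIp"
    } elseif ($macHit.Count -eq 0) {
        # VIP present without the cluster MAC: the manual-VIP symptom (IP conflict risk).
        "FAIL: VIP $ClusterIp is on '$($vipHit[0].Name)' with MAC $($vipHit[0].Mac), expected $expected"
    } elseif ($macHit[0].Ips -notcontains $ClusterIp) {
        "WARN: '$($macHit[0].Name)' has MAC $expected but VIP $ClusterIp is not bound"
    } else {
        "OK: '$($macHit[0].Name)' has MAC $expected and VIP $ClusterIp"
    }
}

Test-NlbUnicastBinding $sample '192.0.2.10'
# On a live node: Test-NlbUnicastBinding (ipconfig /all | Out-String) '<cluster VIP>'
```

A FAIL result on a Hyper-V guest points back to the host-side "Enable spoofing of MAC Address" setting described above.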

 

Thanks,
Gary Jackman
Software Test Engineer
Clustering & High-Availability
Microsoft

  • This setting does not seem to be persistent across nodes in a Hyper-V R2 failover cluster. I enable it on one failover cluster node, then flip the NLB machine over to the other failover cluster node, but it is now disabled. I shut the NLB machine down, then flip it back to the first failover cluster node, and it is again disabled.

    Hence, NLB does not work in a Hyper-V cluster.

  • Hi Ian,

    These settings only persist within a switch (either physical or virtual).  So if all your LB-VMs are on a single node which uses a single virtual switch, things work.  If you have a 1:1 mapping of LB-VMs to cluster nodes (1 LB VM per node), and they are balanced using a physical switch and the VM is bound to the physical NIC, this works.  You can have multiple groups of LB-VMs within a single cluster.

    When you failover a VM to another node, it probably goes to a different switch (P or V), hence the setting does not persist.

    Thanks,

    Symon Perriman

    PM - Cluster & NLB

    Microsoft

  • Hi Symon,

    Thanks for the response. I'm a bit confused though; doesn't each Hyper-V node in the failover cluster, by definition, use its own virtual switch? If that is true (and I don't see how it couldn't be), then it seems to me that your only hope of getting this working is to have two NLB-VMs on the same node connected to the same virtual network. If the NLB-VMs are on different cluster nodes, won't they by definition be on different virtual switches and hence NLB will never work?

    Not understanding yet...

    Ian

  • Hi Guys.

    I too have NLB Virtual Machines on multiple Hyper-V R2 nodes and I am getting a lot of funnies. Can you guys confirm if the NLB Virtual Machines should be running on 1 single Hyper-V node?

    Shane

    shane.prince@za.didata.com

  • I am also having the same issues as Shane

  • wonderful article

  • Not only is MAC Address Spoofing an important consideration while setting up W2K8R2 NLB, but you would also like to make sure that Static MAC of the NLB is configured for the NLB NIC and then MAC spoofing enabled.

    Guys, do not forget this.

    If any of you have issues with Static Routes/unable to ping other VM's on the network or connectivity issues feel free to write me on savio_f1@hotmail.com

    Savio

  • Is this option available on Windows 8, Client Hyper-V? I don't see Enable spoofing of MAC Address option in client hyper-v.

  • Hi Gary,

    Can you help me with my below mentioned concern.

    ********************************************************************************

    I have VMware Workstation 8 wherein I have deployed Server 2008. Node1 has 2 NICs (10.1.1.5 and 192.168.1.49), Node 2 also has 2 NICs installed (10.1.1.10 and 192.168.1.50).

    The problem I am facing is that I can add Node1 to my cluster configured as 10.1.1.13 and it is getting converged with no problems, but Node 2 loses its network connectivity as soon as I add Node2 to my cluster. Node 2 fails with error message "NLB not bound"

    *********************************************************************************

    I would really appreciate if you can get me out of this mess !!

    Thanks,

    Karan Walia
