Howto create a Virtual Swich for External without creating a Virtual NIC on the root

re: Howto create a Virtual Swich for External without creating a Virtual NIC on the root

Stepping Stone — Thu, 04 Dec 2008 09:16:06 GMT

Hi Robert,

Good information! I've been looking for more information on this. Can you elaborate on the "configurations" or "scenarios" where this would be beneficial.

Also with regards to disabling or unbinding the protocols, would this provide additional security, especially when the host server is physically connected to the internet? Even on the private side, most configurations we have run into, very few define the IPV4 or IPV6 stacks; running them as dymanic IPs. Would it be possible, hack their subnets and spin up a DHCP server and started sending trash IPs over so when they attempted to connected to the host box……DOS. Which brings me to another question, should those virtual nics’ IP be define and if so, what IPV4 and IPV6 subnets, same or different subnet? Thanks!

Best regards,

Bryant Fong

re: Howto create a Virtual Swich for External without creating a Virtual NIC on the root

robertvi — Fri, 05 Dec 2008 15:12:30 GMT

Hi Bryant,

it depends on which Networks/Subnets you connect your NICs. A common scenario is to have multiple NICs in the same host connected to the same subnet. You use one as dedicated for the host, but all the autocreated ones are then redundant. The host has then multiple ways to talk to the same subnet and will pick one he thinks to be the best one. No load balancing or failover will take place in this scenario though.

It's not desireable that the host picks one of the autocreated ones. So in this configuration I'd recommend to disable them or use the script, so you don't get them in the first place.

If your host needs to be multihomed in different subnets, you will need the autocreated NICs.

Regarding security, if your VMs are connected via the switch to a "unsecure" network, having the autocreated NIC enabled, with bindings, exposes the host as well to this network. Just as without Hyper-V..

Cheers

Robert

re: Howto create a Virtual Swich for External without creating a Virtual NIC on the root

Stepping Stone — Sun, 07 Dec 2008 09:02:01 GMT

Hi Bryant,

my script is essentially creating a Dedicated Virtual NIC as John describes.

Disabling the autocreated NIC's or creating Dedicated Virtual NICs doesn't put more load on the host.

When a VM needs to talk to the host, one might be concerned that the traffic then goes outside the box and will be reflected by the switch. If this traffic is huge (e.g Backup of the VM) I'd think about another Private Network between Host and VMs.

Cheers

Robert

Hi Robert,

Great info. So, let me confirm here. A few of my colleague have this notion that unbinding the nic puts all the traffic on the Host/Parent Nic which essentially opens the door to create additional security nightmares:

Either running the scripts above or disable (clearing) the all the binds for the protocols/services, limits how the host/parent partition from being access.

Also I found this link: - http://blogs.technet.com/jhoward/archive/2008/06/17/hyper-v-what-are-the-uses-for-different-types-of-virtual-networks.aspx

Which mentions a forth network type called “dedicated virtual network” / Parent partition to externally located servers. Would that be the same as what your script is trying to do? Thanks again!