Wednesday, March 4, 2009

Hyper-V and VLANs

Hyper-V supports VLAN tagging. It has been brought to my attention that some folks might not be familiar with this concept, so let's cover the basics of VLAN tagging, how it works, and how it relates to Hyper-V.

If you are not already familiar with VLAN tagging, it can be described as a way to segment traffic on your network. VLAN is just an abbreviation for Virtual LAN. Is this specific to Hyper-V? No. VLAN tagging has been around for a while now, and it was originally implemented on physical switches and routers before it first appeared in virtual switches.

A Virtual LAN is accomplished by adding a VLAN tag to the header of an IP packet. In most environments this action is actually performed by a network switch.

Before switch and router vendors implemented VLAN tags, it was more common to achieve traffic isolation through subnetting (creating different subnets) or through physical traffic isolation (hard-wired isolation).

The important part to know about VLAN tags is that for them to work, all of your networking infrastructure must know how to handle them - since they affect the routing of the packets and are part of the TCP/IP packet itself.

Therefore, your routers and your switches must know how to evaluate a VLAN tag in order to determine where to route a particular packet.

There are many ways to implement VLAN tags in an infrastructure - the most common is to apply a VLAN tag to a switch port. In this model the switch adds the VLAN tag to all IP packets that flow through that port.

Just like physical switches, the virtual switches within Hyper-V can do this the same way.

In the virtual machine settings dialog you can assign a VLAN tag to the virtual machine. What this actually does is apply that tag to the port of the virtual switch, in the same way a physical switch does.

The only difference is that in the virtual world, the setting moves with the VM so you might not realize that the VLAN tag is actually a setting that is used by the virtual switch that runs within Hyper-V.

Now, can this be used to route traffic between virtual machines? Yes. Even if those virtual machines reside on different hosts.

(If you have VMs on the same host that need to talk privately, use an internal or private network.)

However - when the VM traffic leaves your Hyper-V host, it is now traveling on the physical wire. When it passes through a physical switch or router - those devices must know how to deal with a TCP/IP packet with a VLAN tag.

This is where the physical and virtual networking must support each other. If you decide to implement VLAN tags, then you are doing it across both the virtual and physical network devices.

Do you have to use VLAN tags? Not at all.

As I mentioned, before VLAN tags we used subnetting or physical isolation; all of these approaches can still be used.

Be sure to talk to your networking counterparts before you begin going down the road of VLAN tags as it can get complex pretty quickly.

2 comments:

Сашо said...

"adding a VLAN tag to the header of an IP packet" - I really hope you don't believe that!

BrianEh said...

That is not technically correct, I admit that. However, I feel that the description does relate the idea to a person that does not have any background in the concept. Which is who the post was intended for.

I would love a good, basic way to describe the concept without getting into the fine details of an IP packet (headers, frames, etc.).

I also like this description from Wikipedia: "The IT department assigns a unique VLAN per department. Edge switches on the corporate network are configured to insert an appropriate VLAN tag into all data frames arriving from equipment in a given department. After the frames are switched through the corporate network, the VLAN tag is stripped before the frame is sent back to the department's equipment, possibly at a different geographical location. In this way, traffic from one department cannot be leaked to or snooped from another department."

It also relates the concept well.

I refer to Wikipedia for the detailed, and in-depth description - that link is in the post.
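The port-based tagging model the post describes (a VLAN ID assigned to a switch port, which is what the per-VM setting on a Hyper-V virtual switch amounts to) and the edge-switch insert/strip behaviour quoted from Wikipedia above, as an added simulation that is not part of the original post or of Hyper-V itself. The frame contents, MAC addresses, port names and VLAN IDs are constructed for the example; the 802.1Q tag layout (TPID 0x8100 followed by a 16-bit TCI carrying the 12-bit VLAN ID, placed right after the source MAC in the Ethernet header) is the real one.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Build a plain, untagged Ethernet frame (header = dst MAC, src MAC, EtherType)."""
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return macs + struct.pack("!H", ethertype) + payload

def insert_vlan_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType.
    The tag lives in the Ethernet header; the IP packet carried inside is untouched."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id  # TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def read_vlan_tag(frame: bytes):
    """Return the VLAN ID of a tagged frame, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, restoring the original untagged frame."""
    return frame if read_vlan_tag(frame) is None else frame[:12] + frame[16:]

class AccessSwitch:
    """Port-based VLAN switch: every port belongs to exactly one VLAN, just as
    a VM's VLAN ID setting is really a setting on its virtual switch port."""
    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans  # constructed map {port name: VLAN ID}

    def forward(self, ingress_port: str, frame: bytes) -> dict:
        """Tag on ingress, deliver only to other ports in the same VLAN, strip the
        tag on egress. Returns {port: frame as the attached device receives it}."""
        if read_vlan_tag(frame) is not None:
            return {}  # an access port expects untagged frames; a tagged one is dropped
        tagged = insert_vlan_tag(frame, self.port_vlans[ingress_port])
        vid = read_vlan_tag(tagged)
        return {port: strip_vlan_tag(tagged)
                for port, pvid in self.port_vlans.items()
                if port != ingress_port and pvid == vid}

# Constructed sample: an IPv4 (EtherType 0x0800) broadcast from a VM's NIC.
SAMPLE_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0800, b"ip-packet")
# Constructed port map: two VM ports on different VLANs plus one physical uplink.
SWITCH = AccessSwitch({"vm-finance": 10, "vm-hr": 20, "uplink-finance": 10})

if __name__ == "__main__":
    for port, f in SWITCH.forward("vm-finance", SAMPLE_FRAME).items():
        print(port, f.hex())  # only the VLAN 10 uplink sees the frame, untagged again
```

Running it shows the frame from `vm-finance` reaching only `uplink-finance`, while `vm-hr` on VLAN 20 never receives it; the same isolation only holds across hosts if the physical switch on the uplink honours the tag, as the post notes.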