Network questions and Microsoft Virtual Network Switch Adapter

  • Question

  • Windows 2008 Enterprise with the Hyper-V role installed.

    The physical server has 2 onboard NICs configured as a team, and I assigned it an IP like 10.1.1.1.

    The physical server also has 2 PCI quad-port gigabit adapters, for a total of 8 interfaces.

    I created a virtual machine that was to be located in another network (10.2.1.1). For this purpose I created a virtual network via the Hyper-V MMC with connection type "external" and chose an interface connected to the 10.2.x.x network; then I assigned that network to the VM just created.

    It works fine.

    However, when I execute an IPCONFIG command via DOS, I notice a strange thing.

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::7a:a4ea%24
       IPv4 Address. . . . . . . . . . . : 10.2.10.18
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 10.2.0.1

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::41d1:166dc%22
       IPv4 Address. . . . . . . . . . . : 10.1.1.1
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.1.1.1

    Ethernet adapter Local Area Connection 10:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    and a series of disconnected adapters follows here...

    I expected that my host machine, with the explicit IP address 10.1.1.1 assigned, should only have that IP and not be reachable from another network created ONLY to be used with virtual machines.

    If I ping the Hyper-V host (expected to be only in 10.1.x.x) from a 10.2.x.x client, it correctly replies.. but I want it in a DMZ (10.1.x.x) and I bought 2 different NICs for this purpose.

    This gives me a big security problem, because the firewall has specific rules for each network and this strange behavior leaves the server open to security issues.

    I listed the network connections and I can see the "Microsoft Virtual Network Switch Adapter"; here is a picture of what I am describing: http://img155.imageshack.us/img155/8173/81078714.gif

    How can I totally ISOLATE the physical server from being accessed by other virtual network IPs?

    I hope to have been clear; any help much appreciated.

    Best regards.

    Wednesday, June 17, 2009 10:05 AM

Answers

  • Assuming that you ran IPCONFIG at a command prompt on the Hyper-V host...

    You need to disable the NIC labeled "Ethernet adapter Local Area Connection 2".

    Here is the behavior:
    When an external (or internal) virtual network switch is created in Hyper-V, the parent partition is given a virtual NIC that is attached to this virtual network switch.

    Therefore, if you create an external virtual network, the physical NIC is taken from the host and attached to a virtual network switch; then a port on that virtual network switch is plugged back into the host (this is a Microsoft Virtual Network Switch Adapter), and when you modify the settings of a VM, that VM is also plugged into a port of the virtual network switch.

    It is this Microsoft Virtual Network Switch Adapter, given to the host by default, that needs to be disabled, as this is how an additional NIC is presented, thus multi-homing your host.

    This is default behavior and MSFT is fully aware that it is confusing and it is changing.

    In R2 you will be able to manage this behavior on an External Network Switch with a simple check box.

    (This is an extremely popular topic in this forum.)


    Brian Ehlert (hopefully you have found this useful)
    • Marked as answer by Fabri_Fabri Thursday, June 18, 2009 9:10 AM
    Wednesday, June 17, 2009 2:57 PM
    Moderator
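The multi-homing Brian describes can be audited and undone from PowerShell on Windows Server 2012 and later, where the Hyper-V module exposes the same setting as the R2 check box he mentions. This is an added example, not code from the thread; it assumes the Hyper-V and NetTCPIP PowerShell modules are present (they are not on the 2008 host in the question, where the adapter must be disabled by hand as answered above).

```powershell
# Added example: find external Hyper-V switches that also hand the parent
# partition a host vNIC (the "Microsoft Virtual Network Switch Adapter"
# discussed above), which gives the host a second address on the VM network.
# Assumes the Hyper-V module (Windows Server 2012 or later); hypothetical
# function name Get-HostSharedSwitch.
Import-Module Hyper-V

function Get-HostSharedSwitch {
    # One object per external switch whose management-OS sharing is enabled.
    Get-VMSwitch |
        Where-Object { $_.SwitchType -eq 'External' -and $_.AllowManagementOS } |
        ForEach-Object {
            $sw = $_
            # The host-side switch port appears as a management-OS vNIC.
            $hostNics = @(Get-VMNetworkAdapter -ManagementOS |
                Where-Object { $_.SwitchName -eq $sw.Name })
            # Any IPv4 address bound to it is one the host will answer on,
            # bypassing whatever firewall zone the host NIC was meant to live in.
            $ips = Get-NetAdapter -Name "vEthernet ($($sw.Name))" -ErrorAction SilentlyContinue |
                Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty IPAddress
            [pscustomobject]@{
                Switch    = $sw.Name
                HostVNics = $hostNics.Count
                HostIPv4  = ($ips -join ', ')
            }
        }
}

# Report first; set $Remediate to $true only after confirming the host's own
# management NIC is a separate, non-virtualised adapter (as in the question).
$Remediate = $false
$findings = Get-HostSharedSwitch
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        # Same effect as clearing "Allow management operating system to share
        # this network adapter": the host port is removed from the switch and
        # VMs keep their access while the parent partition stays single-homed.
        Set-VMSwitch -Name $f.Switch -AllowManagementOS $false
    }
}
```

Run the report on each Hyper-V host after creating a new external switch; the asker's follow-up question (whether a future external network will add another such adapter) is answered by whether a new row appears.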

All replies

  • Thanks Brian, I appreciate your help and your time very much.

    I disabled it and it works.

    Do you know if, when I create another external network in the future, the Microsoft virtual switch adapter will be enabled again or another one created?

    Thanks.
    Thursday, June 18, 2009 9:10 AM