One of the keys to keeping a virtualization infrastructure secure and running smoothly is to isolate network traffic based on its function. For example, many organizations reserve a virtual network adapter specifically for management traffic so that management traffic does not have to share the same virtual network adapter as general purpose user traffic.
Of course, there is more to separating out the different types of traffic than simply routing that traffic across separate virtual network segments. Each type of network traffic has its own security and bandwidth requirements. System Center Virtual Machine Manager (VMM) provides a framework that makes it possible to not only separate various types of traffic from one another, but also to apply constraints based on the traffic type. This is done through the use of logical switches and port profiles.
Let’s pretend for a moment that you wanted to reserve a specific network adapter for management traffic. In Hyper-V, physical network adapters get bound to virtual switches, but VMM allows you to take things a step further. You could create a logical switch, and then apply the Host Management port profile to that logical switch. From there, you would assign the logical switch to the virtual switch that is linked to the physical adapter.
VMM provides a number of prebuilt port profiles that you can use for various purposes. For example, the previously mentioned Host Management port profile can be applied when the goal is to allow a port to be used for the management of a host. In contrast, the iSCSI Workload port profile can be applied to adapters that will be used to establish iSCSI connectivity to SAN resources. You can see VMM’s collection of built-in port profiles in the figure below.
As you can see in the screenshot above, the port profiles are listed within the Networking section of the Fabric workspace. Roughly a dozen port profiles are included with VMM by default.
Create your own custom-built port profiles
What might not be quite so obvious from the screen capture above is that VMM allows you to create your own custom-built port profiles. To do so, just right-click on the Port Profiles container and then choose the Create Hyper-V Port Profile command from the shortcut menu. You can see an example of this in the next figure.
Upon doing so, VMM will launch the Create Virtual Network Adapter Port Profile wizard. The wizard’s General screen, which is shown in the next screenshot, allows you to enter a name and a detailed description of the port profile that you are creating.
Virtual network adapter port profile or an uplink port profile?
This screen also requires you to choose the port profile type. You can opt to create a virtual network adapter port profile or an uplink port profile. All of the built-in port profiles are virtual. An uplink port profile allows you to implement load balancing and NIC teaming.
When you are done, click Next. If you are creating an uplink port profile, then you will be taken to a screen that prompts you to select the network sites that will be supported by the profile. Otherwise, if you are creating a virtual profile, there will be several additional screens to work through. The remainder of this article is based around the creation of a virtual network adapter port profile.
With that said, the next screen that you will see is the Offload Settings screen, which you can see in the next figure. This screen allows you to choose which functions you wish to offload to the underlying hardware. For instance, you might opt to offload virtual machine queuing or IPSec encryption. Keep in mind that task offloading requires the host to be equipped with hardware that supports offloading.
Click Next, and you will be taken to the Security Settings screen, which is shown in the next figure. This is where you choose the security settings that you wish to apply to the port profile that you are creating. The appropriate selection will vary widely depending on what the port profile will be used for. For example, the Guest Dynamic IP Properties profile allows the use of guest-specified IP addresses, while the SR-IOV port profile allows guest teaming. Incidentally, many of the built-in port profiles do not have any security settings associated with them.
Click Next, and you will be taken to the Bandwidth Settings screen, which you can see in the next figure. As you would probably expect, this screen allows you to define a series of bandwidth limits for the port profile that you are creating. Specifically, you can define the minimum bandwidth (in Mbps), the maximum bandwidth (also in Mbps), and the minimum bandwidth weight.
Once you have defined any desired bandwidth allocations, click Next. Upon doing so, you will be taken to a summary screen that displays all of the settings that you have configured through the wizard. Take a moment to review these settings. If everything appears to be correct, then click Finish. When you do, VMM will create the new port profile.
Don’t forget the logical switch
Keep in mind that the port profile that you have created does not do anything by itself. In order to put your new port profile to work, you will need to create a logical switch, and then apply the port profile to the logical switch. It is also worth noting that creating a logical switch requires you to choose a port classification, which is different from a port profile. A port classification is just a descriptive label, whereas a port profile applies security and bandwidth-related configurations to the port.
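The wizard steps above and the logical switch binding can also be scripted with the VMM PowerShell module. The following is an added example, not part of the original article: it creates a virtual network adapter port profile, lists existing profiles whose security settings are permissive, and pairs the new profile with a port classification on a logical switch. The server, profile, switch and classification names and the bandwidth numbers are placeholders, and the property names read in the review function are assumed to match the cmdlet's parameter names.

```powershell
# Added example. Assumes the VMM console (virtualmachinemanager module) is installed
# and that the logical switch and port classification named below already exist.
Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName 'vmm01.example.test' | Out-Null   # placeholder server

# One entry per wizard field; all names and numbers are constructed values.
$profileArgs = @{
    Name                                      = 'Mgmt-Restricted'   # General screen
    Description                               = 'Host management virtual adapters'
    EnableVmq                                 = $true               # Offload Settings
    EnableIPsecOffload                        = $true
    EnableIov                                 = $false
    AllowMacAddressSpoofing                   = $false              # Security Settings
    EnableDhcpGuard                           = $true
    EnableRouterGuard                         = $true
    AllowTeaming                              = $false              # guest teaming
    AllowIeeePriorityTagging                  = $false
    EnableGuestIPNetworkVirtualizationUpdates = $false              # guest-specified IPs
    MinimumBandwidthWeight                    = 10                  # Bandwidth Settings
    MaximumBandwidthAbsoluteInMbps            = 1000
}
$portProfile = New-SCVirtualNetworkAdapterNativePortProfile @profileArgs

# Review step: list profiles that allow MAC spoofing or leave DHCP/router guard off.
# Property names are assumed to mirror the parameter names used above.
function Get-PermissivePortProfile {
    Get-SCVirtualNetworkAdapterNativePortProfile | Where-Object {
        $_.AllowMacAddressSpoofing -or -not $_.EnableDhcpGuard -or -not $_.EnableRouterGuard
    } | Select-Object Name, AllowMacAddressSpoofing, EnableDhcpGuard, EnableRouterGuard, AllowTeaming
}
Get-PermissivePortProfile | Format-Table -AutoSize

# The profile takes effect only once a logical switch pairs it with a port
# classification. Both names below are placeholders for objects in your fabric.
$switch = Get-SCLogicalSwitch -Name 'LS-Datacenter'
$class  = Get-SCPortClassification -Name 'Host management'
New-SCVirtualNetworkAdapterPortProfileSet -Name 'Mgmt-Restricted' `
    -LogicalSwitch $switch -PortClassification $class `
    -VirtualNetworkAdapterNativePortProfile $portProfile
```

Because many built-in profiles carry no security settings, expect the review function to list them; treat its output as a list to check against each profile's intended use.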