What is an internal virtual switch


December 23, 2020
Last updated on May 13, 2022

The functionality of a virtual switch is to connect different segments of a network—it’s quite similar to that of an Ethernet switch, with added security controls provided specifically for virtual environments. A virtual switch differs from a hub in that it does not broadcast data packets across all ports. Instead, it filters and forwards selective data traffic based on the media access control (MAC) addresses, decreasing the overall network response time. 

In this article, we explain the features offered by a Hyper-V virtual switch and the use cases where it is used.

Hyper-V Virtual Switch Definition

In a virtualized environment, the network layer is abstracted, just like the computer and storage layer. A virtual switch connects virtual machines (VMs) with both virtual and physical networks. This allows virtual machines to exchange data traffic between one another as well as with the organization’s intranet and the internet.

In a Hyper-V infrastructure, a Hyper-V virtual switch is the software counterpart of an Ethernet network switch. It is available by default in the Hyper-V Manager on a Hyper-V host. It provides powerful security features to isolate network segments and to inspect and control data traffic. Being software-based, a Hyper-V switch is highly configurable, and its features can be extended through plugins called Virtual Switch Extensions, allowing third-party vendors to add to its functionality and enhance its security features and networking capabilities. It can enable you to enforce your organization’s security policy and ensure adherence to service-level agreements (SLAs).

Hyper-V Virtual Switch Functionality

The biggest benefit is that, unlike physical switches, a Hyper-V virtual switch can be configured and managed programmatically. Its functionality and security features can also be extended through additional plugins, using Network Device Interface Specification (NDIS) filters and the Windows Filtering Platform (WFP).

A virtual switch can enhance the security of the Hyper-V environment by:

  • Providing protection against Address Resolution Protocol (ARP) spoofing or Neighbor Discovery (ND) spoofing, in which a malicious VM can steal and impersonate the internet protocol (IP) address of legitimate VMs in the network.
  • Protecting against man-in-the-middle attacks in which a malicious VM can present itself as a Dynamic Host Configuration Protocol (DHCP) server.
  • Filtering data packets based on MAC addresses or IP addresses using port Access Control Lists (ACLs), allowing administrators to isolate network segments. In a multi-tenant environment, administrators can easily create isolated virtual local area networks (VLANs) inside a VLAN, allowing or preventing VMs from communicating with other VMs on a similar VLAN.
  • Allowing network administrators to monitor incoming and outgoing traffic.
  • Supporting VLAN trunk mode, allowing a VM to see traffic from multiple VLANs.
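
The per-adapter protections in the list above can be audited from the host with the Hyper-V PowerShell module. The script below is an added example, not part of the original article: it reports every VM network adapter whose DHCP guard is off and counts its port ACL rules, and it also checks router guard and MAC address spoofing, two related per-adapter settings the article does not name. The VM names in the allowlists are hypothetical.

```powershell
# Added example. Run elevated on the Hyper-V host; needs the Hyper-V PowerShell module.
param([switch]$Remediate)

# Assumptions (hypothetical names): VMs allowed to act as a DHCP server or a router.
$dhcpServers = @('infra-dhcp01')
$routers     = @('edge-fw01')

$findings = foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
    # Collect the Set-VMNetworkAdapter parameters needed to harden this adapter.
    $fix = @{}
    if ($nic.DhcpGuard -ne 'On' -and $nic.VMName -notin $dhcpServers) {
        $fix.DhcpGuard = 'On'            # drop DHCP server replies sent by this VM
    }
    if ($nic.RouterGuard -ne 'On' -and $nic.VMName -notin $routers) {
        $fix.RouterGuard = 'On'          # drop router advertisements sent by this VM
    }
    if ($nic.MacAddressSpoofing -eq 'On') {
        # Some workloads (for example nested virtualization) need this setting;
        # review the report before running with -Remediate.
        $fix.MacAddressSpoofing = 'Off'
    }

    # Port ACL rules (MAC- or IP-based) currently attached to this adapter.
    $acls = @(Get-VMNetworkAdapterAcl -VMNetworkAdapter $nic)

    $changed = [bool]($Remediate -and $fix.Count -gt 0)
    if ($changed) {
        Set-VMNetworkAdapter -VMNetworkAdapter $nic @fix
    }

    [pscustomobject]@{
        VM         = $nic.VMName
        Adapter    = $nic.Name
        Switch     = $nic.SwitchName
        ToChange   = ($fix.Keys | Sort-Object) -join ', '
        AclRules   = $acls.Count
        Remediated = $changed
    }
}

# Adapters with an empty ToChange column already match the baseline.
$findings | Sort-Object VM, Adapter | Format-Table -AutoSize
```

Without `-Remediate` the script only reports, which makes it safe to run on a schedule and diff against the previous result.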

There are several other benefits of a Hyper-V virtual switch, such as specifying minimum reserved bandwidth, capping maximum bandwidth for a VM, convenient traffic monitoring, and Explicit Congestion Notification (ECN) marking, which is used for notifying administrators before the switch’s buffer resources are consumed entirely.

Virtual Switch Types

The Hyper-V virtual switch can be configured to operate in three different modes:

  • Private. A private virtual switch only allows communication between the VMs that are deployed on the same host. It does not allow VMs to communicate with the Hyper-V host or any network outside the Hyper-V host.
  • Internal. A Hyper-V virtual switch configured in internal mode operates quite similarly to a private virtual switch, except that it also allows communication between the VMs and their Hyper-V host.
  • External. An external virtual switch allows VMs deployed on a host to connect with the outside world. It is connected to the physical adapter installed on the Hyper-V host so that the VMs can connect with the physical network outside the Hyper-V host. It is also the most commonly used Hyper-V virtual switch mode.

Both private and internal switch modes are used strictly to isolate traffic. The traffic never leaves the virtual switch unless a router or a routing mechanism is in place. The virtual adapters cannot connect directly with adapters on other VMs; therefore, an external virtual switch connects with the physical adapter on the host machine to connect with the external physical network.

Hyper-V Virtual Switch Use Cases

Management Packages

Developers can implement management packages for querying the configuration settings, capabilities, and other network statistics for different ports for the Hyper-V virtual switch by using Windows Management Instrumentation (WMI). This allows network administrators to quickly glance at displayed statistics so they can stay updated on the state of the virtual switch.  

Allocation of Resources

Through the Hyper-V virtual switch, network administrators can programmatically allocate resources to VMs and track bandwidth usage and the VMs that are assigned Virtual Machine Queue (VMQ) or input/output virtualization (IOV) channels. A Hyper-V switch allows for resource tracking: monitoring the resources assigned to each VM as well as the resources currently in use. This functionality can be useful for hosting companies that offer different packages based on the required network performance.

Security

Another use case involves security. Organizations often install extensions to the Hyper-V hosts for added security. The order of these extensions may change when updates are installed. But the Hyper-V virtual switch allows the administrators to run a script for restoring the original order after upgrading.  

An organization may utilize an extension for implementing networking policies, including VLAN ID management. In such a scenario, the Hyper-V virtual switch will hand over the task of VLAN management to the extension program. The program can use the WMI application programming interface (API) to turn on transparency, and the Hyper-V virtual switch will let the VLAN tags pass. 

The Main Features of a Hyper-V Virtual Switch

  • Ethernet Frame Switching
    • The Hyper-V virtual switch is able to read the MAC addresses in an Ethernet packet and deliver it to the correct destination if it is present on the virtual switch.
  • SR-IOV (Single Root I/O Virtualization)
    • SR-IOV requires compatible hardware, both on your motherboard and physical network adapter(s). When enabled, you will have the option to connect a limited number of virtual adapters directly to Virtual Functions — special constructs exposed by your physical network adapters.
  • 802.1q VLAN, Access Mode
    • Virtual adapters for both the management operating system and virtual machines can be assigned to a VLAN. It will only deliver Ethernet frames to virtual adapters within the same VLAN, just like a physical switch.
  • 802.1q VLAN, Trunk Mode
    • This setting applies only to individual network adapters. When you configure a virtual adapter in trunk mode, Hyper-V will pass allowed frames with the 802.1q tag intact. If the software in the virtual machine does not know how to process frames with those tags, the virtual machine’s operating system will treat the frames as malformed and drop them.
  • 802.1p Quality of Service
    • 802.1p uses a special part of the Ethernet frame to mark traffic as belonging to a particular priority group. All switches along the line that can speak 802.1p will then prioritize it appropriately.
  • Hyper-V Quality of Service
    • Hyper-V has its own quality of service for its virtual switch, but unlike 802.1p, it does not extend to the physical network. You can guarantee a minimum and/or limit the outbound speed of a virtual adapter when your virtual switch is in Absolute mode, and you can guarantee a minimum and/or lock a maximum outbound speed for an adapter when your switch is in Weight mode.
  • Extensibility
    • Microsoft publishes an API that anyone can use to make their own filter drivers for the Hyper-V virtual switch. For instance, System Center Virtual Machine Manager provides a driver that enables Hardware Network Virtualization (HNV). Other possibilities include network scanning tools.
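
Because a trunk-mode adapter receives frames from several VLANs, it is worth knowing exactly which adapters are configured that way. The script below is an added example, not part of the original article: it lists the 802.1q mode of every VM adapter and flags trunk-mode adapters that are not on an approved list. The adapter names in that list are hypothetical.

```powershell
# Added example. Run elevated on the Hyper-V host; needs the Hyper-V PowerShell module.

# Assumption (hypothetical entries): adapters approved for trunk mode, as 'VMName/AdapterName'.
$approvedTrunks = @('edge-fw01/Network Adapter')

$report = foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
    $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
    $key  = '{0}/{1}' -f $nic.VMName, $nic.Name
    $mode = [string]$vlan.OperationMode      # Untagged, Access, Trunk or Private

    # Summarise which VLANs this adapter can exchange frames with.
    $vlans = ''
    if ($mode -eq 'Access') {
        $vlans = [string]$vlan.AccessVlanId
    } elseif ($mode -eq 'Trunk') {
        $vlans = 'native {0}; allowed {1}' -f $vlan.NativeVlanId,
                 ($vlan.AllowedVlanIdList -join ',')
    }

    [pscustomobject]@{
        Adapter = $key
        Switch  = $nic.SwitchName
        Mode    = $mode
        Vlans   = $vlans
        # Trunk mode exposes several VLANs to one guest, so it needs an owner.
        Review  = ($mode -eq 'Trunk' -and $key -notin $approvedTrunks)
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize

# To move a flagged adapter back to access mode on a single VLAN
# (constructed VM name and VLAN ID):
# Set-VMNetworkAdapterVlan -VMName 'web01' -Access -VlanId 20
```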

Easily Manage VMs with Parallels RAS

Parallels® Remote Application Server (RAS) helps IT administrators manage VMs running on different hypervisors, including Microsoft Hyper-V and VMware ESXi, all under a single infrastructure. By doing so, Parallels RAS provides the flexibility required for leveraging the combined benefits of several hyperconverged infrastructure providers.

With Parallels RAS, administrators can easily deploy and manage a large pool of VMs. Administrators can utilize customized templates to deploy several guest VMs on the go. Administrators can monitor and manage all current virtual desktop infrastructure (VDI) sessions through a desktop-based console as well as a web-based console.

Easily deploy and manage as many VMs as you wish on your preferred hypervisors!


What is the difference between a private and an internal virtual switch?

Internal switch: Isolates the virtual machines but allows network switching between the Hyper-V host and the virtual machines.
Private switch: Completely isolates the network from virtual machines.

What are the three types of virtual switches?

Hyper-V enables admins to create three different types of virtual switches: external, internal and private.

  • External virtual switch. This switch type is bound to a physical network adapter and provides connected VMs with physical network access. ...
  • Internal virtual switch. ...
  • Private virtual switch.

What is external virtual switch?

A Hyper-V virtual switch in external mode allows communications between virtual adapters connected to virtual machines and the management operating system. It uses single or teamed physical adapters to connect to a physical switch, thereby allowing communications with other systems.

How do I create an internal virtual switch?

Create a virtual switch by using Hyper-V Manager:

  1. Open Hyper-V Manager, select the Hyper-V host computer name.
  2. Select Action > Virtual Switch Manager.
  3. Choose the type of virtual switch you want. ...
  4. Select Create Virtual Switch.
  5. Add a name for the virtual switch.
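
The Hyper-V Manager steps above, and the private/internal/external distinction from the "Virtual Switch Types" section, can be scripted with the Hyper-V PowerShell module. The script below is an added example, not part of the original article: it creates an internal switch only if it does not exist yet, then reports what each VM adapter can reach based on its switch type. The switch name, the VM names and the policy that those VMs may only use private switches are assumptions.

```powershell
# Added example. Run elevated on the Hyper-V host; needs the Hyper-V PowerShell module.

# Assumptions (hypothetical names): the switch to create, and VMs that
# policy restricts to Private switches only.
$switchName  = 'Lab-Internal'
$isolatedVMs = @('sandbox01', 'sandbox02')

# Idempotent equivalent of the Hyper-V Manager steps: create only if absent.
$existing = Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VMSwitch -Name $switchName -SwitchType Internal | Out-Null
} elseif ([string]$existing.SwitchType -ne 'Internal') {
    Write-Warning "$switchName exists but is $($existing.SwitchType), not Internal."
}

# Map switch name -> type so each adapter's reach can be reported.
$typeOf = @{}
Get-VMSwitch | ForEach-Object { $typeOf[$_.Name] = [string]$_.SwitchType }

$report = foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
    $type = if ($nic.SwitchName) { $typeOf[$nic.SwitchName] } else { 'Disconnected' }
    $reach = switch ($type) {
        'Private'  { 'VMs on this switch only' }
        'Internal' { 'VMs on this switch and the Hyper-V host' }
        'External' { 'Physical network through the host adapter' }
        default    { 'None' }
    }
    [pscustomobject]@{
        VM         = $nic.VMName
        Adapter    = $nic.Name
        Switch     = $nic.SwitchName
        SwitchType = $type
        Reach      = $reach
        # An isolated VM on an Internal or External switch can reach the
        # host or the physical network, which breaks the assumed policy.
        Violation  = ($nic.VMName -in $isolatedVMs) -and
                     ($type -in 'Internal', 'External')
    }
}

$report | Sort-Object Violation -Descending | Format-Table -AutoSize
```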