Enable RSS on all Virtual Machines with PowerShell #vRSS #Hyper-V

Hello Folks,

In Windows Server 2012 R2, Microsoft worked to improve networking workloads inside the Virtual Machine. Back in Windows Server 2012 we had a bottleneck inside the host, limited to one core, and another bottleneck inside the VM, again limited to one core. We needed to expand that and let a Virtual Machine use multiple cores both in the host and inside the VM, so Microsoft introduced a new feature in Windows Server 2012 R2 called Virtual Receive Side Scaling (vRSS).

With vRSS, we are now able to turn RSS on inside the VM and spread the load across multiple cores, just as we would on a physical host; you can treat the VM as if it were the physical host. As soon as you turn on RSS inside the VM, the load automatically gets spread inside the host as well, because the host side logically uses VMQ to spread the traffic from 1 core up to 16 cores.

If you would like to deep dive into VMQ and RSS, here is the 3-part series VMQ Deep Dive.

Let’s see now vRSS in action:

I want to point out that the demo VM I am using has 8 virtual processors with one vNIC, and the host has four physical 1GbE NICs teamed, with one CPU socket (quad core).

With RSS turned off you can see that the network workload is using 1 core only and the maximum network throughput is around 2Gbps.


So in order to eliminate that bottleneck of 1 CPU, with vRSS you jump into your VM and set the network adapter RSS to true; RSS is now enabled on that machine and here is the result :)

PS C:\> Set-NetAdapterRss -Name * -Enabled $true

As you can see, the network throughput immediately went from 2Gbps to 3.3Gbps, and all 8 VPs are active now.




vRSS is able to expand the throughput to the VM from around 3Gbps all the way to 10Gbps on 10Gbps network cards. Microsoft confirmed that it can go higher with 40Gbps cards, but the result depends heavily on the CPU of the server.

The question that might come up… What if I have many Virtual Machines on that host, and I want to turn on RSS automatically on all VMs instead of logging into each VM and enable RSS?

The answer is WMI and PowerShell!

With the help of well-respected fellow MVP Yusuf Ozturk (http://www.yusufozturk.info/), I modified the following script, which retrieves all VM guest hostnames from the host and turns on RSS automatically :) It requires Hyper-V 2012 R2.

function Get-VMGuestInfo
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(
            Mandatory = $true,
            HelpMessage = 'Virtual Machine Name')]
        $VMName,

        [Parameter(
            Mandatory = $false,
            HelpMessage = 'Hyper-V Host Name')]
        $HyperVHost = "localhost",

        [Parameter(
            Mandatory = $false,
            HelpMessage = 'Debug Mode')]
        [switch]$DebugMode = $false
    )

    # Enable Debug Mode
    if ($DebugMode)
    {
        $DebugPreference = "Continue"
    }
    else
    {
        $ErrorActionPreference = "silentlycontinue"
    }

    $VMState = (Get-VM -ComputerName $HyperVHost -Name $VMName).State
    if ($VMState -eq "Running")
    {
        # Converts one KVP exchange item (CIM XML) into an object with Name/Data properties
        filter Import-CimXml
        {
            $CimXml = [Xml]$_
            $CimObj = New-Object -TypeName System.Object
            foreach ($CimProperty in $CimXml.SelectNodes("/INSTANCE/PROPERTY"))
            {
                if ($CimProperty.Name -eq "Name" -or $CimProperty.Name -eq "Data")
                {
                    $CimObj | Add-Member -MemberType NoteProperty -Name $CimProperty.NAME -Value $CimProperty.VALUE
                }
            }
            $CimObj
        }

        $VMConf = Get-WmiObject -ComputerName $HyperVHost -Namespace "root\virtualization\v2" -Query "SELECT * FROM Msvm_ComputerSystem WHERE ElementName like '$VMName' AND caption like 'Virtual%' "
        $KVPData = Get-WmiObject -ComputerName $HyperVHost -Namespace "root\virtualization\v2" -Query "Associators of {$VMConf} Where AssocClass=Msvm_SystemDevice ResultClass=Msvm_KvpExchangeComponent"
        $KVPExport = $KVPData.GuestIntrinsicExchangeItems
        if ($KVPExport)
        {
            # Get KVP Data
            $KVPExport = $KVPExport | Import-CimXml

            # Get Guest Hostname
            $VMHostname = ($KVPExport | where {$_.Name -eq "FullyQualifiedDomainName"}).Data
        }
        else
        {
            # Integration services not reporting KVP data
            $VMHostname = "Unknown"
        }
    }
    else
    {
        # VM is not running
        $VMHostname = "Unknown"
    }

    $Properties = New-Object Psobject
    $Properties | Add-Member Noteproperty VMHostname $VMHostname
    Write-Output $Properties
}

$HyperVHost = "localhost"
$ListPath = "C:\Temp\VMs.txt"

# Start from an empty list so hostnames do not accumulate across runs
Remove-Item -Path $ListPath -ErrorAction SilentlyContinue

$VMs = Get-VM -ComputerName $HyperVHost
foreach ($VM in $VMs)
{
    $VMName = $VM.Name
    $VMHostName = (Get-VMGuestInfo -VMName $VMName -HyperVHost $HyperVHost).VMHostName
    # Only keep guests whose hostname could be read from KVP
    if ($VMHostName -and $VMHostName -ne "Unknown")
    {
        Add-Content -Value $VMHostName -Path $ListPath
    }
}

# Get Domain Credentials
$cred = get-credential "Domain\User"

# Turn on RSS on all running Guests
Invoke-Command -ComputerName (Get-Content $ListPath) -Credential $cred -ScriptBlock {Set-NetAdapterRss -Name * -Enabled $true}
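As an added example (not part of the original post or Yusuf's script), here is a reporting function that reads the same C:\Temp\VMs.txt list and checks the RSS state of every guest, so you can verify the change took effect and spot any vNIC that still reports RSS disabled. It assumes WinRM is reachable in the guests; the Get-NetAdapterRss properties used (Enabled, MaxProcessors, NumberOfReceiveQueues) are the ones the NetAdapter module returns.

```powershell
# Added example: report the vRSS state of every guest listed by the script above.
# Assumes C:\Temp\VMs.txt holds one guest FQDN per line and WinRM is enabled in the guests.
function Get-GuestRssReport {
    [CmdletBinding()]
    param (
        [string]$ListPath = 'C:\Temp\VMs.txt',
        [Parameter(Mandatory = $true)]
        [pscredential]$Credential
    )

    # Skip blank lines and guests whose hostname the KVP query could not resolve
    $guests = Get-Content -Path $ListPath |
              Where-Object { $_ -and $_ -ne 'Unknown' } |
              Sort-Object -Unique

    foreach ($guest in $guests) {
        try {
            $adapters = Invoke-Command -ComputerName $guest -Credential $Credential -ErrorAction Stop -ScriptBlock {
                Get-NetAdapterRss | Select-Object Name, Enabled, MaxProcessors, NumberOfReceiveQueues
            }
        }
        catch {
            # Unreachable guest: report it instead of silently skipping it
            [pscustomobject]@{
                Guest         = $guest
                Adapter       = $null
                RssEnabled    = $null
                MaxProcessors = $null
                Queues        = $null
                Status        = "Unreachable: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($a in $adapters) {
            [pscustomobject]@{
                Guest         = $guest
                Adapter       = $a.Name
                RssEnabled    = $a.Enabled
                MaxProcessors = $a.MaxProcessors
                Queues        = $a.NumberOfReceiveQueues
                Status        = if ($a.Enabled) { 'OK' } else { 'RSS disabled' }
            }
        }
    }
}

# Usage: Get-GuestRssReport -Credential (Get-Credential 'Domain\User') | Format-Table -AutoSize
```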

Give it a try and see how it works.

Enjoy your day!


Posted in Hyper-V, Network

Live Migration Comparison over TCP/IP, Compression, and SMB MultiChannel with Hyper-V 2012 R2

Hello Folks,

Need for speed? Well, I have two Hyper-V beasts clustered, running on top of HP ProLiant DL380p Gen8 servers with the following specs:

  • 2 Sockets, 8 Cores each @ 2.69GHz = 32 Logical processors
  • 8 X 1 Gbps NICs (leveraging Hyper-V Converged Network with Network teaming and QoS)
  • 256GB RAM
  • 2 X 400GB SSD Enterprise Mainstream

Where is the bottleneck in the above specs? Sure enough, the network bandwidth: we have only an 8Gbps network pipe, no 10GbE nor RDMA NICs :(

In order to measure the Live Migration speeds between the different types of migration, I wrote a PowerShell script, inspired by what Ben (Hyper-V Program Manager) did in his TechEd demo, that does the following:

    • Configure the cluster to use 1 GbE team for Live Migration with TCP/IP
    • Live migrate a VM (time measured)
    • Configure the cluster to use 1 GbE team for Live Migration with Compression
    • Live migrate a VM (time measured)
    • Configure the cluster to use two 1 GbE NICs @ 2Gbps with SMB Multichannel Live Migration
    • Live migrate a VM (time measured)
    • Configure the cluster to use 1 GbE team for Live Migration with Compression again to Live Migrate the VM back to the original Node
    • Live migrate a VM (time measured)
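The author's script is not shown in the post, so here is an added example (my own code, not the author's) that runs the same four-step sequence: it sets the migration performance option on both nodes, live migrates the clustered VM, and returns the elapsed time for each run. It assumes a two-node cluster with nodes HV01 and HV02, a clustered VM named TestVM, and that the migration networks for each step (the 1 GbE team, or the two NICs for SMB Multichannel) are already configured.

```powershell
# Added example (not the author's script): time a live migration under each
# Live Migration performance option. Assumes nodes HV01/HV02, a clustered VM 'TestVM',
# and that the migration networks are already set up for each test.
function Measure-LiveMigration {
    param (
        [Parameter(Mandatory = $true)][string]$VMName,
        [Parameter(Mandatory = $true)][string]$SourceHost,
        [Parameter(Mandatory = $true)][string]$DestinationHost,
        [Parameter(Mandatory = $true)]
        [ValidateSet('TCPIP', 'Compression', 'SMB')]
        [string]$PerformanceOption
    )

    # The performance option is a per-host setting; both nodes must agree on it
    foreach ($node in $SourceHost, $DestinationHost) {
        Set-VMHost -ComputerName $node -VirtualMachineMigrationPerformanceOption $PerformanceOption
    }

    # Move the clustered role and time the whole migration
    $elapsed = Measure-Command {
        Move-ClusterVirtualMachineRole -Name $VMName -Node $DestinationHost -MigrationType Live | Out-Null
    }

    [pscustomobject]@{
        VM      = $VMName
        Option  = $PerformanceOption
        From    = $SourceHost
        To      = $DestinationHost
        Seconds = [math]::Round($elapsed.TotalSeconds, 1)
    }
}

# Same order as the post: TCP/IP, Compression, SMB, then Compression back to the original node
$results = @(
    Measure-LiveMigration -VMName 'TestVM' -SourceHost 'HV01' -DestinationHost 'HV02' -PerformanceOption TCPIP
    Measure-LiveMigration -VMName 'TestVM' -SourceHost 'HV02' -DestinationHost 'HV01' -PerformanceOption Compression
    Measure-LiveMigration -VMName 'TestVM' -SourceHost 'HV01' -DestinationHost 'HV02' -PerformanceOption SMB
    Measure-LiveMigration -VMName 'TestVM' -SourceHost 'HV02' -DestinationHost 'HV01' -PerformanceOption Compression
)
$results | Format-Table -AutoSize
```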

Let’s get started…

1- Live Migrating a Virtual Machine with 8GB static RAM from WS2012 R2 to WS2012 R2 with TCP/IP:

2- Live Migrating a Virtual Machine with 8GB static RAM from WS2012 R2 to WS2012 R2 with Compression

What is happening during the compression Live Migration?


3- Live Migrating a Virtual Machine with 8GB static RAM from WS2012 R2 to WS2012 R2 with SMB MultiChannel 2X1Gbps :)

What is happening during the SMB Live Migration?



What I observed during my tests:

  • TCP/IP: The network is used at about 95% of a 1 GbE NIC; the pipe is saturated during the migration, with low CPU utilization @ 2%.
  • Compression: The network is used at about 95% of a 1 GbE NIC; the pipe is saturated during the migration, but the CPU utilization is higher now (as expected) @ 25% to 33%. Remember that Live Migration will switch to TCP/IP if compression is competing for resources with the host and Virtual Machines.
  • SMB Multichannel: Nearly 2 Gbps network throughput over the two standard NICs. SMB is the future :)

And the time taken for each Live Migration?

Enjoy your weekend!



Posted in Hyper-V

Create a Logical Network in Virtual Machine Manager 2012 R2

Hello Folks,

The logical networks in System Center Virtual Machine Manager represent an abstraction of the underlying physical network infrastructure, so it’s important that your objects match the physical topology, such as the correct IP and VLAN configuration. A network site in a logical network doesn’t have to reflect an actual physical location but rather a specific set of network configurations, which helps you model the network based on business needs and connectivity properties.

Now, after you have defined the Logical Network, there is another network component in VMM known as VM Networks.

The Logical Network and VM Network have a parent and child relationship, because the goal of virtualization is to separate and abstract the logical networks from the VMs. This abstraction is achieved through the use of VM networks. When you use VM networks, the Virtual Machines have no idea of the underlying technology (e.g. VLANs, network virtualization) used by the logical network.

Confused?  :)   let’s summarize it before we move forward.

We have a parent and child relationship. The parent is effectively the Logical Network; in a normal configuration that parent has children, and those children are VLANs (in the usual wording, you have a VLAN as part of different types of networks). Now, in order to deliver those children back to Virtual Machines, VMM introduced a concept known as a VM Network (Virtual Machine Network). Each VM Network is essentially a new name for that child: you define the child as part of a Logical Network as a “Site”, then present it to Virtual Machines as a VM Network, effectively giving it a life of its own by calling it a VM Network.

Let’s now see, step by step, how to create a Logical Network…

1. Open the Virtual Machine Manager Console, and click Connect.

2. Select the Fabric workspace.

3. On the navigation pane, expand Networking, and click Logical Networks.


4. In the upper left hand corner of the ribbon navigation, click Create | Create Logical Network.


5. In the Create Logical Network Wizard window, in the Name page, type Contoso LAN in the Name field.

6. Ensure that the One connected network radio button is selected, check the boxes for Allow new VM networks created on this logical network to use network virtualization and Create a VM network with the same name to allow virtual machines to access this logical network directly, and then click Next.


7. On the Network Site page, under Network sites click Add.

8. Contoso LAN_0 populates automatically in the pane.  Under Host groups that can use this network site select All Hosts.

9. Under Associated VLANs and IP subnets click Insert row, type the network subnet settings, and then click Next:

  • VLAN: 0
  • IP subnet:


10. The Summary page, review the settings, and then click Finish.


11. Review the completed jobs in the Jobs window, and then close the window.

12. In the Logical Networks and IP Pools pane, right-click Contoso LAN, and click Create IP Pool.


13. In the Create Static IP Address Pool Wizard, on the Name page, type Contoso LAN IP Pool in the Name field, ensure that the Logical Network selected is Contoso LAN, and then click Next.


14. On the Network Site page, ensure that the Use an existing network site radio button is selected, and then click Next.


15. On the IP address range page, change the Starting IP address to and the Ending IP address to, and then click Next. This will give us 91 usable IP addresses.


16. On the Gateway page, click Insert, enter the gateway IP Address, and then click Next.


17. On the DNS page, next to DNS server addresses in the order of use, click Insert, and type as the DNS Server address.  Next to DNS search suffixes to append (in order), click Insert, and type contoso.com, and then click Next.


18. In case you still have WINS server in your environment :) enter it here or leave the entry blank, and click Next.


19. On the Summary page, review the settings, PowerShell Script, and then click Finish.


20. Review the completed jobs on the Jobs screen (all completed successfully), and then close the window. Here you go, we have created a Logical Network in VMM.
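The wizard's Summary page offers to show the PowerShell it will run; as an added example (my own script, not the one VMM generates), here is the same Logical Network, network site, VM network and static IP pool built with the VMM PowerShell module. The subnet, pool range, gateway and DNS server addresses are placeholders (TEST-NET-1, 192.0.2.0/24); the pool range .10 to .100 gives the 91 usable addresses mentioned in step 15.

```powershell
# Added example (not the script the VMM wizard generates): Contoso LAN built with
# the virtualmachinemanager module. Addresses below are placeholders; substitute your own.
Import-Module virtualmachinemanager

$subnet = '192.0.2.0/24'   # placeholder subnet (TEST-NET-1)
$vlanId = 0                # VLAN 0, as in step 9

# Steps 5-6: logical network, one connected network, network virtualization allowed
$logicalNetwork = New-SCLogicalNetwork -Name 'Contoso LAN' `
    -LogicalNetworkDefinitionIsolation $false `
    -EnableNetworkVirtualization $true -UseGRE $true -IsPVLAN $false

# Steps 7-9: network site Contoso LAN_0 for All Hosts with VLAN 0 and the subnet
$hostGroup   = Get-SCVMHostGroup -Name 'All Hosts'
$subnetVlan  = New-SCSubnetVLan -Subnet $subnet -VLanID $vlanId
$networkSite = New-SCLogicalNetworkDefinition -Name 'Contoso LAN_0' `
    -LogicalNetwork $logicalNetwork -VMHostGroup $hostGroup -SubnetVLan $subnetVlan

# Step 6 checkbox: VM network with the same name giving VMs direct access (no isolation)
$vmNetwork = New-SCVMNetwork -Name 'Contoso LAN' -LogicalNetwork $logicalNetwork -IsolationType 'NoIsolation'

# Steps 13-17: static IP pool with gateway, DNS server and search suffix (placeholders)
$gateway = New-SCDefaultGateway -IPAddress '192.0.2.1' -Automatic
$pool = New-SCStaticIPAddressPool -Name 'Contoso LAN IP Pool' `
    -LogicalNetworkDefinition $networkSite -Subnet $subnet `
    -IPAddressRangeStart '192.0.2.10' -IPAddressRangeEnd '192.0.2.100' `
    -DefaultGateway $gateway -DNSServer '192.0.2.2' `
    -DNSSuffix 'contoso.com' -DNSSearchSuffix 'contoso.com'

# Step 20: confirm what was created
Get-SCStaticIPAddressPool -Name 'Contoso LAN IP Pool' |
    Select-Object Name, Subnet, IPAddressRangeStart, IPAddressRangeEnd
```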

Enjoy your day!



Posted in Networking, System Center, Virtual Machine Manager

Isolate DPM Backup Traffic in Hyper-V

Hello folks,

As you know, backup is very critical when it comes to a virtualized environment.

In the traditional days, when you lost a server, you lost that particular server. With server virtualization it’s not just another server: if you lose that host, you lose your entire infrastructure of servers, and Hyper-V Cluster/Replica won’t protect you against data-corrupting malware, unforced user errors, misbehaving applications, and updates that go awry…

My favorite backup component is System Center Data Protection Manager (DPM)…

Yes, it’s true there are many modern products out there for Hyper-V and VMware, and their preferred color is green :), but DPM protects all my physical and virtual workloads, including SQL, user files, Hyper-V Item-level recovery (ILR), etc… it’s awesome!

Let’s jump into the challenging piece: how to isolate DPM backup traffic and protect our Virtual Machines in Hyper-V.

A backup network for Hyper-V is not listed as a requirement by Microsoft, but I strongly recommend isolating the backup traffic from the host Management OS. By leveraging the converged network in Hyper-V, combining multiple physical NICs with NIC teaming and QoS, we can isolate each type of network traffic while maintaining resiliency, as shown in the diagram below:

Now how can we force DPM and Hyper-V to use that Backup vNIC from the Management OS?

Let’s jump to our DPM server and list the backup network address using PowerShell:

PS C:\> Get-DPMBackupNetworkAddress


As you can see we don’t have any Backup Network set yet; by default DPM uses the production network address.

Given the following scenario:

DPM.DEMO.com server Backup Address =

DPM.DEMO.com server Production Address =

HV01.DEMO.com server Backup Address =

HV01.DEMO.com server Production Address =

First, the prerequisites for backup network functionality are as follows:

DNS resolution on DPM server for the Protected Hyper-V Server should be able to resolve the backup IP (

DNS resolution on SQL Server for the DPM Server should be able to resolve the backup IP (

This will also work using the Host file since most likely the backup network will not have a DNS Server.

1- Add the FQDN and Backup NIC’s IP address of the DPM Server to the protected Hyper-V server under C:\Windows\System32\drivers\etc\hosts file. This forces the protected Hyper-V Server to communicate with the DPM server over the backup NIC (DPM.DEMO.com

2- Add the FQDN and Backup NIC’s IP address of the protected Hyper-V Server to the DPM server under C:\Windows\System32\drivers\etc\hosts file. This forces the DPM server to communicate with the protected Hyper-V Server using the backup NIC (HV01.DEMO.com

Second, now that the Backup NIC is set, the backup subnet address and mask should be configured on the DPM Server through the Add-BackupNetworkAddress PowerShell cmdlet.

PS C:\> Add-BackupNetworkAddress -DpmServername DPM -Address -SequenceNumber 1

PS C:\> Add-BackupNetworkAddress -DpmServername DPM -Address -SequenceNumber 2


(Note that you also need to configure the production network as a second backup network, as a fallback and also for protected servers that are not configured with a backup network.)

Last, DPM Agents (DPM and Protected Servers) should be restarted to ensure that the backup network settings are in effect. (Stop any active backup jobs, then run net stop DPMRA / net start DPMRA on both DPM and Protected Server).
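As an added example (my own script, not from the post), here are the three steps above applied in one go: pin each side's FQDN to the peer's backup NIC in the hosts file, register the backup subnet first and the production subnet as the fallback, then restart the DPMRA agent on both sides. All addresses are placeholders; it assumes the DPM PowerShell module on the DPM server and WinRM access to both machines, and uses the DPM-prefixed cmdlet name (Add-DPMBackupNetworkAddress) that matches the Get-/Remove- forms used in the post.

```powershell
# Added example (not from the post): isolate DPM backup traffic onto the backup NIC.
# Placeholder addresses; assumes the DPM module on the DPM server and WinRM to both hosts.
$dpmServer   = 'DPM'
$dpmFqdn     = 'DPM.DEMO.com'
$hvFqdn      = 'HV01.DEMO.com'
$dpmBackupIP = '10.99.0.10'        # placeholder: DPM server backup NIC
$hvBackupIP  = '10.99.0.20'        # placeholder: Hyper-V host backup NIC
$backupNet   = '10.99.0.0/24'      # placeholder: backup subnet, tried first
$prodNet     = '10.1.0.0/24'       # placeholder: production subnet, fallback
$hostsPath   = 'C:\Windows\System32\drivers\etc\hosts'

function Add-HostsEntry {
    param ([string]$ComputerName, [string]$IPAddress, [string]$Fqdn)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param ($path, $ip, $name)
        # Add the pin only once; an existing line for the name is left alone
        $pattern = '\s' + [regex]::Escape($name) + '\s*$'
        if (-not (Select-String -Path $path -Pattern $pattern -Quiet)) {
            Add-Content -Path $path -Value "$ip`t$name"
        }
    } -ArgumentList $hostsPath, $IPAddress, $Fqdn
}

# First: each side resolves the other's FQDN to the backup NIC
Add-HostsEntry -ComputerName $hvFqdn  -IPAddress $dpmBackupIP -Fqdn $dpmFqdn
Add-HostsEntry -ComputerName $dpmFqdn -IPAddress $hvBackupIP  -Fqdn $hvFqdn

# Second: backup subnet at sequence 1, production subnet at sequence 2 as the fallback
Add-DPMBackupNetworkAddress -DPMServerName $dpmServer -Address $backupNet -SequenceNumber 1
Add-DPMBackupNetworkAddress -DPMServerName $dpmServer -Address $prodNet   -SequenceNumber 2

# Last: restart the DPM agent on both sides (equivalent of net stop/start DPMRA);
# stop any active backup jobs before running this
foreach ($computer in $dpmFqdn, $hvFqdn) {
    Invoke-Command -ComputerName $computer -ScriptBlock { Restart-Service -Name DPMRA -Force }
}

# Verify the order in which DPM will try the networks
Get-DPMBackupNetworkAddress -DPMServerName $dpmServer
```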


Now run the backup jobs and notice the backup traffic flow :)

Hyper-V Server:

DPM Server:

To list the configured backup networks use:

PS C:\> Get-DPMBackupNetworkAddress -DpmServername <DPM>

To Remove backup networks use:

PS C:\> Remove-DPMBackupNetworkAddress -DpmServername <DPM> -Address

For more information on how to improve performance with a backup network address, read this Microsoft article.

Last but not least, keeping the backup traffic off your production network gives you more bandwidth without having to wait for off-hours to back up your data. This does not mean you will not see potential performance issues while the servers are backed up, but the impact will be much less, especially when you isolate the backup traffic as described above and throttle the network bandwidth of your servers.


Until next time… Enjoy your day!


Posted in Data Protection Manager, System Center

TechEd 2014: Hyper-V Sessions!

Hello Virtualization lovers,

Here are TechEd 2014 Hyper-V Sessions, stay tuned :)

       Date                                     Title

  • May 14 5:00 PM – 6:15 PM DCIM-B217 How Windows Admins Manage Linux with Windows Server 2012 R2 Hyper-V and Microsoft System Center 2012 R2
  • May 15 2:45 PM – 4:00 PM DCIM-B219 Secure Design and Best Practices for Your Private Cloud
  • May 13 1:30 PM – 2:45 PM DCIM-B292 Cisco Technology Trifecta for Cloud OS
  • May 12 3:00 PM – 4:15 PM DCIM-B313 Best Practices for Virtualizing and Managing Microsoft SharePoint 2013 with Microsoft System Center 2012 R2 and Windows Server 2012 R2
  • May 12 1:15 PM – 2:30 PM DCIM-B314 Extend Datacenter Networking with Partner Solutions
  • May 12 1:15 PM – 2:30 PM DCIM-B319 Building a Backup Strategy for Your Private Cloud
  • May 12 4:45 PM – 6:00 PM DCIM-B322 Implementing Enterprise-Scale Disaster Recovery with Windows Azure Hyper-V Recovery Manager, Network Virtualization and Microsoft System Center 2012 R2
  • May 12 4:45 PM – 6:00 PM DCIM-B323 Building a Real-World Hybrid Cloud with Seamless Application Portability
  • May 14 10:15 AM – 11:30 AM DCIM-B331 Migrating to Hyper-V Using the Microsoft Virtual Machine Converter Tool
  • May 13 3:15 PM – 4:30 PM DCIM-B337 File Server Networking for a Private Cloud Storage Infrastructure in Windows Server 2012 R2
  • May 14 1:30 PM – 2:45 PM DCIM-B356 Running Linux and FreeBSD on Windows Server Hyper-V: What You Need to Know
  • May 14 3:15 PM – 4:30 PM DCIM-B360 Key Metric, Performance, and Capacity Monitoring Using Microsoft System Center 2012 R2 Operations Manager
  • May 15 8:30 AM – 9:45 AM DCIM-B364 Step-by-step to Deploying Microsoft SQL Server 2014 with Cluster Shared Volumes
  • May 15 8:30 AM – 9:45 AM DCIM-B365 Understanding Hyper-V Network Virtualization: Demo Extravaganza
  • May 15 2:45 PM – 4:00 PM DCIM-B373 How IPv6 Impacts Private Cloud Deployments
  • May 15 10:15 AM – 11:30 AM DCIM-B377 Building Disaster Recovery Plans for Microsoft Workloads and Applications with Hyper-V Recovery Manager and Desired State Configuration
  • May 12 4:45 PM – 6:00 PM DCIM-B378 Converged Networking for Windows Server 2012 R2 Hyper-V
  • May 14 5:00 PM – 6:15 PM DCIM-B380 What’s New in Windows Server 2012 R2 Hyper-V?
  • May 13 1:30 PM – 2:45 PM DCIM-B395 Building a Web-Scale Private Cloud (Without Losing Your Cool)
  • May 13 8:30 AM – 9:45 AM DCIM-B412 Effortless Migration from VMware to Windows Server 2012 R2 Hyper-V
  • May 15 1:00 PM – 2:15 PM DCIM-B421 Delivering Disaster Recovery Solutions Using Windows Server 2012 R2, Microsoft System Center 2012 R2 and Windows Azure
  • Date & Time not scheduled yet! DCIM-H201 Introduction to Microsoft Virtualization, Part 1: Host Management
  • Date & Time not scheduled yet! DCIM-H202 Introduction to Microsoft Virtualization, Part 2: Virtual Machine Management
  • Date & Time not scheduled yet! DCIM-H304 Constructing Your Private Cloud with Windows Server and Microsoft System Center, Part 1
  • Date & Time not scheduled yet! DCIM-H305 Constructing Your Private Cloud with Windows Server and Microsoft System Center, Part 2
  • Date & Time not scheduled yet! DCIM-H321 Windows Server 2012 R2: Introduction to Failover Clustering with Hyper-V
  • Date & Time not scheduled yet! DCIM-H322 Exploring Virtualization with Windows Server 2012 R2 Hyper V
  • May 14 3:15 PM – 4:30 PM DCIM-IL301-R Constructing Your Private Cloud with Windows Server and Microsoft System Center, Part 1 (repeated from May 13 at 3:15 pm)
  • May 15 8:30 AM – 9:45 AM DCIM-IL302 Constructing Your Private Cloud with Windows Server and Microsoft System Center, Part 2
  • May 13 10:15 AM – 11:30 AM DCIM-IL303-R Exploring Virtualization with Windows Server 2012 R2 Hyper V (repeated from May 12 at 4:45 pm)
  • May 14 1:30 PM – 2:45 PM DCIM-IL303-RR Exploring Virtualization with Windows Server 2012 R2 Hyper V (repeated from May 12 at 4:45 pm)
  • May 12 3:00 PM – 4:15 PM DCIM-IL308 Windows Server 2012 R2: Introduction to Failover Clustering with Hyper-V (repeats on May 13 at 1:30 pm)
  • May 13 1:30 PM – 2:45 PM DCIM-IL308-R Windows Server 2012 R2: Introduction to Failover Clustering with Hyper-V (repeated from May 12 at 3pm)
  • May 15 2:45 PM – 4:00 PM PCIT-B337 Advanced VDI Optimization
  • May 15 2:45 PM – 4:00 PM PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies
Posted in Hyper-V

Understanding Processor, NUMA, Core, Logical Processor and Virtual Processor in Hyper-V

  • The Processor or Socket is one physical processor, the one you can see on the motherboard, and it can consist of one or more NUMA nodes. A physical processor is the same as a socket, or a CPU.
  • Within the Processor, you have the NUMA nodes. A NUMA node is a set of logical processors that have cache or memory close to one another.
  • The NUMA node contains cores, and the core is the processing unit: it’s the physical core within the NUMA node.
  • You have surely heard about Hyper-Threading (HT): HT gives you Logical Processors, and a Logical Processor is not a physical processor. The LP is a thread; you can think of it as a logical computing engine.
  • Now we come to the virtualization layer. Inside the Virtual Machine you have virtual processors, and virtual processors are different from logical processors: they do not map 1 to 1 to a physical processor. The Virtual Processors get time slices, which are then scheduled by the hypervisor. Your VPs (Virtual Processors) can be scheduled on multiple LPs (Logical Processors) inside the Hyper-V host.
  • Processor, NUMA, Core, LP and VP

    Posted in Hyper-V

    There was an error during move operation: Data error (cyclic redundancy check) (0x80070017)

    Hello Folks,

    Let’s continue the migration project from Hyper-V 2012 to 2012 R2; if you didn’t read my previous posts, you can find them here: Post1 and Post2.

    It is a very simple migration process from a Hyper-V 2012 host to another Hyper-V 2012 R2 host using Cross-Version (Shared Nothing) Live Migration.

    Another issue that I came across while moving a particular VM was the following error: Data error (cyclic redundancy check) (0x80070017)!


    Hmmm, interesting: a data error for a specific Virtual Hard Disk.

    This Virtual Machine has two Virtual Hard Disks, one under IDE controller and the second one under SCSI controller:


    Let’s compare and check the report for any incompatibilities between Host A and Host B using the Compare-VM cmdlet.

    What does Compare-VM do? It is the PowerShell equivalent of the fix-up GUI wizard you can use before you register, import or move a Virtual Machine.

    You can read more about it here, explained in detail by Ben, the Hyper-V Program Manager.


    As you can see, a lovely error shows that the Virtual Hard Disk file was not found :) and the VM is still happily running on Host A.

    Let’s check the disk from inside the guest OS (VM):


    Try to move the VM again, but unfortunately still the same error:


    This Virtual Machine has a Dynamic Virtual Hard Disk; could it be broken?

    Let’s try to shrink and convert the Dynamic .vhdx to a Fixed virtual disk.




    Start the conversion, and here is another error (Failed to convert the virtual disk) with the same data error.


    What is left is to check the physical disk on the host where the Virtual Hard Disk is located:


    Ohhhh! Very interesting: we have bad sectors on the physical disk, as we can see for two different virtual machines.

    Attempt to move the VM again, and we succeeded this time :)


    So let’s finalize the migration for all Virtual Machines on that host before a freak bad sector strikes again or the hard drive fails.

    Hope this will help someone facing the same issue.

    Until next time… Enjoy your day!


    Posted in Hyper-V

    Monitor Your Hyper-V Server with Perfmon View

    Hello Folks,

    In today’s quick post, we will monitor our Hyper-V host using Perfmon.

    As you know, Performance Monitor (aka Perfmon) is a system monitoring program built into Windows since Windows NT; it has been developed over the years to include all application workloads.

    So let’s dig in and see how to monitor our Hyper-V host…

    Kick off an mmc console and choose Performance Monitor:


    Right click and +Add Counter


    Add the following counters:

    - Hyper-V Dynamic Memory Balancer\Available Memory *
    - Hyper-V Dynamic Memory VM\Average Pressure *
    - Hyper-V Hypervisor Logical Processor\%Total Run Time *
    - Hyper-V Hypervisor Root Virtual Processor\%Total Run Time *
    - Hyper-V Hypervisor Virtual Processor\%Total Run Time *
    - Hyper-V Virtual Network Adapter\Bytes/sec
    - Memory\Available MBytes *
    - Network Adapter\Bytes Total/sec *
    - Physical Disk\Avg. Disk Bytes/Read *
    - Physical Disk\Avg. Disk Bytes/Write *
    - Physical Disk\Avg. Disk Read Queue Length *
    - Physical Disk\Avg. Disk Write Queue Length *
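As an added example (my own code, not from the post), the same counters can be sampled from PowerShell with Get-Counter, which is handy for a scheduled check rather than a live Report view. The warning thresholds are assumptions for illustration, not Microsoft guidance; the counter paths use the Perfmon object names (the disk object is PhysicalDisk).

```powershell
# Added example (not from the post): sample the Perfmon counters listed above and flag
# readings that suggest CPU, memory or disk pressure. Thresholds are assumed values.
function Get-HyperVHealthSample {
    param (
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$SampleInterval = 5,
        [int]$MaxSamples = 6
    )

    $counters = @(
        '\Hyper-V Dynamic Memory Balancer(*)\Available Memory',
        '\Hyper-V Dynamic Memory VM(*)\Average Pressure',
        '\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time',
        '\Hyper-V Hypervisor Root Virtual Processor(_Total)\% Total Run Time',
        '\Hyper-V Hypervisor Virtual Processor(*)\% Total Run Time',
        '\Hyper-V Virtual Network Adapter(*)\Bytes/sec',
        '\Memory\Available MBytes',
        '\Network Adapter(*)\Bytes Total/sec',
        '\PhysicalDisk(*)\Avg. Disk Bytes/Read',
        '\PhysicalDisk(*)\Avg. Disk Bytes/Write',
        '\PhysicalDisk(*)\Avg. Disk Read Queue Length',
        '\PhysicalDisk(*)\Avg. Disk Write Queue Length'
    )

    # Assumed "greater than" warning thresholds, keyed by a substring of the counter path
    $thresholds = @{
        'Logical Processor(_Total)\% Total Run Time' = 85   # host CPU close to saturation
        'Average Pressure'                           = 100  # >100: VM wants more memory than it has
        'Disk Read Queue Length'                     = 2    # sustained queue depth hints at a disk bottleneck
        'Disk Write Queue Length'                    = 2
    }

    $samples = Get-Counter -ComputerName $ComputerName -Counter $counters `
                           -SampleInterval $SampleInterval -MaxSamples $MaxSamples `
                           -ErrorAction SilentlyContinue

    foreach ($set in $samples) {
        foreach ($s in $set.CounterSamples) {
            $limit = $null
            foreach ($key in $thresholds.Keys) {
                if ($s.Path -like "*$key*") { $limit = $thresholds[$key] }
            }
            [pscustomobject]@{
                Time    = $set.Timestamp
                Counter = $s.Path
                Value   = [math]::Round($s.CookedValue, 2)
                Warning = ($null -ne $limit -and $s.CookedValue -gt $limit)
            }
        }
    }
}

# Usage: Get-HyperVHealthSample | Where-Object Warning | Format-Table -AutoSize
```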


    Change the output from Line/Histogram bar to Report and enjoy the real-time monitoring.


    Don’t forget to save the counters as (Hyper-VMonitor.msc) so you can fire up the real-time monitoring counters at any time.

    Hope this has been useful.

    Until next time, enjoy your weekend!




    Posted in Hyper-V, Monitoring

    Hyper-V Virtual Switch Extended Port ACL’s In Action

    Hello Folks,

    In today’s post we will deep dive into Extended Port Access Lists in Hyper-V 2012/R2.

    For those who are new to this feature, a Port ACL is a rule that you can apply to a Hyper-V virtual switch (per VM or per virtual network adapter).
    The rule specifies whether a packet is allowed or denied on the way into or out of the VM. ACLs in Hyper-V 2012 have only three elements, with the following structure: Local or Remote Address | Direction | Action. This allows you to control traffic between VMs or between VMs and the physical world.

    In Hyper-V 2012 R2 the Hyper-V team extended that feature, and now you can configure port ACLs for a VM based on five attributes in a packet: Source IP, Destination IP, Protocol, Source Port, and Destination Port.
    For example, you can configure port ACLs for a VM to allow all incoming and outgoing HTTP traffic on port 80, while blocking the network traffic of all other protocols on all ports.

    Let’s see this networking feature in Action…

    Here is our scenario environment for this demo:

    HV Extended ACL

    Note: To configure port ACLs, we need to use PowerShell, folks. NO GUI :)

    So Let’s get started…

    First, we need to check the connectivity from all user machines (between the VMs and the external world) using the new SuperPing cmdlet…

    #From Account Users:



    The connection succeeded to both Virtual Machines as expected: the Account Server is a Web Server listening on port 80 and the RemoteApp Server is an RDS Session Host listening on port 3389…

    #From Front Desk Users:



    The connection is good from the Front Desk users subnet as well; sure enough, the RDS-RemoteAppSRV VM fails to connect on port 80 since it’s not a Web Server.

    Second, we need to check the connectivity between Virtual Machines on the same physical host…

    #From Account-AppSRV:


    #From RDS-RemoteAppSRV:


    As you can see, the connectivity is True between the two VMs as well.

    Based on our scenario described above, here are the security policies that we need to enforce:

    Rule #1:

    • The Account Users must be able to access the Account WebServer using HTTP only
    • The Account Users must not be able to access the RemoteApp Server at all

    Rule #2:

    • The Front Desk Users must be able to access the RemoteApp Server using RDP only
    • The Front Desk Users must not be able to access the Account WebServer at all

    Rule #3:

    • The Account Server must not be able to access the RemoteApp Server using the RDP protocol, and vice versa
    • The RemoteApp Server must not be able to access the Account WebServer using HTTP

    So let’s start applying those security policies and see the results…

    Here we are on our Hyper-V box:

    First, we need to check if we have any pre-existing access rule applied:


    No Rules….

    If you are a networking or Cisco guy, this might look familiar to you, kind of like a PowerShell version of an ACL command line :)

    1- Add-VMNetworkAdapterExtendedAcl -VMName "ACCOUNT-APPSRV" -Action "Deny" -Direction "Inbound" -Weight 1

    2- Add-VMNetworkAdapterExtendedAcl -VMName "RDS-RemoteAppSRV" -Action "Deny" -Direction "Inbound" -Weight 1

    3- Add-VMNetworkAdapterExtendedAcl -VMName "ACCOUNT-APPSRV" -Action "Allow" -Direction "Inbound" -RemoteIPAddress -Weight 20

    4- Add-VMNetworkAdapterExtendedAcl -VMName "ACCOUNT-APPSRV" -Action "Allow" -Direction "Inbound" -RemoteIPAddress -Weight 30

    5- Add-VMNetworkAdapterExtendedAcl -VMName "ACCOUNT-APPSRV" -Action "Allow" -Direction "Inbound" -RemoteIPAddress -Weight 40

    6- Add-VMNetworkAdapterExtendedAcl -VMName "RDS-RemoteAppSRV" -Action "Allow" -Direction "Inbound" -RemoteIPAddress -Weight 20

    7- Add-VMNetworkAdapterExtendedAcl -VMName "RDS-RemoteAppSRV" -Action "Allow" -Direction "Inbound" -RemoteIPAddress -Weight 30

    8- Add-VMNetworkAdapterExtendedAcl -VMName "RDS-RemoteAppSRV" -Action "Allow" -Direction "Inbound" -RemoteIPAddress -Weight 40

    9- Add-VMNetworkAdapterExtendedAcl -VMName "ACCOUNT-APPSRV" -Action "Allow" -Direction "Inbound" -RemoteIPAddress -LocalPort 80 -Protocol "TCP" -Weight 100 -Stateful $True

    10- Add-VMNetworkAdapterExtendedAcl -VMName "RDS-RemoteAppSRV" -Action "Allow" -Direction "Inbound" -RemoteIPAddress -LocalPort 3389 -Protocol "TCP" -Weight 100 -Stateful $True

    Let’s explain the above commands in a nutshell.

    The Add-VMNetworkAdapterExtendedAcl cmdlet creates an extended access control list (ACL) for a VM virtual network adapter. The ACL allows or denies access to a virtual machine network adapter for network packets based on source IP address, destination IP address, protocol, source port, and destination port.

    The first two commands deny all inbound traffic for both VMs. The third to eighth rules allow traffic between the Virtual Machines and our DNS Server/Gateway, in order to communicate with our Active Directory and to route between the different subnets as well.

    Notice that all commands have a weight number and the last command has a weight of 100. Commands with higher weight take precedence (a weight of 100 takes precedence over a weight of 40, 30, 20 and 1).

    The last two rules allow the Account Users subnet to connect to the Account-AppSRV VM using the HTTP protocol, and allow the Front Desk Users to connect to the RDS-RemoteAppSRV VM using the RDP protocol.

    Note: If we are applying the rule in the Outbound direction, we need to use RemotePort instead of LocalPort.
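Once a rule set like the one above is in place, the thing that goes wrong in practice is a VM that never got its default deny, or an allow rule whose weight ends up below a deny. As an added example (my own code, not from the post), here is an audit function that walks every VM on the host and reports those two conditions, plus how many allow rules are stateful. It assumes the property names that Get-VMNetworkAdapterExtendedAcl returns (Direction, Action, LocalIPAddress, RemoteIPAddress, LocalPort, RemotePort, Weight, Stateful).

```powershell
# Added example (not from the post): audit the extended ACL baseline of every VM on a host.
# Flags VMs with no inbound default deny and allow rules outweighed by a deny rule.
function Test-VMExtendedAclBaseline {
    param ([string]$ComputerName = 'localhost')

    foreach ($vm in Get-VM -ComputerName $ComputerName) {
        $acls = @(Get-VMNetworkAdapterExtendedAcl -VMName $vm.Name -ComputerName $ComputerName)

        # Default deny = an inbound Deny rule with no address or port qualifiers (rules 1 and 2 above)
        $defaultDeny = $acls | Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Action -eq 'Deny' -and
            -not $_.RemoteIPAddress -and -not $_.LocalIPAddress -and
            -not $_.LocalPort -and -not $_.RemotePort
        }

        # Allow rules shadowed by a deny of equal or higher weight (higher weight wins)
        $maxDenyWeight = ($acls | Where-Object { $_.Action -eq 'Deny' } |
                          Measure-Object -Property Weight -Maximum).Maximum
        $shadowed = @($acls | Where-Object {
            $_.Action -eq 'Allow' -and $maxDenyWeight -and $_.Weight -le $maxDenyWeight
        })

        $statefulAllows = @($acls | Where-Object { $_.Action -eq 'Allow' -and $_.Stateful }).Count

        if (-not $defaultDeny)      { $finding = 'No inbound default deny' }
        elseif ($shadowed.Count)    { $finding = 'Allow rule(s) outweighed by a deny' }
        else                        { $finding = 'Baseline OK' }

        [pscustomobject]@{
            VM             = $vm.Name
            RuleCount      = $acls.Count
            HasDefaultDeny = [bool]$defaultDeny
            StatefulAllows = $statefulAllows
            ShadowedAllows = $shadowed.Count
            Finding        = $finding
        }
    }
}

# Usage: Test-VMExtendedAclBaseline | Format-Table -AutoSize
```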

    Let’s now check the connectivity after applying the above rules:

    #From Account Users:



    As you can see, the Account Users are able to access the Account Web Server using HTTP but nothing else, and they cannot reach the RDS RemoteApp server either.

    #From Front Desk Users:



    Here the Front Desk users are not able to reach the Account Web Server, but they can connect to the RDS RemoteApp server, and only that.

    #From Account-AppSRV:


    No connectivity between the Account-AppSRV and the RDS-RemoteAppSRV as expected :)

    #From RDS-RemoteAppSRV:


    No connectivity from the RDS-RemoteAppSRV to the Account-AppSRV either… Bingo!

    The other piece that we have with Extended ACLs is Stateful support, like a stateful firewall.

    That is, when the switch sees an inbound connection coming in on port 80, it watches that connection and automatically opens the return path for the source port on the other side, just for the period of time needed to communicate through that inbound session.

    We can associate timeouts with that Stateful session as well, so after a certain period of time the Stateful connection is closed, using the -Timeout flag with a value defined in seconds.

    Here you can read more on Microsoft TechNet about Extended Port Access Control Lists in Hyper-V 2012 R2.

    As of now, the Hyper-V Extensible Switch cannot do traffic inspection of the payload; that’s where the big role of the Extensible Virtual Switch comes into play, with partners such as Cisco Nexus 1000V, NEC or 5nine…

    Until next time… Enjoy your Weekend!



    Posted in Hyper-V, Network

    5nine Cloud Security 4.0 NEW for Hyper-V Released

    #1 Agentless Security and Compliance Solution for Hyper-V

    5nine Cloud Security for Hyper-V is the first and only agentless complete security and compliance solution built specifically for the Microsoft Cloud OS and Hyper-V, utilizing the extensibility of the Hyper-V switch. It allows users to:

    • Secure multi-tenant Hyper-V environments and provide VM isolation
    • Protect Hyper-V with fast, agentless antivirus
    • Enforce PCI-DSS, HIPAA and Sarbanes-Oxley compliance
    • And more.

    Multi-layered protection is provided, with an integrated firewall, antivirus and Intrusion Detection System (IDS). The agentless firewall ensures complete traffic control and isolation between VMs. The antivirus performs incremental scans up to 50x faster and the IDS proactively detects malicious attacks.


    1- Secure multi-tenant Hyper-V environment

    Whether you are a hosting provider or a business, rest assured that multiple tenants in your virtual network have access to all required resources, all while being absolutely isolated and protected from each other.

    2- Provide Hyper-V VM isolation

    With the Hyper-V environment, the system faces new types of security threats. 5nine Cloud Security allows you to protect your virtual machines from any internal and/or external network security breach.

    3- Protect Hyper-V with agentless antivirus

    5nine Cloud Security provides unique agentless antivirus technology for Hyper-V that allows saving CPU resources and increasing VM density by up to 30%. As a result, it leads to a reduction of capital expenditure on physical infrastructure.

    4- Enforce Hyper-V compliance

    5nine Cloud Security will provide the required level of protection for all Hyper-V networks in order to be compliant with PCI-DSS, HIPAA or Sarbanes-Oxley security standards.

    5- And more

    Would you like to know more about powerful security and compliance instruments of 5nine Cloud Security for Hyper-V? Then feel free to proceed to the Trial Edition.

    Posted in Hyper-V, Security
