forwarding (VEPA) and proprietary network fabrics
Firewall/intrusion detection | Filtering and modifying TCP/IP packets, monitoring or authorizing connections, filtering IPsec-protected traffic, and filtering RPCs | Virtual firewall and connection monitoring | WFP callout driver
Multiple extensions can be enabled on a virtual switch, and the extensions are
leveraged for both ingress (inbound) and egress (outbound) traffic. One big change
from Windows Server 2012 is that in Windows Server 2012 R2, the Hyper-V Network
Virtualization (HNV) module is moved into the virtual switch instead of being
external to the virtual switch. This enables switch extensions to inspect both the
provider and customer headers and therefore work with network virtualization. (You’ll
learn more on this later, but for now: the provider header is the packet that enables
Network Virtualization to function across physical networks, and the customer header
is the IP traffic that virtual machines in a virtual network see.) The move of the
Network Virtualization module also enables third-party forwarding extensions such as
the Cisco Nexus 1000V to work with Network Virtualization, which wasn’t the case in
Windows Server 2012. And yes, Cisco has a Nexus 1000V for Hyper-V that works with
the Hyper-V switch instead of completely replacing it. This is important because many
organizations use Cisco networking solutions, and the Nexus 1000V enables unified
management of both the physical and virtual network environment through the Cisco
network management toolset.
The Windows Server 2012 R2 extensible switch also supports hybrid forwarding,
which allows packets to be forwarded to various forwarding agents based on the
packet type. For example, suppose the Cisco Nexus 1000V extension (a forwarding
agent) is installed. With hybrid forwarding, if network virtualization traffic is sent
through the switch, it would first go through the HNV module and then to the
forwarding agent, the Nexus 1000V. If the traffic were not network virtualization
traffic, the HNV module would be bypassed and the traffic sent straight to the Nexus
1000V.
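
Because every enabled extension sits inline on both ingress and egress traffic, it is worth checking which extensions are bound to each virtual switch. The following PowerShell is an added example, not taken from the book; it assumes the Hyper-V PowerShell module on the host and an elevated session, and the `$Approved` allowlist is a constructed sample to be replaced with your own standard.

```powershell
# Added example: inventory the extensions bound to every Hyper-V virtual switch
# and flag enabled extensions that are not on an approved list.
# $Approved is a constructed allowlist (assumption); adjust it to your build standard.
$Approved = @(
    'Microsoft Windows Filtering Platform',
    'Microsoft NDIS Capture'
)

$report = foreach ($sw in Get-VMSwitch) {
    foreach ($ext in Get-VMSwitchExtension -VMSwitchName $sw.Name) {
        $findings = @()

        # An enabled extension sees (and may modify or drop) all switch traffic.
        if ($ext.Enabled -and $ext.Name -notin $Approved) {
            $findings += 'enabled but not on allowlist'
        }
        # Enabled but not running means the expected inspection is not happening.
        if ($ext.Enabled -and -not $ext.Running) {
            $findings += 'enabled but not running'
        }

        [pscustomobject]@{
            Switch    = $sw.Name
            Extension = $ext.Name
            Vendor    = $ext.Vendor
            Version   = $ext.Version
            Type      = $ext.ExtensionType
            Enabled   = $ext.Enabled
            Running   = $ext.Running
            Findings  = $findings -join '; '
        }
    }
}

# Full inventory, then only the rows that need attention.
$report | Sort-Object Switch, Type | Format-Table -AutoSize
$report | Where-Object Findings | Format-Table Switch, Extension, Vendor, Findings -AutoSize
```
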
Figure 3.3 best shows the extensible switch and the way that traffic flows through the
extensions. Notice that the traffic flows completely through all layers of the switch
twice: once inbound into the switch (which could be from a VM or from external
sources) and once outbound from the switch (which could be to a VM or to an
external source).