Mark Minasi's Tech Forum
Page 2 of 2
cj_berlin | Senior Member | Posts: 300 | #16
Quote, originally posted by Michael Pietrzak:

    Wow, thank you everyone for all the great info! I am reading up on Hyper-V networking now....

    My boss and I have a meeting with the security officer next week.

    My final question is, if you don't mind...

    What can you do "upstream", so to speak, that would allow traffic on the pNIC but deny traffic originating from the source guest that is configured to use a virtual switch bound to that pNIC?

    Is he firewalling the pNIC in some fashion?

Michael,

Once a pNIC is bound to a vSwitch, there is no more traffic on that pNIC except from vNICs. Those are either bound to a VM and get MAC addresses from the pool, or they are bound to the Management OS and inherit the MAC from the pNIC.

So he can say to the upstream switch 'only this one MAC may send or receive on this port', upon which your VM cannot communicate over that pNIC. But he cannot prevent VMs on the same vSwitch from communicating with each other.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
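The mapping described in the post above (pNIC bound to a vSwitch, VM vNICs with pool MACs, Management OS vNIC inheriting the pNIC's MAC) can be read straight off the host. The script below is an added example, not part of the forum post or any Microsoft sample; it assumes the Hyper-V PowerShell module is installed and is run elevated on the host. For every external vSwitch it prints the bound pNIC and every vNIC whose frames will leave through that physical port, which is exactly the list of MACs an upstream "only this MAC on this port" rule would have to allow.

```powershell
# Added example (not from the forum post). Run elevated on the Hyper-V host.
# Lists, per external vSwitch, the bound pNIC and every vNIC that shares its
# physical port, with the origin of each MAC address.

function ConvertTo-PlainMac([string]$Mac) {
    # Get-NetAdapter prints 00-15-5D-AA-BB-CC, Get-VMNetworkAdapter prints 00155DAABBCC;
    # normalise both to 12 upper-case hex digits so they can be compared.
    return ($Mac -replace '[-:]', '').ToUpperInvariant()
}

$vmHost = Get-VMHost
"Dynamic MAC pool on this host: {0} .. {1}" -f $vmHost.MacAddressMinimum, $vmHost.MacAddressMaximum

foreach ($sw in Get-VMSwitch -SwitchType External) {
    # The physical adapter this switch is bound to. Its MAC is the one a
    # Management OS vNIC on this switch inherits.
    $pnic    = Get-NetAdapter -InterfaceDescription $sw.NetAdapterInterfaceDescription
    $pnicMac = ConvertTo-PlainMac $pnic.MacAddress
    ""
    "vSwitch '{0}' -> pNIC '{1}' (MAC {2}, AllowManagementOS={3})" -f `
        $sw.Name, $pnic.Name, $pnicMac, $sw.AllowManagementOS

    # -All returns VM adapters and Management OS adapters in one list
    Get-VMNetworkAdapter -All | Where-Object SwitchName -eq $sw.Name | ForEach-Object {
        $mac   = ConvertTo-PlainMac $_.MacAddress
        $owner = if ($_.IsManagementOs) { 'Management OS' } else { "VM '$($_.VMName)'" }
        $source = if ($_.IsManagementOs -and $mac -eq $pnicMac) { 'inherited from pNIC' }
                  elseif ($mac -eq '000000000000')              { 'dynamic, assigned from pool at first start' }
                  elseif ($_.DynamicMacAddressEnabled)          { 'dynamic, from pool' }
                  else                                          { 'static' }
        "  {0,-28} {1}  ({2})" -f $owner, $mac, $source
    }
}
```

A VM that has never been started and uses a dynamic MAC shows all zeros until Hyper-V assigns one from the pool, so run this after the VMs have been powered on at least once if the list is meant to feed a port-security configuration.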
Michael Pietrzak | New Friend (or an Old Friend who Built a New Account) | Posts: 56 | #17
Hmmmm, so this is confusing. I originally had the pNIC and the guest NIC configured with the same IP, subnet and gateway. The vSwitch was set up to use this pNIC.

I could never get the guest to reach any network resources (or get to the internet) and there was the yellow exclamation point next to the NIC icon in the OS.

But when I would open my browser and try Google or any other website, the security guy said he could see the traffic.

If a pNIC and virtual NIC cannot have the same IP info, how could he see the traffic?

cj_berlin | Senior Member | Posts: 300 | #18
Michael,

you are most definitely confusing the pNIC and the vNIC bound to the Management OS. Here's one of my lab servers:

[screenshot: hvnic1.png]

On the pNIC, TCP/IP is unbound:

[screenshot: hvnic2.png]

If you try to configure it (check the box and click Properties) you get:

[screenshot: hvnic3.png]

On the vNIC bound to the Management OS, you can configure whatever you like in terms of TCP/IP, but it's still virtual.

If, however, you give the Management OS and a VM the same IP address, you have the same situation as if you give two physical computers on the same LAN the same IP address: only one can communicate, and you cannot predict with certainty which one it will be.


Michael Pietrzak | New Friend (or an Old Friend who Built a New Account) | Posts: 56 | #19
Okay great. I have a dedicated pNIC for the OS, but I also had that "use for management" check box on the pNICs (vSwitch) reserved for the guests. I will follow your setup. It's a 30 minute walk one way across campus so my reply may take a bit.

Thanks!!
cj_berlin | Senior Member | Posts: 300 | #20
Michael,

you shouldn't 'follow my setup', as that tiny server only has one NIC, so I had no choice but to use it for VM traffic AND management.

You should uncheck 'share this NIC with management' on all vSwitches except the one where your management pNIC is bound. If you didn't bind the management pNIC to a vSwitch, it would be all external vSwitches ;-)

Michael Pietrzak | New Friend (or an Old Friend who Built a New Account) | Posts: 56 | #21
Right, I was using your example to double check my work....

Soooo, more confusion...

In a previous post you said that when the vSwitch is bound to the pNIC, all traffic for that pNIC stops and is turned over to the vSwitch and any guests using it.

But I was able to RDP into my server on the pNIC that is bound to my vSwitch. The check box "Allow management operating system to share...." is NOT checked.

I confirmed that I could telnet on 3389 and connect to it via RDP. I thought I shouldn't be able to, since the vSwitch takes over?
cj_berlin | Senior Member | Posts: 300 | #22
How do you know it was the pNIC? Which NIC carries the IP you were using to connect? Has ARP caught on and does it resolve the correct MAC to the IP?

And no, I didn't say the traffic stops, only that it doesn't originate on the pNIC itself but rather on a vNIC bound to the same vSwitch.

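The two questions in the reply above ("which NIC carries the IP you were using?" and "does ARP resolve the correct MAC for it?") can each be answered with a short check. The script below is an added example and not part of the forum thread; the address in `$HostIp` is a placeholder from the RFC 5737 documentation range, to be replaced by the server IP that was used for the RDP session. The first function runs on the Hyper-V host and reports whether the owning adapter is a physical NIC or a Hyper-V vNIC; the second runs on the client that connected and reports what its ARP cache actually resolved. If the two MACs match, the adapter the host names is the one answering on the wire.

```powershell
# Added example (not from the forum). Assumes the Hyper-V module on the host
# and the NetTCPIP module (built in) on both machines.

$HostIp = '192.0.2.10'   # assumption: documentation address, substitute the real server IP

# --- Run on the Hyper-V host: which adapter owns the IP, physical or virtual? ---
function Get-IpOwnerAdapter([string]$IPAddress) {
    $ip = Get-NetIPAddress -IPAddress $IPAddress -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $ip) { return "No interface on this host holds $IPAddress" }

    $nic  = Get-NetAdapter -InterfaceIndex $ip.InterfaceIndex
    # Hyper-V host vNICs appear as 'vEthernet (<switch name>)' with Virtual = True
    $kind = if ($nic.Virtual) { 'virtual adapter (vNIC)' } else { 'physical adapter (pNIC)' }
    $msg  = "{0} is held by '{1}', a {2}, MAC {3}" -f $IPAddress, $nic.Name, $kind, $nic.MacAddress

    # A pNIC that is bound to an external vSwitch should not carry TCP/IP at all
    $sw = Get-VMSwitch -SwitchType External |
          Where-Object NetAdapterInterfaceDescription -eq $nic.InterfaceDescription
    if ($sw) { $msg += "`n  WARNING: this pNIC is bound to vSwitch '$($sw.Name)'; TCP/IP on it should be unbound" }
    return $msg
}

# --- Run on the RDP client: what MAC did ARP learn for that IP? ---
function Get-ArpMapping([string]$IPAddress) {
    # Populate the neighbour cache first, then read what ARP resolved
    $null = Test-Connection -ComputerName $IPAddress -Count 1 -ErrorAction SilentlyContinue
    $nb = Get-NetNeighbor -IPAddress $IPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          Where-Object { $_.State -ne 'Unreachable' } | Select-Object -First 1
    if ($nb) { return "ARP on this client: {0} -> {1} ({2})" -f $IPAddress, $nb.LinkLayerAddress, $nb.State }
    return "No ARP entry for $IPAddress; if the server is on another subnet, only the gateway's MAC is visible here"
}

Get-IpOwnerAdapter -IPAddress $HostIp   # on the host
Get-ArpMapping     -IPAddress $HostIp   # on the client
```

Because a host vNIC that shares a switch with the Management OS inherits the pNIC's MAC, the client-side ARP entry alone cannot distinguish "pNIC" from "vNIC bound to that pNIC"; the host-side check is what settles it.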
Michael Pietrzak | New Friend (or an Old Friend who Built a New Account) | Posts: 56 | #23
Sorry all, I really had to step away from the project for a bit and read up, take a deep breath, and work on some other projects for a bit.

I removed the server from the campus server room that was seemingly causing the issues and moved it back to my department's server room, and after addressing everything, I am good.

Sadly, I am now receiving "sconfig.vbs(762, 21) SWbemObjectEx: Invalid Index" when I try to make any changes. I read some articles that stated (696, 21) was related to disabling IPv6, but I have not found anything for that error code.

Ugh. Might just reinstall Windows in a day or two.
Michael Pietrzak | New Friend (or an Old Friend who Built a New Account) | Posts: 56 | #24
If anyone reads this...quick question. I am trying to figure out if my 2016 Server Core OS is broken or if this is by design...

After creating a vSwitch on the host and binding it to the second pNIC (and configuring the guest to use this vSwitch)...should the host OS also simultaneously have created a virtual NIC?

I did NOT mark this vSwitch to "allow management OS to use this connection".

I am watching some videos and they all show a virtual ethernet adapter that is only using (bonded to) the "Hyper-V Extensible Virtual Switch" and everything else is unchecked.

When I run Get-AdapterBindings, I do not see a virtual NIC.
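Posts #20 and #24 both turn on the same setting: whether a vSwitch shares its pNIC with the Management OS. The script below is an added example, not code from the forum or from Microsoft. It assumes the management pNIC is named `MGMT` (an assumption; adjust the variable) and applies the rule from post #20: every external vSwitch that is not bound to the management pNIC gets `AllowManagementOS` turned off, which is the PowerShell equivalent of unchecking "Allow management operating system to share this network adapter". It then verifies the two facts the thread describes: on a switch-bound pNIC only the Hyper-V Extensible Virtual Switch protocol stays bound and TCP/IP is unbound (post #18), and a host-side `vEthernet (<switch>)` adapter exists only for switches that still share with the Management OS, so a VM-only switch creating none is expected (post #24).

```powershell
# Added example (not from the forum). Run elevated on the Hyper-V host.
# Assumption: the management pNIC is called 'MGMT'; every other external
# vSwitch is meant to carry VM traffic only.

$managementPnic = 'MGMT'   # assumption: change to your management adapter's name

function Get-SwitchPnic($Switch) {
    # The physical adapter an external vSwitch is bound to
    Get-NetAdapter -InterfaceDescription $Switch.NetAdapterInterfaceDescription
}

# 1. Remove the Management OS vNIC from every VM-only vSwitch
foreach ($sw in Get-VMSwitch -SwitchType External) {
    $pnic = Get-SwitchPnic $sw
    if ($pnic.Name -ne $managementPnic -and $sw.AllowManagementOS) {
        Set-VMSwitch -Name $sw.Name -AllowManagementOS $false
        "Removed Management OS vNIC from vSwitch '$($sw.Name)' (pNIC '$($pnic.Name)')"
    }
}

# 2. Verify bindings on each switch-bound pNIC: vms_pp (Hyper-V Extensible
#    Virtual Switch) enabled, ms_tcpip / ms_tcpip6 (IPv4 / IPv6) disabled.
foreach ($sw in Get-VMSwitch -SwitchType External) {
    $pnic = Get-SwitchPnic $sw
    "Bindings on pNIC '$($pnic.Name)' (vSwitch '$($sw.Name)'):"
    Get-NetAdapterBinding -Name $pnic.Name -ComponentID ms_tcpip, ms_tcpip6, vms_pp |
        Select-Object ComponentID, DisplayName, Enabled | Format-Table -AutoSize
}

# 3. Verify host vNICs: one 'vEthernet (<switch>)' adapter per switch that
#    still shares with the Management OS, none for VM-only switches.
foreach ($sw in Get-VMSwitch -SwitchType External) {
    $hostVnics = @(Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq $sw.Name)
    "{0,-24} AllowManagementOS={1,-5} host vNICs={2}" -f $sw.Name, $sw.AllowManagementOS, $hostVnics.Count
}
Get-NetAdapter | Where-Object Name -like 'vEthernet*' |
    Select-Object Name, InterfaceDescription, MacAddress, Status | Format-Table -AutoSize
```

If the management pNIC itself is bound to a vSwitch, that switch keeps `AllowManagementOS` on and its `vEthernet (<switch>)` adapter is where the host's IP configuration belongs; the pNIC underneath it will show TCP/IP unbound just like the VM-only ones.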