
Failover Clustering

Deploying Network Load Balancing (NLB) and Virtual Machines on Windows Server 2008 R2

John Marlin
Former Employee
Mar 15, 2019
First published on MSDN on Jul 01, 2010

When running NLB in a Virtual Machine (VM) guest on Windows Server 2008 R2 Hyper-V, you need to be aware of some specific configuration settings on the Hyper-V host prior to configuring NLB.





In Hyper-V, the VM host prevents dynamic MAC address updates as an extra layer of security in the datacenter. This is because the VM may have full administrator rights, yet it may be untrusted in the datacenter, for example when the VM hosting is provided by an independent hosting company. In this scenario, we need to make sure that one VM cannot cause a denial-of-service (DoS) or information disclosure attack against another VM. If a VM is able to spoof its MAC address, then it can spoof the MAC addresses of other VMs and impact other VMs on that host. Physical switches have similar protections, and it is up to the admin whether to enable them.





If you do not enable spoofing of MAC addresses prior to configuring NLB on the VM, you could potentially have problems with the NLB cluster.





When configuring NLB in unicast mode on Hyper-V with "Enable spoofing of MAC Address" disabled, you may see some of the following symptoms:

• When initially configuring NLB, you will lose network connectivity on the network adapter NLB was configured on.

• There will be an NLB error event in the Windows Event Log stating that the network adapter does not support dynamic MAC address updates.

• After rebooting the server, NLB will appear to be bound to the network adapter, but the cluster VIP will not have been added to the network adapter.

• The cluster MAC address will still be the original MAC address associated with the network adapter prior to configuring NLB. Run ipconfig /all at a command prompt to view the MAC address. The NLB cluster MAC address should start with "02-BF-***".

• If you ignore all previous symptoms and manually add the VIP, you could get an IP conflict if there are other nodes in the cluster that have the same VIP.




With that said, to allow VM guests to run NLB you need to set the VM property for "Enable spoofing of MAC Address".





To enable spoofing of MAC addresses, open the Hyper-V management console. Make sure the VM is stopped, then open the properties of the VM. Select the Network Adapter for the NLB VM, check "Enable spoofing of MAC Address", and click OK. Then start the VM.
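On hosts that have the Hyper-V PowerShell module (Windows Server 2012 and later; it is not available on the Windows Server 2008 R2 hosts this post describes), the same setting can be audited across the host and enabled only on the NLB adapters. This is an added example, not part of the original post; the VM names and adapter name are constructed placeholders.

```powershell
#Requires -Modules Hyper-V
# Added example: audit MAC address spoofing on a Hyper-V host and enable it
# only on the adapters of declared NLB nodes. All default values are placeholders.
param(
    [string[]]$NlbVmNames     = @('NLB-NODE1', 'NLB-NODE2'),  # constructed sample VM names
    [string]  $NlbAdapterName = 'Network Adapter',            # assumed adapter name
    [switch]  $Enable                                         # without this, report only
)

# 1. Audit every adapter on the host. Spoofing relaxes the host's isolation
#    between VMs, so flag any adapter where it is on for a non-NLB VM.
$report = foreach ($vm in Get-VM) {
    foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
        $isNlb = $NlbVmNames -contains $vm.Name
        [pscustomobject]@{
            VMName     = $vm.Name
            Adapter    = $nic.Name
            Switch     = $nic.SwitchName
            Spoofing   = $nic.MacAddressSpoofing
            IsNlbNode  = $isNlb
            Unexpected = ($nic.MacAddressSpoofing -eq 'On') -and (-not $isNlb)
        }
    }
}
$report | Sort-Object VMName, Adapter | Format-Table -AutoSize

# 2. Optionally enable spoofing on the NLB adapter of each declared node.
#    Following the post's procedure, the VM must be stopped first.
if ($Enable) {
    foreach ($name in $NlbVmNames) {
        $vm = Get-VM -Name $name -ErrorAction SilentlyContinue
        if (-not $vm) {
            Write-Warning "VM '$name' was not found on this host."
            continue
        }
        if ($vm.State -ne 'Off') {
            Write-Warning "VM '$name' is $($vm.State); stop it before changing the adapter."
            continue
        }
        Get-VMNetworkAdapter -VM $vm -Name $NlbAdapterName |
            Where-Object { $_.MacAddressSpoofing -ne 'On' } |
            Set-VMNetworkAdapter -MacAddressSpoofing On
        Start-VM -VM $vm
    }
}
```

Run it without -Enable first and review any row where Unexpected is True before changing anything.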







Thanks,
Gary Jackman
Software Test Engineer
Clustering & High-Availability
Microsoft

Updated Mar 15, 2019
Version 2.0

1 Comment

    MamunAhmed
    Copper Contributor

    Excellent explanation.

    I was aware of this situation and how to fix it but I put out this challenge to one of my engineers as we use NLB in our environment (don't ask me why on earth we are on production) and he was struggling to figure out why NLB was not working in our HyperV setup using Server 2016 Datacenter.
    Thank you Gary for explaining as he was able to get it working with your guidance.