UPDATE: For the latest information on deploying Network Controller using VMM 2016, please see Deploy a Software Defined Network infrastructure using VMM in TechNet.
This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview 4. In particular, it focuses on using System Center Virtual Machine Manager (VMM) 2016 Technical Preview 4 to deploy Network Controller, a new feature in Windows Server 2016. Network Controller is a scalable and highly available server role that lets you automate the configuration of network infrastructure instead of configuring network devices by hand.
Before proceeding to deploy Network Controller, make sure that you have performed the following steps:
You need to create an Active Directory security group for Network Controller management. The group should be a Domain Local group. Members of this group will be able to create, delete, and update the deployed Network Controller configuration. You need to create at least one user account that is a member of this group and have access to its credentials.
You need to create an Active Directory security group for Network Controller clients. The group should be a Domain Local group. Once the Network Controller is deployed, any members of this group will have permissions to communicate with the controller via REST interface. You need to create at least one user account that is a member of this group. After the Network Controller is deployed, VMM can be configured to use this user account’s credentials to establish communication with the Network Controller.
You need an SSL certificate that will be used to establish secure communication (https) between VMM and Network Controller. There are two methods you can use to generate an SSL certificate: generate a self-signed certificate or use a Certificate Authority (CA).
The following example creates a new self-signed certificate, and can be run from a PowerShell command window on any computer running Windows Server 2016 Technical Preview. Make note of the names you use to create the certificate and use the same names when you deploy the Network Controller.
New-SelfSignedCertificate -KeyUsageProperty All -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "<YourNCComputerName>" -DnsName @("<YourNCFQDN>")
You can use the Certificates snap-in to manage your certificate. Click Start, type manage computer certificates and press Enter. A Certificates - Local Computer console starts, where you can find your Network Controller certificate under Personal, Certificates.
For a Windows-based enterprise CA, follow the steps available here to request a CA-signed certificate. The certificate must include the serverAuth EKU (OID 1.3.6.1.5.5.7.3.1). In addition, the certificate Subject Name must match the DNS name of the Network Controller.
After requesting the certificate, use the Certificates snap-in to export it and its private key into a .pfx file. When exporting, choose Personal Information Exchange - PKCS #12 (.PFX) and accept the default to Include all certificates in the certification path if possible. The export wizard requires that you protect the private key with either a security principal or a password. Be sure to assign a password, as you will need it later during Network Controller deployment.
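The following PowerShell is an added example, not code from the original article: it creates the self-signed certificate in the local machine store, checks the two requirements the text calls out (the serverAuth EKU 1.3.6.1.5.5.7.3.1 and a subject/DNS name equal to the Network Controller FQDN) plus the presence of the private key, and exports the certificate with its key to a password-protected .pfx for the ServerCertificate.cr resource. The FQDN `nc01.contoso.com`, the output path and the `Test-NcCertificate` helper are assumptions; the same check also works on a CA-issued certificate if you replace the `New-SelfSignedCertificate` call with `Get-Item Cert:\LocalMachine\My\<thumbprint>`.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# window on a Windows Server 2016 Technical Preview machine.
$ncFqdn        = 'nc01.contoso.com'             # assumed Network Controller FQDN; must match the DNS record
$pfxPath       = 'C:\NC\ServerCertificate.pfx'  # assumed output path
$serverAuthOid = '1.3.6.1.5.5.7.3.1'            # serverAuth EKU

# Same cmdlet as the article, stored in LocalMachine\My and restricted to the serverAuth EKU.
$cert = New-SelfSignedCertificate -KeyUsageProperty All `
    -Provider 'Microsoft Strong Cryptographic Provider' `
    -FriendlyName $ncFqdn -DnsName @($ncFqdn) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @("2.5.29.37={text}$serverAuthOid")

function Test-NcCertificate {
    # Returns a list of problems; an empty list means the certificate meets the article's requirements.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)
    $ekus = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $problems = @()
    if ($ekus -notcontains $serverAuthOid)          { $problems += "missing serverAuth EKU ($serverAuthOid)" }
    if ($dnsName -ne $Fqdn)                          { $problems += "subject/DNS name '$dnsName' is not '$Fqdn'" }
    if (-not $Cert.HasPrivateKey)                    { $problems += 'no private key in this store' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30))   { $problems += "expires on $($Cert.NotAfter)" }
    return $problems
}

$issues = Test-NcCertificate -Cert $cert -Fqdn $ncFqdn
if ($issues) { throw "Certificate not usable for Network Controller: $($issues -join '; ')" }

# Export with the private key. The password you type here is the value you later
# give the ServerCertificatePassword parameter of the service template.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported $($cert.Thumbprint) for $ncFqdn to $pfxPath"
```

`-ChainOption BuildChain` is the scripted equivalent of the wizard's "Include all certificates in the certification path if possible"; for a self-signed certificate the chain is just the certificate itself.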
Create a file share that can be accessed by the Network Controller. The Network Controller will use this share to store diagnostics information throughout its lifetime. You may also optionally assign access permissions for the share to a specific domain user account; store the username and password for this account, which you will need later during Network Controller deployment.
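The prerequisites above (two Domain Local security groups with one member account each, and a diagnostics share restricted to a dedicated account) can be created in one pass with the ActiveDirectory and SmbShare modules. This is an added example, not part of the original article; the OU `OU=SDN,DC=contoso,DC=com`, the account names `ncmgmt`, `ncclient` and `ncdiag`, the share path and the helper names are assumptions.

```powershell
# Added example (not from the original article). Run on a domain-joined server
# with RSAT (ActiveDirectory module) as a user allowed to create objects in $ou;
# the share part runs on the file server that will host the diagnostics share.
Import-Module ActiveDirectory

$ou         = 'OU=SDN,DC=contoso,DC=com'        # assumed OU for the SDN objects
$mgmtGroup  = 'Network Controller Management'    # same example names as the article
$clntGroup  = 'Network Controller Clients'
$mgmtUser   = 'ncmgmt'                           # assumed: later mapped to MgmtDomainAccount
$clientUser = 'ncclient'                         # assumed: later used by VMM to reach the REST interface
$diagUser   = 'ncdiag'                           # assumed: later given as DiagnosticLogShareUsername
$domainDns  = (Get-ADDomain).DNSRoot
$netbios    = (Get-ADDomain).NetBIOSName

function New-NcGroup {
    # Creates the group if missing and verifies the Domain Local scope the article requires.
    param([string]$Name)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security -Path $ou
    }
    $g = Get-ADGroup -Identity $Name
    if ($g.GroupScope -ne 'DomainLocal') { throw "$Name exists but its scope is $($g.GroupScope), not DomainLocal" }
    return $g
}

function New-NcAccount {
    # Creates a dedicated account (password prompted, never stored in the script) and adds it to a group.
    param([string]$Sam, [string]$Group)
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
        $pw = Read-Host -Prompt "Password for $Sam" -AsSecureString
        New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@$domainDns" `
            -Path $ou -AccountPassword $pw -Enabled $true
    }
    if ($Group) { Add-ADGroupMember -Identity $Group -Members $Sam }
}

New-NcGroup $mgmtGroup | Out-Null
New-NcGroup $clntGroup | Out-Null
New-NcAccount -Sam $mgmtUser   -Group $mgmtGroup
New-NcAccount -Sam $clientUser -Group $clntGroup
New-NcAccount -Sam $diagUser                      # share account only; no group membership needed

# Diagnostics share: only the dedicated account gets write access, on both the NTFS ACL and the share ACL.
$sharePath = 'D:\nc_logs'                         # assumed path on the file server
if (-not (Test-Path $sharePath)) { New-Item -ItemType Directory -Path $sharePath | Out-Null }
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\$diagUser", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl
if (-not (Get-SmbShare -Name 'nc_logs' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'nc_logs' -Path $sharePath -ChangeAccess "$netbios\$diagUser"
}
"Diagnostic log share: \\$env:COMPUTERNAME.$domainDns\nc_logs (writer: $netbios\$diagUser)"
```

Keep the three passwords you typed: `ncmgmt` becomes the MgmtDomainAccount Run As account, `ncclient` the Run As account for the VMM network service, and `ncdiag` the DiagnosticLogShareUsername/DiagnosticLogSharePassword pair.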
This section covers the setup required for deploying the Network Controller.
The following test topology is designed to allow you to evaluate the SDN features on a small hardware footprint without requiring a large test bed. You can deploy this topology if you want but it’s not required. It is just a guide to help you understand the pieces that are required to deploy an SDN fabric and how they fit together. We assume that you already have VMM 2016 Technical Preview 4 installed with a few hosts under management.
The topology to deploy Network Controller consists of three physical hosts, one virtual machine for Network Controller, and two tenant virtual machines that will be used for Network Controller deployment validation.
| Host | Hardware Requirements | Software Requirements |
|---|---|---|
| Host 1: Infrastructure Host | 2 x 1Gb physical network adapter | Windows Server 2016 Tech Preview |
| Host 2: VM Host | 2 x 1Gb physical network adapter | Windows Server 2016 Tech Preview |
| Host 3: VM Host | 2 x 1Gb physical network adapter | Windows Server 2016 Tech Preview |

| Virtual Machine | Software Requirements |
|---|---|
| Network Controller Virtual Machine | Windows Server 2016 Technical Preview 4 (VHD) |
| Tenant VM 1 | Windows Server 2016 Technical Preview 4 (VHD) |
| Tenant VM 2 | Windows Server 2016 Technical Preview 4 (VHD) |
The physical network must be configured so that the following networks are available. Subnets and VLAN IDs are examples and can be customized for your environment:
| Network Name | Subnet | Mask | VLAN ID on trunk | Gateway |
|---|---|---|---|---|
| Management: The subnet that connects VMM with the NC Host and VM Hosts. | 10.60.34.0 | 24 | NA | 10.60.34.1 |
| Backend: Subnet for the Provider Addresses. Needed to validate the Network Controller deployment. | 10.60.33.128 | 25 | 11 | 10.60.33.129 |
Active Directory and DNS must be reachable from these subnets.
The Management logical network models the Management network connectivity for the VMM host, NC host, and VM hosts. To create the Management logical network:
6. Review the Summary information and click Finish to complete.
The Management logical switch needs to be deployed on the NC host and provides the Management network connectivity to the NC VM. To create Management logical switch:
a. Use the defaults for Load Balancing algorithm and Teaming Mode.
b. Be sure to select all the network sites that are part of the Management logical network you created.
c. Select the Uplink Port Profile you created and click New virtual network adapter. This adds a host virtual network adapter (vNIC) to your logical switch and uplink port profile, so when you add the logical switch to your hosts, the vNICs get added automatically.
d. Provide a name for the vNIC. Verify that the management VM network is listed under the Connectivity section.
e. Check the Inherit connection settings from the host adapter box. This allows you to take the vNIC adapter settings from the adapter that already exists on the host.
f. If you created a port classification and virtual port profile earlier, you can select it now.
g. Click Next.
h. Review the Summary information and click Finish to complete the wizard.
To deploy the Management logical switch on the NC host, follow the steps available at this page.
The service template requires one virtual hard disk that must be prepared before importing the service template. This virtual disk must contain an operating system running Windows Server 2016 Technical Preview and should be in VHD format. Download and use the Windows Server 2016 Technical Preview 4 ISO image from here. Note that with TP4, the VMM service template for Network Controller only supports single-node deployment on a generation 1 virtual machine.
This section tells you how to import the Network Controller service template into your VMM library. Before importing it, download the template to your machine from our download center here.
The service template uses the following virtual machine configuration parameters. Update the parameters to reflect the configuration for your environment as you import the service template.
| Resource Type | Resource Name and Description |
|---|---|
| Virtual hard disk | Description: Windows Server Virtual Hard Disk. Format should be VHD. Select the base VHD image that you prepared earlier and imported into your VMM library. |
| NCSetup.cr | A library resource that contains scripts used to set up the Network Controller. Map to the NCSetup.cr library resource in your VMM library. |
| ServerCertificate.cr | A library resource that contains an SSL certificate in .PFX format. Select the ServerCertificate.cr library resource that you prepared earlier and imported into your VMM library. Also put the .pfx SSL certificate you prepared above inside this folder. |
| TrustedRootCertificate.cr | A library resource that contains a certificate public key (.CER) to be imported as a trusted root certificate to validate the SSL certificate. The trusted root certificate is optional. If a trusted root certificate is not needed, this resource still needs to be mapped to a CR folder, but the folder should be left empty. Map to the TrustedRootCertificate.cr in your VMM library. |
Use the following process to deploy a network controller service instance.
| Parameter | Required/Optional | Description |
|---|---|---|
| ClientSecurityGroup | Required | Name of the security group containing Network Controller client accounts. This is the group you created previously. Example: contoso\Network Controller Clients |
| DiagnosticLogShare | Optional | File share location where the diagnostic logs will be periodically uploaded. If this is not provided, the logs are stored locally on each node. Example: \\fileserver.contoso.com\nc_logs\ |
| DiagnosticLogShareUsername | Optional | Full username (including domain name) for an account that has access permissions to the diagnostic log share. Must be in the form [domain]\[username]. Example: contoso\Username |
| DiagnosticLogSharePassword | Optional | The password for the account specified in the DiagnosticLogShareUsername parameter. |
| EnableApplicationLogging | Required | Indicates whether to enable Network Controller application logging. These logs are intended for debugging issues; leaving this option set to True will consume disk space. Options are "False" and "True". The recommended setting is "False". |
| LocalAdmin | Required | Select a Run As account in your environment that will be used as the local Administrator on the NC virtual machines. The user name should be .\Administrator |
| MgmtDomainAccount | Required | Select a Run As account in your environment that will be used to prepare the Network Controller. This user must be a member of the management security group, specified below, which has privileges to manage the Network Controller. |
| MgmtDomainAccountName | Required | The full username (including domain name) of the Run As account mapped to MgmtDomainAccount. Example: contoso\Username |
| MgmtDomainAccountPassword | Required | Password for the management Run As account mapped to MgmtDomainAccount. |
| MgmtDomainFQDN | Required | Fully qualified domain name of the Active Directory domain that the Network Controller virtual machines will join. Example: Contoso.com |
| MgmtSecurityGroup | Required | Name of the security group containing Network Controller management accounts. This is the group you created previously. Example: contoso\Network Controller Management |
| ServerCertificatePassword | Required | Password needed to import the SSL certificate into the machine store. |
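Several of these parameters depend on each other (the management account must belong to MgmtSecurityGroup, both groups must be Domain Local, the account names must be in domain\username form, and ServerCertificatePassword must actually open the .pfx). The following pre-flight script, an added example rather than anything shipped with the template, checks those relationships before you click Deploy Service. The parameter values are constructed to match the article's examples; the account names `ncmgmt` and `ncdiag`, the .pfx path and the helper names are assumptions.

```powershell
# Added example (not from the original article). Run as a domain user on a machine
# with the ActiveDirectory (RSAT) and PKI modules, from where the share is reachable.
Import-Module ActiveDirectory

$params = @{
    ClientSecurityGroup        = 'contoso\Network Controller Clients'
    MgmtSecurityGroup          = 'contoso\Network Controller Management'
    MgmtDomainAccountName      = 'contoso\ncmgmt'                 # assumed account
    MgmtDomainFQDN             = 'contoso.com'
    DiagnosticLogShare         = '\\fileserver.contoso.com\nc_logs\'
    DiagnosticLogShareUsername = 'contoso\ncdiag'                 # assumed account
    EnableApplicationLogging   = 'False'
    ServerCertificatePfx       = 'C:\NC\ServerCertificate.pfx'    # assumed: the .pfx placed in ServerCertificate.cr
}

function Split-DomainAccount {
    # Enforce the [domain]\[username] form the parameter table requires.
    param([string]$Account)
    if ($Account -notmatch '^([^\\]+)\\([^\\]+)$') { throw "'$Account' is not in domain\username form" }
    return @{ Domain = $Matches[1]; User = $Matches[2] }
}

function Test-NcDeploymentParameters {
    # Returns a list of findings; an empty list means every check passed.
    param([hashtable]$P, [securestring]$PfxPassword)
    $findings = @()

    # Both security groups must exist and be Domain Local (see the prerequisites).
    $groups = @{}
    foreach ($g in $P.MgmtSecurityGroup, $P.ClientSecurityGroup) {
        $name = (Split-DomainAccount $g).User
        $grp  = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $grp) { $findings += "group '$g' not found"; continue }
        if ($grp.GroupScope -ne 'DomainLocal') { $findings += "group '$g' is $($grp.GroupScope), not DomainLocal" }
        $groups[$g] = $grp
    }

    # The management account must be a member of the management group.
    $mgmt = Split-DomainAccount $P.MgmtDomainAccountName
    if ($groups[$P.MgmtSecurityGroup]) {
        $members = Get-ADGroupMember -Identity $groups[$P.MgmtSecurityGroup] -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        if ($members -notcontains $mgmt.User) { $findings += "$($P.MgmtDomainAccountName) is not a member of $($P.MgmtSecurityGroup)" }
    }

    # The domain the NC VMs will join should be the domain this machine sees.
    $dnsRoot = (Get-ADDomain).DNSRoot
    if ($dnsRoot -ne $P.MgmtDomainFQDN) { $findings += "MgmtDomainFQDN '$($P.MgmtDomainFQDN)' differs from '$dnsRoot'" }

    # Optional diagnostics share: if set, it must be reachable and its username well-formed.
    if ($P.DiagnosticLogShare) {
        if (-not (Test-Path -Path $P.DiagnosticLogShare)) { $findings += "share $($P.DiagnosticLogShare) is not reachable from this machine" }
        try { Split-DomainAccount $P.DiagnosticLogShareUsername | Out-Null } catch { $findings += $_.Exception.Message }
    }

    if ($P.EnableApplicationLogging -notin 'True', 'False') { $findings += 'EnableApplicationLogging must be "True" or "False"' }

    # ServerCertificatePassword is only used to import the .pfx, so prove the password opens it.
    try {
        $pfx = Get-PfxData -FilePath $P.ServerCertificatePfx -Password $PfxPassword
        if (-not $pfx.EndEntityCertificates) { $findings += 'PFX contains no end-entity certificate' }
    } catch { $findings += "cannot open PFX: $($_.Exception.Message)" }

    return $findings
}

$pfxPassword = Read-Host -Prompt 'ServerCertificatePassword' -AsSecureString
$findings = Test-NcDeploymentParameters -P $params -PfxPassword $pfxPassword
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All parameter checks passed' }
```

A failed group-membership or password check here costs seconds; the same mistake discovered during the 30 to 60 minute deployment job costs a full redeploy.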
6. After you configure these settings, click Deploy Service to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes.
After the network controller service is successfully deployed, the next step is to add it to VMM as a network service. This works just like adding other network services in VMM; you begin this process with the Add Network Service wizard.
6. On the Credentials tab, provide the Run As account you want to use to configure the network service. This should be the same account that you included in the Network Controller Clients group. Click Next.
7. For the Connection String, use the FQDN you registered in DNS for the network service you deployed previously. Your connection string should look similar to this:
9. On the Review Certificates page, a connection is made to the Network Controller virtual machine to retrieve the certificate. Verify that the certificate shown is the one you expect. Ensure you select the These certificates have been reviewed and can be imported to the trusted certificate store check box. Click Next.
10. On the next screen, click Scan Provider to connect to your service and list the properties and their status. This is also a good test of whether the service was created correctly and you are using the right connection string to reach it. Examine the results, and when the scan completes successfully, click Next.
11. Configure the Host Group in VMM that your Network Controller will manage. If all the hosts in your VMM deployment will be managed by the Network Controller (for example, if you are using the minimum deployment topology), you can choose All Hosts. Otherwise, choose only the Host Group with the Windows Server 2016 Technical Preview hosts that are part of your SDN fabric. Click the appropriate check box and then click Next.
12. Click Finish to complete the Add Network Service wizard. When the service has been added to VMM, you should see it appear in the Network Services list in the VMM Console, and it should look similar to the following:
13. You can right-click the Network Controller object and select Properties to view the properties of your newly created Network Controller.
14. Click OK to finish.
This section, although not required for Network Controller deployment itself, lets you validate that the Network Controller was deployed successfully. We will create an NC-managed "Back End" network and configure a tenant VM network on top of it. We will also test connectivity between two tenant VMs deployed on different hosts to confirm that NC is working.
The Network Controller is connected to the Management network, which is the network used to deploy and manage the Network Controller through VMM. Next, you need to create a "Back End" network that will be managed by the Network Controller in your SDN fabric. This network will be used to validate that the Network Controller has been deployed successfully and that tenant virtual machines within the same Virtual Network can ping each other.
1. Start the Create Logical Network Wizard.
2. Type a name and optional description for this network. The example shown here is Back End Network. Click Next.
3. On the Settings page, be sure to select One Connected Network, since all HNV PA networks need routing and connectivity between all hosts in that network. Ensure you check Allow new VM networks created on this logical network to use network virtualization. You will also see a new setting: Managed by the Network Controller. Ensure you check this box and then click Next.
4. On the Network Site panel, add the network site information for your HNV PA network. This should include the Host Group, Subnet and VLAN information for your Back End Network. Remember, this network should already exist in your physical network devices (switch) and all your SDN fabric hosts should have physical connectivity to it.
5. Review the Summary information and complete the wizard.
The Back End Network is the HNV Provider Address (PA) network, so it must have a static IP address pool managed by VMM for address assignment, even if DHCP is available on this network. Thus, you need to create a static IP address pool that is associated with this logical network.
1. Right-click the Back End Network logical network in VMM and select Create IP Pool from the drop-down menu.
2. Provide a name and optional description for the IP pool and ensure that the Back End Network is selected as the logical network. Click Next.
3. On the Network Site panel, select the subnet that this IP address pool will serve. If you have more than one subnet as part of your HNV PA network, you need to create a static IP address pool for each subnet. If you have only one site (as in the sample topology), just click Next.
4. On the IP Address range panel, specify the starting and ending IP address. It is recommended that you start with the second address in your IP address range so that the Network Controller does not assign the default gateway address for the subnet. Click Next.
5. Now configure the default gateway address. Click Insert next to the Default gateways box, type the address and use the default metric. Click Next.
6. Optionally you can configure DNS information but this is generally not required.
7. Optionally you can also configure WINS server information, but this is generally not required. Click Next.
8. Review the summary information and click Finish to complete the wizard.
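The same PA pool can be created with the VMM PowerShell module, which is handy when the PA network has several subnets and step 3 has to be repeated per subnet. This is an added example, not part of the original article: the subnet and gateway are the article's sample Back End network, while the logical network name, the pool name, the `Get-PaPoolRange` helper and the exact cmdlet usage are my assumptions. The helper implements the recommendation in step 4 by starting the range after the gateway address and stopping before the broadcast address.

```powershell
# Added example (not from the original article). Run in a VMM PowerShell
# session on the VMM server after the Back End logical network and its
# network site exist.
Import-Module virtualmachinemanager

$logicalNetworkName = 'Back End Network'   # assumed: the name given in the Create Logical Network wizard
$subnet  = '10.60.33.128/25'               # article sample PA subnet
$gateway = '10.60.33.129'                  # article sample gateway

function ConvertTo-UInt32Address {
    param([string]$Ip)
    [BitConverter]::ToUInt32([System.Net.IPAddress]::Parse($Ip).GetAddressBytes()[3..0], 0)
}
function ConvertFrom-UInt32Address {
    param([uint32]$Value)
    ([System.Net.IPAddress]::new([byte[]]([BitConverter]::GetBytes($Value)[3..0]))).ToString()
}

function Get-PaPoolRange {
    # First and last assignable addresses of the subnet, skipping the gateway so the
    # Network Controller never hands out the router address (step 4 above).
    param([string]$Cidr, [string]$Gateway)
    $net, $prefix = $Cidr.Split('/')
    $netInt = ConvertTo-UInt32Address $net
    $gwInt  = ConvertTo-UInt32Address $Gateway
    $size   = [math]::Pow(2, 32 - [int]$prefix)
    if ($gwInt -lt $netInt -or $gwInt -ge $netInt + $size) { throw "$Gateway is not inside $Cidr" }
    $first = [uint32]($netInt + 1)
    if ($first -eq $gwInt) { $first = [uint32]($gwInt + 1) }
    $last  = [uint32]($netInt + $size - 2)          # leave out the broadcast address
    return @{ Start = (ConvertFrom-UInt32Address $first); End = (ConvertFrom-UInt32Address $last) }
}

$range = Get-PaPoolRange -Cidr $subnet -Gateway $gateway

# Find the network site (logical network definition) that carries this subnet; assumed property usage.
$ln  = Get-SCLogicalNetwork -Name $logicalNetworkName
$lnd = Get-SCLogicalNetworkDefinition -LogicalNetwork $ln |
       Where-Object { $_.SubnetVLans.Subnet -contains $subnet } | Select-Object -First 1
if (-not $lnd) { throw "No network site on '$logicalNetworkName' carries $subnet" }

$gw = New-SCDefaultGateway -IPAddress $gateway -Automatic   # default metric, as in step 5
New-SCStaticIPAddressPool -Name "$logicalNetworkName PA pool" -LogicalNetworkDefinition $lnd -Subnet $subnet `
    -IPAddressRangeStart $range.Start -IPAddressRangeEnd $range.End -DefaultGateway $gw
```

Running the block once per PA subnet (changing `$subnet` and `$gateway`) produces the one-pool-per-subnet layout that step 3 asks for.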
Now that you have created the logical networks, VM networks, and IP pools for your SDN fabric, you need to create a logical switch that you can deploy to your Windows Server 2016 Technical Preview hosts. This makes the networks you created available to your hosts via VMM and enables the Virtual Filtering Platform (VFP) switch extension, which makes your hosts available to the Network Controller. This is also referred to as an SDN switch, as it enables creation and configuration of network objects via the Network Controller.
1. Click Create Logical Switch from the ribbon, or right-click the Logical Switches node in the left hand tree navigation in the VMM console.
2. Review the Getting Started information and click Next .
3. Provide a name (SDN Switch or whatever you want) and optional description. For the uplink mode, ensure you select No Uplink Team.
4. Click the Managed by Microsoft Network Controller check box and you will notice that the Extensions page disappears. This happens because the Network Controller requires the VFP extension, so it is selected by default. If your network adapters support SR-IOV and you want to use it, you can enable it here as well. Click Next to proceed.
5. You can optionally select one or more Virtual Port Profiles. This functionality is the same as it was in Windows Server 2012 R2. When you are ready to proceed, click Next.
6. Add a new Uplink Port Profile directly from the wizard. Click Add and select New Uplink Port Profile from the drop-down menu.
7. Provide a name (SDN port profile or whatever you want) and optional description for your Uplink Port Profile.
It is recommended that you use the defaults for Load Balancing algorithm and Teaming Mode.
Ensure you select all the Network Sites you created for your SDN fabric that are managed by the Network Controller as you want to be sure that they are included in this switch.
You do not need to check the Enable Hyper-V Network Virtualization box as you cannot have hosts that do not support this as part of an SDN fabric by definition. The SDN switch is supported on Windows Server 2016 Technical Preview hosts only.
Click Next to proceed.
8. Review the Summary information and click Finish.
You can now deploy the SDN logical switch to the hosts that will be used to provision tenant virtual machines.
1. Navigate to the Host Group that contains the Windows Server 2016 Technical Preview hosts that are part of your SDN fabric. Right-click a host and select Properties from the drop-down menu.
2. Select Virtual Switches from the left menu.
3. Click New Virtual Switch and select New Logical Switch from the menu. The SDN logical switch that you created previously should appear selected in the logical switch combo box. If it isn't, select it now.
4. Ensure you bind the SDN Logical Switch to the correct physical adapter on the host. It should be a different adapter from the one that the Management logical switch is connected to.
5. Click OK on the Host Properties dialog to complete the operation.
6. Repeat this for each host in your SDN fabric. The Infrastructure host does not need this logical switch.
Next, you will create a VM network and IP pool for a tenant in your SDN infrastructure.
Follow the steps mentioned here to create the VM network and here to create the IP address pool.
Click Next.
Now you can create tenant virtual machines connected to the tenant virtual network.
Follow these steps to create a VM from an existing virtual hard disk.
Once you have deployed at least two virtual machines in your VM network, ping one tenant virtual machine from the other to validate that the Network Controller has been deployed successfully and that it manages the Back End network, allowing tenant virtual machines to reach each other.