Hyper-V replication traffic through dedicated NIC


Hello,
I have 2 domain members (serverA and serverB) with the Hyper-V role installed.
These hosts are NOT in a cluster.
I enabled replication on the host level and on the VM level as well.
This works well, but the replication traffic goes through the LAN, as does the VM traffic.

I would like to isolate the replication traffic from the other traffic.
I have found many articles saying that this should be done by configuring certificates.
However, I can't get this to work.

What have I done so far:

Both hosts also have a 10GB SFP card installed.
These SFP cards are directly connected by a cable.
I have configured these NICs with an IP address and subnet mask only (different subnet). No gateway.

On both hosts I have also edited the hosts file. Each file now contains the hostname (serverSFPa and serverSFPb) and IP address of the SFP card.

I can ping the first server on serverA and serverSFPa and the second server on serverB and serverSFPb.
So that part works.

On ServerA:
Created a self-signed test root authority certificate:
makecert -pe -n "CN=PrimaryTestRootCA" -ss root -sr LocalMachine -sky signature -r "PrimaryTestRootCA.cer"

Created a new certificate signed by the test root authority certificate
makecert -pe -n "CN=serverSFPa" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "PrimaryTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 PrimaryTestCert.cer

On ServerB:
Created a self-signed test root authority certificate
makecert -pe -n "CN=ReplicaTestRootCA" -ss root -sr LocalMachine -sky signature -r "ReplicaTestRootCA.cer"

Created a new certificate signed by the test root authority certificate
makecert -pe -n "CN=serverSFPb" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "ReplicaTestRootCA" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 ReplicaTestCert.cer

Copy the file ReplicaTestRootCA.cer from the Replica server to the primary server
certutil -addstore -f Root "ReplicaTestRootCA.cer"

Copy the file PrimaryTestRootCA.cer from the primary server to the Replica server
certutil -addstore -f Root "PrimaryTestRootCA.cer"

Disabled the certificate revocation check on both the primary and Replica servers with the following command:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
These are the steps described in many articles.
I can see that all certificates are installed correctly.
When enabling replication in Hyper-V Manager I do not have a choice to choose the certificate for serverSFPa. The wizard always pops up with the certificate for serverA.
How can I make replication traffic go through the SFP card?
What am I doing wrong?

Any help is appreciated!

Regards,
JW

0 Replies
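Added example, not part of the original post and not an answer from the forum: a PowerShell script that checks the certificates in the machine store against the Hyper-V Replica prerequisites the post's makecert commands were trying to meet (private key present, Server and Client Authentication EKUs, chain trusted to a root in the Root store), then enables replication with Enable-VMReplication, which takes the certificate thumbprint explicitly instead of letting the Hyper-V Manager wizard choose. The names serverSFPa and serverSFPb are the ones from the post; the VM name TestVM and the replica storage path are placeholders, and the expectation that the certificate subject should match the name given as ReplicaServerName is an assumption drawn from the Hyper-V Replica certificate documentation rather than something verified on this setup.

```powershell
# Added example (not from the original post). Run elevated on the primary host (ServerA).
$ExpectedSubject = 'CN=serverSFPa'   # subject of the certificate makecert created on ServerA
$ReplicaName     = 'serverSFPb'      # hosts-file name that should resolve to ServerB's SFP IP
$ReplicaPort     = 443               # default port for certificate-based (HTTPS) replication

# EKU OIDs Hyper-V Replica needs on the host certificate (the same ones passed to makecert -eku).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-ReplicaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids = $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # Build the chain without revocation checking: a lab root created by makecert publishes no CRL,
    # which is exactly why the post sets DisableCertRevocationCheck. A production CA should be
    # checked with the default (Online) revocation mode instead.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuth    = ($ekuOids -contains $ServerAuthOid)
        ClientAuth    = ($ekuOids -contains $ClientAuthOid)
        ChainTrusted  = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        NotAfter      = $Cert.NotAfter
    }
}

# 1. Report every certificate in the machine Personal store against the prerequisites.
$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ReplicaCertificate -Cert $_ }
$report | Format-Table Subject, Thumbprint, HasPrivateKey, ServerAuth, ClientAuth, ChainTrusted, ChainStatus -AutoSize

# 2. Select the SFP-name certificate explicitly and stop if it is not usable.
$cert = $report | Where-Object {
    $_.Subject -eq $ExpectedSubject -and $_.HasPrivateKey -and $_.ServerAuth -and $_.ClientAuth -and $_.ChainTrusted
} | Select-Object -First 1
if (-not $cert) { throw "No usable certificate with subject '$ExpectedSubject' in Cert:\LocalMachine\My" }

# 3. Confirm the replica name resolves to the SFP address and not to the LAN address.
#    The system resolver honours the hosts file, so this reflects the entries the post describes.
$addresses = [System.Net.Dns]::GetHostAddresses($ReplicaName) | ForEach-Object { $_.IPAddressToString }
Write-Host "$ReplicaName resolves to: $($addresses -join ', ')"

# 4. On the replica host (ServerB), with ServerB's own thumbprint, the matching configuration is:
#    Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Certificate `
#        -ReplicationAllowedFromAnyServer $true -CertificateThumbprint '<ServerB thumbprint>' `
#        -CertificateAuthenticationPort 443 -DefaultStorageLocation 'D:\Replica'   # path is a placeholder
#    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTPS Listener (TCP-In)'

# 5. On ServerA, enable replication for one VM using the SFP hostname and the chosen thumbprint.
Enable-VMReplication -VMName 'TestVM' -ReplicaServerName $ReplicaName -ReplicaServerPort $ReplicaPort `
    -AuthenticationType Certificate -CertificateThumbprint $cert.Thumbprint
Start-VMInitialReplication -VMName 'TestVM'

# 6. Verify which replica server name and authentication type the VM ended up with.
Get-VMReplication -VMName 'TestVM' | Format-List VMName, ReplicaServer, ReplicaServerPort, AuthenticationType, State
```

Selecting the certificate by thumbprint is the point of doing this from PowerShell rather than the wizard: the cmdlet accepts whichever certificate in Cert:\LocalMachine\My meets the prerequisites, so a certificate whose subject is the SFP hostname can be named directly. The hostname passed as ReplicaServerName is what the primary host connects to, so step 3 is the check that matters for steering traffic onto the directly cabled NIC; if it resolves to the LAN address, the hosts-file entry is not being used. The NoCheck revocation mode in the report, like the DisableCertRevocationCheck registry value, only makes sense for a lab root that publishes no CRL.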