Deploying Network Load Balancing (NLB) and Virtual Machines on Windows Server 2008 R2

When running NLB in a Virtual Machine (VM) guest on Windows Server 2008 R2 Hyper-V, you need to be aware of some specific configuration settings on the Hyper-V host prior to configuring NLB.


In Hyper-V, the VM host prevents dynamic MAC address updates as an extra layer of security in the datacenter.  This is because the VM may have full administrator rights, yet it may be untrusted in the datacenter, for example when the VM hosting is provided by an independent hosting company.  In this scenario, we need to make sure that one VM cannot mount a DoS or information disclosure attack against another VM.  If a VM is able to spoof its MAC address, then it can spoof the MAC addresses of other VMs and impact other VMs on that host.  Physical switches have similar protections, and it is up to the admin whether or not to enable that protection.


If you do not enable spoofing of MAC addresses prior to configuring NLB on the VM, you could potentially have problems with the NLB cluster.


When configuring NLB in unicast mode on Hyper-V with “Enable spoofing of MAC Address” disabled, you may see some of the following symptoms:

· When initially configuring NLB you will lose network connectivity on the network adapter NLB was configured on.

· There will be an NLB error event in the Windows Event Log stating that the network adapter does not support dynamic MAC address updates.

· After rebooting the server, NLB will appear to be bound to the network adapter, but the cluster VIP will not have been added to the network adapter.

· The cluster MAC address will still be the original MAC address the network adapter had prior to configuring NLB.  Run ipconfig /all from a command prompt to view the MAC address; when unicast NLB is working it should start with “02-BF-***”.

· If you ignore all previous symptoms and manually add the VIP, you could get an IP conflict if there are other nodes in the cluster that have the same VIP.


With that said, to allow VM guests to run NLB you need to set the VM property “Enable spoofing of MAC Address”.


To enable spoofing of MAC addresses, open the Hyper-V management console.  Make sure the VM is stopped, then open the properties of the VM.  Select the network adapter used by the NLB VM, check “Enable spoofing of MAC Address” and click OK.  Then start the VM.
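The same change, plus the host-side and guest-side checks, as an added example that is not part of the original post. It assumes the Hyper-V PowerShell module, which ships with Windows Server 2012 and later (on 2008 R2 hosts use the GUI steps above), an elevated session on the host, and a placeholder VM name.

```powershell
# Added example, not from the original post.
# Assumes: Hyper-V PowerShell module (Windows Server 2012 or later on the host),
# elevated session on the host. 'NLB-NODE1' is a placeholder VM name.
param([string]$VMName = 'NLB-NODE1')

function Enable-NlbMacSpoofing {
    param([Parameter(Mandatory)][string]$Name)

    $vm = Get-VM -Name $Name -ErrorAction Stop

    # The post's procedure changes the adapter setting with the VM stopped.
    if ($vm.State -ne 'Off') {
        Write-Host "Stopping $Name before changing adapter settings..."
        Stop-VM -Name $Name -Force
    }

    # Show the current value for each adapter, then allow MAC address spoofing
    # so the guest can switch to the unicast cluster MAC (02-BF-...).
    foreach ($nic in Get-VMNetworkAdapter -VMName $Name) {
        Write-Host ("Adapter '{0}' on switch '{1}': MacAddressSpoofing={2}" -f `
            $nic.Name, $nic.SwitchName, $nic.MacAddressSpoofing)
        $nic | Set-VMNetworkAdapter -MacAddressSpoofing On
    }

    Start-VM -Name $Name

    # Verify: any adapter still set to Off will reproduce the symptoms above.
    $stillOff = Get-VMNetworkAdapter -VMName $Name |
        Where-Object { $_.MacAddressSpoofing -ne 'On' }
    if ($stillOff) {
        throw "MAC spoofing still disabled on: $($stillOff.Name -join ', ')"
    }
    Write-Host "MAC address spoofing enabled on all adapters of $Name"
}

# Guest-side check, run inside the NLB VM after NLB is configured: in unicast
# mode the adapter's MAC should have been replaced by the 02-BF cluster MAC.
function Test-NlbClusterMac {
    $macs = @()
    foreach ($line in (ipconfig /all)) {
        if ($line -match 'Physical Address[\s.]*:\s*([0-9A-F]{2}(-[0-9A-F]{2}){5})') {
            $macs += $Matches[1]
        }
    }
    $cluster = $macs | Where-Object { $_ -like '02-BF-*' }
    Write-Host ("Adapter MACs: {0}" -f ($macs -join ', '))
    return [bool]$cluster   # $false means the original MAC is still in use
}

Enable-NlbMacSpoofing -Name $VMName
```

Run Enable-NlbMacSpoofing on the host and Test-NlbClusterMac inside the guest; a result of $false from the guest check, after NLB is bound, is the "cluster MAC is still the original MAC" symptom listed above.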


Thanks,
Gary Jackman
Software Test Engineer
Clustering & High-Availability
Microsoft