The virtual switch provided by Hyper-V is compliant with the official 802.1q standard, which means that it can assign its virtual switch ports to virtual local area networks (VLANs). Hyper-V will assign 802.1q VLAN tags to outbound packets from those switch ports and will properly route inbound 802.1q VLAN-tagged packets to their proper virtual switch ports. Understanding the concept is the hardest part; configuring Hyper-V for it is simple.
Thinking in VLANs
VLAN technology has been around for quite some time but wasn’t common in SMB environments until server virtualization started to catch on. Its primary purpose is to allow physical switch ports to be logically segregated, most commonly for security purposes but also sometimes to reduce the effects of excessive broadcast traffic and other potential congestion-causing problems. Refer to the following diagram:
On the left are two 16-port switches. Their individual ports are configured to be in the VLANs as indicated in the legend. As far as the devices plugged into those switches are concerned, they are configured as seen in the box on the right. Ports connected to a particular VLAN have no direct connectivity to ports in any other VLAN, even if they happen to be on the same physical switch, but they can communicate directly with any other port in the same VLAN, even if it happens to be on another switch – provided that any other physical switches are connected in a trunk.
Hyper-V’s virtual switches have the ability to emulate the above behavior, although it isn’t required. If you do nothing, all traffic traveling across a Hyper-V virtual switch will simply be untagged. If the physical switch that the physical network card you’re using to host your Hyper-V virtual switch doesn’t support 802.1q, then you won’t be able to use this feature. If the physical switch is 802.1q compliant, then you’ll need to set the physical port into trunk mode. For a Cisco IOS switch, this is done with the “switchport mode trunk” command; for other vendors, see the documentation.
You don’t need to do anything in Hyper-V to enable trunking; it’s on automatically. However, you’ll need to configure individual switch ports for the desired VLAN. To do that, inside Hyper-V Manager, open the settings for the virtual machine you wish to configure. Highlight its virtual network card. The VLAN setting is near the middle of the configuration pane:
Upon clicking OK, all network traffic that this virtual network card sends will be tagged as belonging to VLAN 10. Inbound traffic for this virtual machine must carry 802.1q tags for VLAN 10 or it will be dropped. This virtual network card will receive broadcast traffic traveling on VLAN 10.
VLAN for the Physical NIC
In the properties box for the virtual switch, it is possible to connect the management operating system to a VLAN as well, if you’ve allowed it to share the physical adapter. “Sharing” is misleading here. What actually happens is that Hyper-V creates a virtual switch port for the management operating system and connects it to the virtual switch. The management operating system’s adapter won’t behave any differently than a virtual machine’s would:
What About the Native VLAN?
If you know much about Cisco configurations, then you know that it’s possible to set a native VLAN on trunked ports. For other manufacturers, this is called the port VLAN identifier (PVID). Basically, this tells the switch port which VLAN it should consider untagged packets to be a part of. There is no equivalent to this in Hyper-V networking. The reason is because this is a port setting. Since Hyper-V switches are virtual and there isn’t actually a port being used for the trunk, the idea of a native VLAN/PVID really has no meaning. If the virtual switch receives untagged packets, it will distribute them to virtual switch ports that haven’t been assigned a VLAN. When those ports send their traffic, it will go out untagged and land on other untagged virtual switch ports and up the physical wire where the connected switch’s PVID/native VLAN will handle them.
Fortunately, there isn’t much that can go wrong here. If VLAN traffic isn’t traveling as expected, there are only three places to check.
The Physical Switch
First, the physical switch has to support 802.1q trunking and the port that the Hyper-V physical NIC is connected to must be in trunk mode. Some switches also have security options that allow/disallow particular VLANs to participate in trunks. For a Cisco switch, the place to start is with the “show interface trunk” command. Other manufacturers will have similar options.
System Center Virtual Machine Manager
It’s possible for SCVMM to exercise tighter control over virtual switches than can be done with Hyper-V Manager. It can restrict VLAN traffic much the way that Cisco switches do. To check its settings, open the properties of the host computer. Switch to the networking tab. Highlight the virtual network on the left. On the right pane near the bottom, under “Connection”, highlight the physical network adapter (its VLAN will be “Trunk”). Click the “Edit…” button and you will be presented with the dialog box as seen below. If you do not elect to trunk all VLANs, you’ll need to manually enter those that you do wish to allow. If you change the dot to “Access mode”, then all virtual switch ports that aren’t tagged will be transmitted to each other and the physical network on VLAN 2; other virtual switch port traffic will be dropped.
Settings Inside the Virtual Machine
If your physical and virtual switches are configured properly and you’re still having trouble, the final place to check is the virtual machine itself. You’ll troubleshoot this the same way that you would for a physical computer. Make sure that it recognizes the network adapter and has loaded a driver for it. If it does, then ensure its TCP/IP settings are correct. Occasionally, the VLAN setting in Hyper-V doesn’t “stick” or the virtual machine doesn’t recognize it right away. In these cases, you can re-apply the setting first. If that doesn’t work, try shutting down the virtual machine and starting it back up. If your host is part of a cluster, sometimes LiveMigrating the virtual machine from one host to another gets the VLAN setting to “wake up”.
Have any questions?
Leave a comment below!
Backing up Hyper-V
If you’d like to make backing up your Hyper-V VMs easy, fast and reliable, check out Altaro Hyper-V Backup v4. It’s free for up to 2 VMs and supports Hyper-V Server 2012 R2! Need more? Download a 30-day trial of our Unlimited Edition here: http://www.altaro.com/hyper-v-backup/.
(Don’t worry, we hate spam too!)
Is Your Office 365 Data Secure?
Did you know Microsoft does not back up Office 365 data? Most people assume their emails, contacts and calendar events are saved somewhere but they're not. Secure your Office 365 data today using Altaro Office 365 Backup - the reliable and cost-effective mailbox backup, recovery and backup storage solution for companies and MSPs
Not a DOJO Member yet?
Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!