Configuring VM VLAN Isolation in Hyper-V

Those who are new to Hyper-V overthink the architecture required to deploy VMs that are isolated using VLANs. The configuration is actually quite simple, so in today’s post I’ll show you how to implement VLANs with Hyper-V.

The Hard Part: Network Configuration

The difficult part of deploying VLAN-isolated Hyper-V virtual machines is done by the network administrator. While I say “difficult,” the amount of work required is less than what would be needed to do isolate individual physical servers instead of virtual machines.

Each required VLAN is created and configured by the network administrator. IP ranges are assigned, and routing/firewall rules are configured. The network administrator will ask which physical switch ports will be used by the new VLAN. Instead of assigning dedicated ports as you would with a physical server, you will ask the network administrator to trunk one or more (if you are using NIC teaming for the virtual switch) ports for the Hyper-V host in question.

Tip: Make sure that you understand where your virtual machines might live migrate to. You need to ensure that each possible host has an identical physical switch port configuration. If a VM on Host1 can live migrate to Host2, Host3 and all the way to Host64 then the network administrator needs to configure the trunk ports for each host. This might sound like a lot, but with scripting this is simple and is many times more attractive than static VLAN assignment that might be done by the network admins for physical servers.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

The below example illustrates the design. A single virtual switch is created for each host. This virtual switch will handle all required VLANs. VMware administrators: please note that you should not create one virtual switch for each VLAN. This is a common mistake made by those making the jump for the first time. The Hyper-V virtual switch is a secure layer 2 virtual device, and Microsoft networking will not allow VLAN jumping unless you introduce incorrectly configured (and unsupported) third-party NIC teaming.

This example is using NIC teaming. Two access switches are used. One connects to the first team member, and the second access switch is connected to the second team member. Each switch port is configured as a trunk port. This allows VLANs to pass through the ports, through the NIC team and into the virtual switch, where the VLAN filtering is applied.

Configure VM VLAN Isolation in Hyper-V

The physical element of configuring VLANs for Hyper-V.

The Easy Part: Virtual Machine Configuration

The next step is to configure VLAN filtering in the properties of the virtual machine. You might think I just contradicted myself. VLAN filtering is applied by the virtual switch. However, the virtual switch port is a property of the virtual NIC. This allows Hyper-V administrators to configure network settings for a virtual machine, and wherever that virtual machine goes, that configuration follows it. That’s much simpler than configuring physical switch ports (hopefully) in advance of relocating physical servers.

Say, for example, you are creating VM01 and you requested a VLAN for it. The network administrator has assigned VLAN 201 for that virtual machine. Open the settings of VM01 and expand the virtual network adapter. Check the Enable Virtual LAN Identification box and enter the ID or tag of the VLAN (201) that was shared by the network administrator. Click OK and you’re done. It really is that simple! VM01 can now only communicate on VLAN 201. VM01 will only be able to talk to other networks if the network administrator allows it via the router/firewall.

Configure VM VLAN Isolation in Hyper-V: VLAN binding

Configuring a VLAN binding in a VM.

You can take this further. VM02 can be assigned to VLAN 202. In fact, a VM can span more than one VLAN by allocating one virtual NIC for each VLAN.

Configure VM VLAN Isolation in Hyper-V: VLAN-isolated VMs

Multiple VLAN-isolated VMs on a host.

Remember that using VLANs is not scalable, and this network isolation technique is not suitable for dynamic, self-service environments such as a cloud. You should consider Hyper-V Network virtualization as a VM isolation mechanism in larger environments such as a cloud.

Related Topics:

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.
Live Webinar - Thursday, December 2nd! Active Directory Masterclass: AD Configuration Strategies for Stronger SecurityREGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: