Configuring VM VLAN Isolation in Hyper-V
Those who are new to Hyper-V tend to overthink the architecture required to deploy VMs that are isolated using VLANs. The configuration is actually quite simple, so in today's post I'll show you how to implement VLANs with Hyper-V.
The Hard Part: Network Configuration
The difficult part of deploying VLAN-isolated Hyper-V virtual machines is done by the network administrator. While I say "difficult," the amount of work required is less than what would be needed to isolate individual physical servers instead of virtual machines.
Each required VLAN is created and configured by the network administrator. IP ranges are assigned, and routing/firewall rules are configured. The network administrator will then ask which physical switch ports will be used by the new VLAN. Instead of assigning dedicated access ports, as you would with a physical server, you ask the network administrator to configure the port (or ports, if you are using NIC teaming for the virtual switch) of the Hyper-V host in question as a trunk that carries every VLAN the host's VMs might need.
Tip: Make sure that you understand where your virtual machines might live migrate to. Each possible destination host must have an identical physical switch port configuration; a VM that moves to a host whose trunk does not carry its VLAN simply loses network connectivity. If a VM on Host1 can live migrate to Host2, Host3 and all the way to Host64, then the network administrator needs to configure the trunk ports for each of those hosts. This might sound like a lot, but with scripting it is simple, and it is many times more attractive than the static, per-port VLAN assignment that network admins have to do for physical servers.
The example below illustrates the design. A single virtual switch is created on each host, and that one virtual switch carries all required VLANs. VMware administrators: please note that you should not create one virtual switch per VLAN. This is a common mistake made by those making the jump for the first time. The Hyver-V virtual switch is a secure layer 2 virtual device: frames tagged for one VLAN are never delivered to a virtual port bound to another, so Microsoft's networking stack will not allow VLAN hopping unless you introduce incorrectly configured (and unsupported) third-party NIC teaming underneath it.
This example uses NIC teaming. Two access switches are used: one connects to the first team member, and the second connects to the second team member. Each switch port is configured as a trunk port. This allows tagged frames for every VLAN to pass through the ports, through the NIC team and into the virtual switch, where the VLAN filtering is applied per virtual port.
The physical element of configuring VLANs for Hyper-V.
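As an added example (not from the original post), here is the host side of that design in PowerShell: a switch-independent LBFO team built from the two physical NICs that hang off the two trunk ports, and a single external virtual switch bound to the team. The NIC names `NIC1`/`NIC2`, the team and switch names, and the management VLAN ID 100 are assumptions for illustration only; use whatever your network administrator actually trunked and assigned.

```powershell
# Added example: build one NIC team and ONE virtual switch per Hyper-V host.
# Assumed names: physical NICs "NIC1" and "NIC2", each cabled to a trunk port
# on a different access switch. Run elevated on the Hyper-V host.

$teamName   = 'HostTeam'      # assumed
$switchName = 'External'      # assumed
$mgmtVlan   = 100             # assumed management VLAN; ask the network admin

# Switch-independent teaming needs no LACP/EtherChannel on the physical
# switches, which is why the two members can sit on two separate switches.
New-NetLbfoTeam -Name $teamName `
                -TeamMembers 'NIC1', 'NIC2' `
                -TeamingMode SwitchIndependent `
                -LoadBalancingAlgorithm HyperVPort `
                -Confirm:$false

# One virtual switch for all VLANs. AllowManagementOS keeps a host vNIC on
# this switch for the parent partition; set it to $false if the host has a
# dedicated management NIC instead.
New-VMSwitch -Name $switchName -NetAdapterName $teamName -AllowManagementOS $true

# Because the physical ports are trunks, the parent partition's own vNIC must
# be tagged too, or it ends up on whatever native VLAN the trunk defaults to.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $switchName -Access -VlanId $mgmtVlan

# Check: every host in the live migration domain should show the same result.
Get-NetLbfoTeam -Name $teamName | Select-Object Name, Status, TeamingMode
Get-VMSwitch -Name $switchName | Select-Object Name, SwitchType, NetAdapterInterfaceDescription
Get-VMNetworkAdapterVlan -ManagementOS
```

Run the same script on every host that a VM can live migrate to; the tip above about identical switch port configuration applies just as much to the team and virtual switch names, since a VM's network adapter is bound to the switch by name.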
The Easy Part: Virtual Machine Configuration
The next step is to configure VLAN filtering in the properties of the virtual machine. You might think I just contradicted myself, because VLAN filtering is applied by the virtual switch. However, the virtual switch port is a property of the virtual NIC, not of the host. This allows Hyper-V administrators to configure network settings for a virtual machine once, and wherever that virtual machine goes, that configuration follows it. That's much simpler than configuring physical switch ports (hopefully) in advance of relocating physical servers.
Say, for example, you are creating VM01 and you requested a VLAN for it. The network administrator has assigned VLAN 201 to that virtual machine. Open the settings of VM01 and expand the virtual network adapter. Check the Enable Virtual LAN Identification box and enter the ID (tag) of the VLAN, 201, that the network administrator gave you. Click OK and you're done. It really is that simple! VM01 can now only communicate on VLAN 201; the virtual switch tags its outbound frames with 201 and only delivers frames tagged 201 to it. VM01 will only be able to talk to other networks if the network administrator allows it via the router/firewall.
Configuring a VLAN binding in a VM.
You can take this further. VM02 can be assigned to VLAN 202 in exactly the same way. A VM can also span more than one VLAN by giving it one virtual NIC per VLAN, each tagged with its own ID.
Multiple VLAN-isolated VMs on a host.
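The GUI steps above, for VM01, VM02 and a dual-homed VM, as an added PowerShell example (not from the original post). The VM names, the switch name `External`, the adapter name `VLAN202` and VLAN IDs 201/202 are assumed for illustration; only what your network administrator assigned is real.

```powershell
# Added example: per-VM VLAN isolation with Set-VMNetworkAdapterVlan.
# Assumed: VMs VM01, VM02 and VM03 exist and are connected to a virtual
# switch named "External"; VLANs 201 and 202 were assigned by the network admin.

$switchName = 'External'   # assumed

# VM01 lives only on VLAN 201 (equivalent to ticking
# "Enable Virtual LAN Identification" and entering 201 in the GUI).
Set-VMNetworkAdapterVlan -VMName 'VM01' -Access -VlanId 201

# VM02 lives only on VLAN 202.
Set-VMNetworkAdapterVlan -VMName 'VM02' -Access -VlanId 202

# VM03 spans both VLANs: one virtual NIC per VLAN. The first adapter keeps the
# default name "Network Adapter"; the second gets an explicit name so the
# VLAN binding can target it unambiguously.
Set-VMNetworkAdapterVlan -VMName 'VM03' -VMNetworkAdapterName 'Network Adapter' -Access -VlanId 201
Add-VMNetworkAdapter   -VMName 'VM03' -Name 'VLAN202' -SwitchName $switchName
Set-VMNetworkAdapterVlan -VMName 'VM03' -VMNetworkAdapterName 'VLAN202' -Access -VlanId 202

# Check 1: show what every VM's adapters are bound to.
Get-VMNetworkAdapterVlan -VMName 'VM01', 'VM02', 'VM03' |
    Select-Object VMName, ParentAdapter, OperationMode, AccessVlanId

# Check 2: find adapters that were never tagged. On a trunked host port an
# untagged vNIC ends up on the trunk's native VLAN rather than isolated.
Get-VM | Get-VMNetworkAdapterVlan |
    Where-Object { $_.OperationMode -eq 'Untagged' } |
    Select-Object VMName, ParentAdapter, OperationMode
```

Because the binding is stored with the virtual NIC, the same `Get-VMNetworkAdapterVlan` output follows the VM when it live migrates; the second check is the one worth scheduling, since an untagged adapter is the most common way a "VLAN-isolated" VM quietly ends up on the wrong network.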
Remember that VLANs do not scale without limit: the 802.1Q tag allows at most 4094 usable IDs, and every new VLAN needs coordinated changes on the physical trunks, so this isolation technique is not suitable for dynamic, self-service environments such as a cloud. You should consider Hyper-V Network Virtualization as the VM isolation mechanism in larger environments such as a cloud.