Hyper-V Virtual LANs

The Microsoft documentation for this is pretty much non-existent, but it is actually all very simple. In the docs, they refer a lot to the “parent domain”. All that means is the networking used by the host operating system, i.e. the Windows 2008 installation on the physical hardware.

You need a network card that can handle 802.1Q VLAN tagging, and you plug in a feed that carries multiple tagged VLANs, i.e. a trunk port straight out of your Cisco (or whatever) corporate switch. This is not something you are likely to have at home.

Using the Hyper-V Network Manager, you add a new network with the parent VLAN tag set to the tag number of the VLAN whose IP range you want your host operating system's main address to live in.

In each virtual machine, you then assign the network adapter to the network you just created, and you set the VLAN tag number for the packets destined for that virtual machine.

Note: Windows automatically attaches the correct protocols to the correct network adapters, so don’t go overriding its choices here unless you know exactly what you’re doing, in which case you probably aren’t reading this anyway. Don’t assign IPv4 or IPv6 to a network interface because you think Windows forgot and got it wrong. It didn’t. You have misunderstood. It gets it right.

Example

So say your Servers VLAN is tag 14, and your DMZ is tag 10. You want your physical server to live in your internal Servers VLAN so you can administer it nice and easily without your firewall getting in the way. But you want your virtual machine, say your corporate web site or mail server, to live in the DMZ where it is nice and safely outside your main internal network.

You set the parent domain VLAN tag to 14, and give the virtual network adapter that just got created (it’s in your list of network connections) an IP address that corresponds to the IP range used by VLAN 14 (Servers). You set the VLAN tag of the VM’s network adapter to 10, and set the IP address in the VM to one in the IP range used by VLAN 10 (DMZ).

Then you can administer the physical server, and get to the console of the VM, by just talking to your Servers VLAN on your internal network, safe in the knowledge that no-one accessing your VM (your corporate web site or mail server, for example) can access anything other than the VM in the DMZ, with your firewall protecting your internal network from nasties in the DMZ.
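The same Servers/DMZ layout expressed with the Hyper-V PowerShell cmdlets, as an added example that is not from the original post. It assumes a Windows Server 2012 or later host with the Hyper-V module (the post's Windows 2008 host does the same steps in the Network Manager GUI), a physical NIC named Ethernet, a virtual switch named CorpTrunk and a VM named WebServer; the subnets 10.0.14.0/24 and 10.0.10.0/24 are constructed.

```powershell
# Added example: host on VLAN 14 (Servers), VM on VLAN 10 (DMZ), built with the
# Hyper-V cmdlets (Server 2012+). Names "Ethernet", "CorpTrunk" and "WebServer"
# are assumptions; the 10.0.14.0/24 and 10.0.10.0/24 subnets are constructed.

# 1. External switch on the NIC that carries the tagged trunk. AllowManagementOS
#    creates the host's own adapter, "vEthernet (CorpTrunk)", on that switch.
New-VMSwitch -Name "CorpTrunk" -NetAdapterName "Ethernet" -AllowManagementOS $true

# 2. Parent (host) traffic is tagged VLAN 14, and the host adapter gets an
#    address from the Servers range.
Set-VMNetworkAdapterVlan -ManagementOS -Access -VlanId 14
New-NetIPAddress -InterfaceAlias "vEthernet (CorpTrunk)" `
    -IPAddress 10.0.14.20 -PrefixLength 24 -DefaultGateway 10.0.14.1

# 3. Attach the VM's adapter to the switch and pin it to VLAN 10. Access mode
#    gives the guest exactly one VLAN: frames it sends are tagged 10 by the
#    switch, so it cannot tag its way onto VLAN 14. The guest's own address
#    (e.g. 10.0.10.5/24, gateway on the firewall) is set inside the VM.
Connect-VMNetworkAdapter -VMName "WebServer" -SwitchName "CorpTrunk"
Set-VMNetworkAdapterVlan -VMName "WebServer" -Access -VlanId 10

# 4. Verify the isolation actually holds: the VM adapter must report
#    Access/10. Untagged or Trunk mode would let DMZ traffic leak.
Get-VMNetworkAdapterVlan -ManagementOS
$vlan = Get-VMNetworkAdapterVlan -VMName "WebServer"
if ($vlan.OperationMode -ne 'Access' -or $vlan.AccessVlanId -ne 10) {
    Write-Warning "WebServer adapter is not pinned to VLAN 10: $($vlan.OperationMode)/$($vlan.AccessVlanId)"
}
```

If the host adapter gets an address on VLAN 14 but the VM sees nothing on VLAN 10, the switch port upstream is usually not trunking both tags, which is the check the Summary below describes.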

Summary

That’s really all there is to it. If you can’t get it working, the first thing to check is that the relevant tagged VLAN packets are actually being sent down the cable to your server, which may need extra configuration on your corporate network routers/switches. Once the tagged VLAN packets are reaching your Win2008 server, there’s not much that can go wrong.