That last one is why we have multiple VLAN\u2019s at work. Each VLAN is firewalled from every other VLAN. We open up what ports we need to between VLAN\u2019s and to\/from the Internet. <\/p>\n
Each VLAN has an ID. That is used by administrators for configuring firewall rules, switches and servers.<\/p>\n
How do you tell a physical server that it is on a VLAN?<\/p>\n
There\u2019s two ways I can think of:<\/p>\n
- \n
- The network administrators would assign the switch ports that will connect the server to a specific VLAN <\/li>\n
- The network administrators can create a \u201ctrunk\u201d on a switch port. That\u2019s when all VLAN\u2019s are available on that port. Then on the server you need to use the network card driver or management software to specify which VLAN to bind the NIC to. Some software (HP NCU) allows you to create multiple virtual network cards to bind the server to multiple VLAN\u2019s using one physical NIC. <\/li>\n<\/ul>\n
How about a virtual machine; how do you bind the virtual NIC of a virtual machine to a specific VLAN? It\u2019s a similar process. I must warn anyone reading this that I\u2019ve worked with a Cisco CCIE while working on Hyper-V and previously with another senior Cisco guy while working on VMware ESX and neither of them could really get their heads around this stuff. Is it too complicated for them? Hardly. I think the problem was that it was too simple! Seriously!<\/p>\n
Let\u2019s have a look at the simplest virtual networking scenario:<\/p>\n
![\"image\"](\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2009\/12\/image_thumb11.png\" "\\"image\\"")
<\/a>The host server has a single physical NIC to connect virtual machines. A virtual switch is created in Hyper-V to pass the physical network that is attached to that NIC to any VM that is bound to that virtual switch.<\/p>\nYou can see above that the switch only operates with VLAN 101. Every server on the network operates on VLAN 101. The physical servers are on it, the parent partition of the host is on it, etc. The physical switch port is connected to the virtual machine NIC in the host using a physical network cable. In Hyper-V, the host administrator creates a virtual switch.<\/p>\n
Network admins: Here\u2019s where you pull what hair you have left out. This is not a switch like you think of a switch. There is no console, no MIB, no SNMP, no ports, no spanning tree loops, nada! It is a software connection and network pass through mechanism that exists only in the memory of the host. It interacts in no way with the physical network. You don\u2019t need to architect around them.<\/p>\n
The virtual switch is a linking mechanism. It connects the physical network card to the virtual network card in the virtual machine. It\u2019s as simple as that. In this case both of the VM\u2019s are connected to the single virtual switch (configured as an External type). That means they too are connected to VLAN 101.<\/p>\n
How do we get multiple Hyper-V virtual machines to connect to multiple VLAN\u2019s? There\u2019s a few ways we can attack this problem.<\/p>\n
Multiple Physical NIC\u2019s<\/h4>\n
In this scenario the physical host server is configured with multiple NIC\u2019s. <\/p>\n
*Rant Alert* Right, there\u2019s a certain small number of journalists\/consultants who are saying \u201cyou should always try to have 1 NIC for every VM on the host\u201d. Duh! Let\u2019s get real. Most machines don\u2019t use their GB connections in a well designed and configured network. That nightly tape backup over the network design is a dinosaur. Look at differential, block level continuous incremental backups instead, e.g. Microsoft System Center Data Protection Manager or Iron Mountain Live Vault. Next, who has money to throw at installing multiple quad NIC\u2019s with physical switch ports all over the place. The idea here is to consolidate! Finally, if you are dealing with blade servers you only have so many mezzanine card slots and enclosure\/chassis device slots. If a blade can have 144GB of RAM, giving maybe 40+ VM\u2019s, that\u2019s an awful lot of NIC\u2019s you\u2019re going to need :) Sure there are scenarios where a VM might need a dedicated NIC but there are extremely rare. *Rant Over*<\/p>\n
![\"image\"](\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2009\/12\/image_thumb12.png\" "\\"image\\"")
<\/a>In this situation the network administrator has set up two ports on the switches, one for each VLAN to connect to the Hyper-V host. VLAN 101 has a physical port on the switch that is cabled to NIC 1 on the host. VLAN 102 has a physical port on the switch that is cabled to NIC 2 on the host. The parent partition has it\u2019s own NIC, not shown. Virtual Switch 1 is created and connected to NIC 1 and Virtual Switch 2 is created and connected to NIC 2. Every VM that needs to talk on VLAN 101 will be connected to Virtual Switch 1 by the host administrator. Every VM that needs to talk on VLAN 102 should be connected to Virtual Switch 2 by the host administrator.<\/p>\nVirtual Switch Binding<\/h4>\n
You can only bind one External type virtual switch to a NIC. So in the above example we could not have matched up two virtual switches to the first NIC and changed the physical switch port to be a network trunk. We can do something similar but different.<\/p>\n
![\"image\"](\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2009\/12\/image_thumb13.png\" "\\"image\\"")
<\/a>When we create an external virtual switch we can tell it to only communicate on a specific VLAN. You can see in the above screenshot that I\u2019ve built a new virtual switch and instructed it to use the VLAN ID (or tag) of 102. That means that every VM virtual NIC that connects to this virtual switch will expect to be on VLAN 102 with no exceptions. <\/p>\nTaking our previous example, here\u2019s how this would look:<\/p>\n
![\"image\"](\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2009\/12\/image_thumb14.png\" "\\"image\\"")
<\/a>The network administrator has done things slightly different this time. Instead of configuring the two physical switch ports to be bound to specific VLAN\u2019s they\u2019re simple configured trunks. That means many VLAN\u2019s are available on that port. The device communicating on the trunk must specify what VLAN it is on to communicate successfully. Worried about security? As long as you trust the host administrator to get things right you are OK. Users of the virtual machines cannot change their VLAN affiliation.<\/p>\nYou can see that virtual switch 1 is now bound to VLAN 101. Every VM that connects to virtual switch 1 will be only able to communicate on VLAN 101 via the trunk on NIC 1. It\u2019s similar on NIC 2. It\u2019s set up with a virtual switch on VLAN 102 and all bound VM\u2019s can only communicate on that VLAN.<\/p>\n
We\u2019ve changed where the VLAN responsibility lies but we haven\u2019t solved the hardware costs and consolidation issue.<\/p>\n
VLAN ID on the VM<\/h4>\n
Here\u2019s the solution you are most likely to employ. For the sake of simplicity let\u2019s forget about NIC teaming for a moment.<\/p>\n
![\"image\"](\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2009\/12\/image_thumb15.png\" "\\"image\\"")
<\/a>Instead of setting the VLAN on the virtual switch we can do it in the properties of the VM. To be more precise we can do it in the properties of the virtual network adapter of the VM. You can see that I\u2019ve done this above by configuring the network adapter to only communicate on VLAN (ID or tag) 102.<\/p>\nThis is how it looks in our example:<\/p>\n
![\"image\"](\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2009\/12\/image_thumb16.png\" "\\"image\\"")
<\/a>Again, the network administrator has set up a trunk on the physical switch port. A single external virtual switch is configured and no VLAN ID is specified. The two VM\u2019s are set up and connected to the virtual switch. It is here that the VLAN specification is done. VM 1 has it\u2019s network adapter configured to talk on VLAN 101. VM 2 is configured to operate on VLAN 102. And it works, just like that!<\/p>\nWaiver: I\u2019m seeing a problem where VMM created NIC\u2019s do not bind to a VLAN. Instead I have to create the virtual network adapter in the Hyper-V console.<\/em><\/p>\n
Here\u2019s one to watch out for if you use the self servicing console. If you cannot trust delegated administrators\/users to get VLAN ID configuration right or don\u2019t trust them security-wise then do not allow them to alter VM configurations. If you do then they can alter the VLAN ID and put their VM into a VLAN that it might not belong to.<\/p>\n
Firewall Rules<\/h4>\n
Unless network administrators allow it, virtual machines on VLAN 101 cannot see virtual machines on VLAN 102. A break out is theoretically impossible due to the architecture of Hyper-V leveraging the No eXecute Bit (AKA DEP or Data Execution Prevention).<\/p>\n
Summary<\/h4>\n
You can see that you can set up a Hyper-V host to run VM\u2019s on different VLAN\u2019s. You\u2019ve got different ways to do it. You can even see that you can use your VLAN\u2019s to firewall VM\u2019s from each other. Hopefully I\u2019ve explained this in a way that you can understand.<\/p>\n
Technorati Tags: Hyper-V<\/a>,Windows Server 2008 R2<\/a>,Networking<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"How do you run multiple virtual machines on different subnets? Forget for for just a moment that these are virtual machines. How would you do it if they were physical machines? The network administrators would set up a Virtual Local Area Network or VLAN. A VLAN is a broadcast domain, i.e. it is a single … Continue reading “Hyper-V and VLAN\u2019s”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[20],"tags":[181,80,117],"class_list":["post-10164","post","type-post","status-publish","format-standard","hentry","category-hyper-v","tag-hyper-v","tag-networking","tag-windows-server-2008-r2"],"aioseo_notices":[],"jetpack_featured_media_url":"","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/10164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10164"}],"version-history":[{"count":0,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/10164\/revisions"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image\"](\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2009\/12\/image11.png\" "\\"image\\"")
<\/a>The host server has a single physical NIC to connect virtual machines. A virtual switch is created in Hyper-V to pass the physical network that is attached to that NIC to any VM that is bound to that virtual switch.<\/p>\n