Introduction to VLANs
The IEEE 802.1Q standard for VLAN tagging was created to let you carry multiple streams of network traffic over a single physical network connection. Each stream is isolated from the others, so a machine on VLAN1 and a machine on VLAN2 cannot see each other’s packets unless a router is connected to both VLANs and is routing between them. The diagram on the left below shows that a single physical network cable can carry multiple VLANs as well as non-VLAN traffic; this is referred to as “trunking”. The diagram on the left is the conceptual view of the traffic isolation; the diagram on the right shows that the packets belong to a stream, that only a computer on the same VLAN can see the packets on that VLAN, and that a computer without a VLAN ID cannot see any packets that carry a VLAN tag.
How do VLANs work? There are basically two approaches. The first involves statically configuring the VLAN on the physical network at the port level of a network switch. In this configuration, you assign the VLAN to the switch port, and any traffic that flows through that port is tagged with the VLAN identification number (the VLAN ID). This approach prevents the device connected to the port from changing the VLAN ID value, but it means that if the device moves from one port to another, the new port must be configured for the correct VLAN. It also prevents multiple devices connected to the same port from being members of different VLANs.
The second approach has the end device assign the VLAN ID dynamically before it transmits the packets. In this approach the end device can easily be moved from one VLAN to another without requiring any modifications to the physical switch port. This requires the device to have complete knowledge of IEEE 802.1Q VLAN tagging: it needs to know how to tag a packet, how to transmit a tagged packet, and how to open a packet that has been tagged.
Static VLAN configuration is more secure than dynamic VLAN tagging, because with static configuration a network device cannot change its VLAN membership without being moved to a different switch port, and switches are usually behind a locked door; with dynamic tagging the device itself chooses the VLAN ID it places on its packets.
In order to support VLAN tagging (static or dynamic) you need the following:
- Hyper-V servers need network adapters with IEEE 802.1Q support. For dynamic tagging, the adapters need to support processing VLAN tagged packets even if the driver is not configured for VLAN support.
- Network switches need IEEE 802.1Q support
- Routers need IEEE 802.1Q support for routing tagged packets
Configuring the Parent Partition to use a VLAN
The Hyper-V parent partition can be a member of a VLAN. Usually this is done to separate the Hyper-V management traffic from the child partition traffic. Each physical network adapter can be configured for VLAN tagging support. For network adapters that are not configured with Hyper-V virtual networks, the VLAN ID is configured at the driver level in the advanced settings of the driver. The following figure shows a Broadcom network adapter with VLAN tagging support. By default the VLAN ID is zero. Changing this value to a VLAN ID that is configured on your network will tag all packets from the parent partition that flow through this adapter with that VLAN ID.
For network adapters that are configured with virtual networks, the configuration of the VLAN ID for the parent partition happens within the Hyper-V Manager console. To configure a VLAN ID of 200 for the parent partition on a network adapter that has an external virtual network configured do the following:
- Open up the Hyper-V Manager console.
- In the right-hand pane under Actions, click the action called Virtual Network Manager.
- Highlight the virtual network you want to modify, for example External. You will see the option Enable virtual LAN identification for parent partition; check that box and enter a value of 200 for the VLAN ID.
- Press OK to save the changes.
Now all traffic for the parent partition that flows through this network adapter will be tagged with the VLAN ID of 200.
You can also change the setting of Internal virtual networks to allow VLAN tagging of the parent partition traffic. The process is the same, just select a virtual network configured as Internal instead of one configured as External. Private virtual networks do not support VLAN tagging of traffic.
Configuring Child Partitions to use VLANs
Child partitions, also known as virtual machines, also support VLAN tagging configuration. The configuration is performed per network adapter in the virtual machine’s configuration settings. This allows a single virtual machine to be connected to multiple VLANs, one per network adapter. Since a virtual machine can have a maximum of 12 network adapters (8 synthetic and 4 legacy), that means a maximum of 12 VLANs per virtual machine.
If you want to configure a virtual machine to connect to VLAN 200 on the virtual network called External, you would need to do the following:
- Open up the Hyper-V Manager console.
- Highlight the virtual machine that you want to configure for VLAN tagged traffic.
- In the right-hand pane under Actions for the virtual machine, click the action called Settings.
- Find the network adapter connected to the External network and highlight that virtual network adapter entry under the Hardware section. On the right-hand side, you will see the option Enable virtual LAN identification; check that box and enter a value of 200 for the VLAN ID.
- Press OK to save the changes.
Now any traffic that flows out the network adapter connected to the External virtual network will be tagged with the VLAN ID of 200.
If you need a virtual machine to communicate over two or more VLANs, add additional network adapters, connect each to the correct virtual network, assign its VLAN ID, and configure its IP addresses. Then make sure that the traffic you want to flow across a given VLAN is addressed to the correct IP address or name of the target, so that it leaves through the correct network adapter.
Using VLANs for isolated testing
Everything we have discussed up until now has assumed that you wanted to transmit packets across the networking infrastructure using a VLAN ID of 200 and that the switch ports were configured to handle that VLAN ID. VLANs can provide additional benefits for isolation testing.
Let’s say you have two Hyper-V hosts connected to the same switch and need to configure a test that requires a service like DHCP to troubleshoot a problem. Your test requires virtual machines on each host to talk to each other. You have the following issues:
- You do not want to offer the DHCP services on the public network because it could cause havoc.
- You do not want to copy all the virtual machines to a single host, because you may not have the disk space or the time.
- You could add an additional network adapter to each host, connect them to an isolated network switch, configure a new virtual network for that adapter, configure the virtual machines to use that new virtual network and conduct your test, but that is a lot of work.
What you want is a quick and easy way to isolate the virtual machine traffic so you can perform your test. VLAN tagging is a perfect solution to this testing requirement. All you have to do is take all the virtual machines required for the test, connect them to the same physical subnet using the correct external virtual network, and configure them with the same VLAN ID and a common subnet. Now you have an isolated subnet across two hosts: only the machines configured with that VLAN ID see the traffic, and only they can communicate with each other.
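The following Python model, added here and not part of the original article, illustrates two things from the text: how an 802.1Q tag is inserted into and read back out of an Ethernet frame (the tagging and "opening" a dynamically tagging device must do, and the static port-level assignment), and the isolated two-host test above. The frames, MAC addresses, endpoint names and the DHCP-like payload are constructed for the example; the access-port behaviour (tag untagged frames with the port's VLAN, drop frames the device tagged with another VLAN) is a modelling assumption, not a specification of any particular switch.

```python
"""Model of IEEE 802.1Q tagging and the isolation it gives (added example, constructed data)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; a 4-byte 802.1Q tag goes after the source MAC when vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094 (0 means no VLAN, 4095 is reserved)")
        tci = (pcp << 13) | vlan_id   # TCI: 3-bit priority, 1-bit DEI (left 0), 12-bit VLAN ID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None = no 802.1Q tag present
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Open a frame and pull out the VLAN ID if an 802.1Q tag is present."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, ethertype, raw[14:])
    tci, ethertype = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, ethertype, raw[18:])


def access_port_ingress(raw: bytes, port_vlan: int) -> Optional[bytes]:
    """Static (port-level) assignment: untagged frames receive the port's VLAN; a frame
    the device tagged with a different VLAN is dropped (modelled behaviour, an assumption)."""
    f = parse_frame(raw)
    if f.vlan_id is None:
        return build_frame(f.dst, f.src, f.ethertype, f.payload, vlan_id=port_vlan)
    return raw if f.vlan_id == port_vlan else None


@dataclass
class Endpoint:
    name: str
    mac: bytes
    vlan_id: Optional[int]   # VLAN ID set on its (virtual) NIC; None = untagged

    def accepts(self, f: Frame) -> bool:
        # Must be on the same VLAN (or both untagged) and be broadcast or addressed to me.
        return f.vlan_id == self.vlan_id and f.dst in (BROADCAST, self.mac)


def deliver(raw: bytes, segment: List[Endpoint]) -> List[str]:
    """Names of endpoints on the shared physical segment that receive the frame."""
    f = parse_frame(raw)
    return [e.name for e in segment if e.mac != f.src and e.accepts(f)]


def mac(n: int) -> bytes:
    return bytes([0x00, 0x15, 0x5D, 0x00, 0x00, n])   # constructed addresses


# Constructed lab: hosts A and B on one switch; parent partitions untagged, test VMs on VLAN 200.
SEGMENT = [
    Endpoint("hostA-parent", mac(1), None),
    Endpoint("hostA-vm1", mac(2), 200),
    Endpoint("hostB-parent", mac(3), None),
    Endpoint("hostB-vm2", mac(4), 200),
    Endpoint("hostB-vm3", mac(5), 300),   # a VM on another VLAN; should see nothing
]


def run_lab() -> dict:
    # Broadcast from the VLAN 200 test VM (stand-in for a DHCP discover; constructed payload).
    dhcp_like = build_frame(BROADCAST, mac(2), ETHERTYPE_IPV4, b"DHCPDISCOVER", vlan_id=200)
    # Untagged broadcast from host A's parent partition (management traffic).
    untagged = build_frame(BROADCAST, mac(1), ETHERTYPE_IPV4, b"management")
    return {"vlan200_broadcast": deliver(dhcp_like, SEGMENT),
            "untagged_broadcast": deliver(untagged, SEGMENT)}


if __name__ == "__main__":
    print(run_lab())
```

Running it shows the VLAN 200 broadcast reaching only the other VLAN 200 test VM on the second host, while the untagged management broadcast reaches only the other parent partition; the VLAN 300 VM sees neither. The `access_port_ingress` function is the static case from the "How do VLANs work?" section: the device cannot pick its VLAN because the port tags for it.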
IEEE 802.1Q VLAN tagging allows you to easily isolate traffic between groups of machines across your networking infrastructure. To support VLAN tagging, your devices need to support the IEEE 802.1Q standard. Once they do, configuring them to tag packets is a simple setting on the virtual network or the network adapter in the Hyper-V Manager console. VLAN tagging can be used on Internal and External virtual networks to quickly create isolated virtual subnets for testing.