I have two VLANs on my network. VLAN 100 for users in the office, and VLAN 10 for visitors/guests. Neither VLAN has access to the other, and each has its own internet connection. However, I want to set up a hyper-v server to control the public workstations on the guest network (VLAN 10).
On the physical server, I have two NICs which are teamed using BACS4.
I want to allow VLAN 100 full access to the server. I do not want VLAN 10 to see the physical server at all--just the hyper-v VM.
Currently, the switch ports are configured for link aggregation and are in access mode for VLAN 100.
I've tried all sorts of combinations and procedures, but have not had any luck getting everything working properly.
Here's what I've tried, which seems to be the closest that I've gotten:
- Add two VLAN NICs to the team (VLAN 100 and VLAN 10)
- Change the switch port mode to trunk and add VLAN 100 and VLAN 10
- In hyper-v, create a new external virtual adapter using the VLAN 10 virtual NIC.
Under these conditions, the physical server is available to the VLAN 10 network.
There is some sort of glitch in hyper-v where I can sometimes get the "enable virtual LAN identification for management operating system" option available. If I enable that and set the VLAN ID to 10, the hyperv adapter throws an error message and fails to be created.
What is the correct approach for setting this up?
The teaming software needed to create the two virtual adapters, with each one assigned to a VLAN.
When creating the hyper-v external virtual adapter, the "allow management operating system to share this network adapter" option needed to be checked for VLAN 100 and unchecked for VLAN 10.
The LAG on the switch needed to be in trunk mode with VLANs 100 and 10.
Hyper-V can and will happily handle VLAN trunking or NIC teaming (although not as easily as ESX/i), but things can get quite crazy when you want both of them at the same time (which is a definitely common configuration for real virtualization hosts).
First of all, Microsoft just doesn't want to get dragged into this; their official position is "this is a hardware thing, so call your hardware vendor": http://support.microsoft.com/kb/968703; that means you are basically on your own.
There are two ways to have both NIC teaming and VLAN trunking on Hyper-V hosts: either handle both of them at the NIC level, or handle teaming at the NIC level and VLANs at the Hyper-V level.
With the first approach (the one suggested by Force Flow), you use the NIC's management software to create the team and then to create a virtual adapter for each VLAN; then, in Hyper-V, you configure each of these adapters for either virtual machine traffic, OS traffic, or both. Hyper-V doesn't see any VLAN at all, because the NIC software is handling them.
With the second approach, you only use the NIC's management software to create the team; then, in Hyper-V, you configure the team for virtual machine traffic, and in each VM connection you specify the VLAN to use. This allows for more flexibility (and fewer virtual adapters hanging around in the OS), but requires the teaming software to transparently forward tagged Ethernet frames to Hyper-V, which quite often requires up-to-date drivers and management software, and some specific configuration in the team properties, too.
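The first approach, scripted with a check that the host really is absent from VLAN 10. This is an added example, not part of the original posts, which use the Hyper-V Manager GUI. It assumes Windows Server 2012 or later with the Hyper-V PowerShell module; the adapter, switch and VM names are hypothetical placeholders.

```powershell
# Assumed names (not from the original posts): the per-VLAN adapters created by
# the teaming software, the virtual switch names, and the VM name.
$officeNic    = 'Team-VLAN100'
$guestNic     = 'Team-VLAN10'
$officeSwitch = 'Office-VLAN100'
$guestSwitch  = 'Guest-VLAN10'
$vmName       = 'GuestCtl'

# VLAN 100: the management OS shares this adapter, so the host stays reachable
# from the office network.
New-VMSwitch -Name $officeSwitch -NetAdapterName $officeNic -AllowManagementOS $true

# VLAN 10: virtual machine traffic only. No host virtual adapter is created,
# which is the "allow management operating system to share" box left unchecked.
New-VMSwitch -Name $guestSwitch -NetAdapterName $guestNic -AllowManagementOS $false
Connect-VMNetworkAdapter -VMName $vmName -SwitchName $guestSwitch

# Audit 1: the management OS must have no virtual adapter on the guest switch.
$hostVnics = Get-VMNetworkAdapter -ManagementOS |
    Where-Object SwitchName -eq $guestSwitch

# Audit 2: the host's own IPv4/IPv6 stack must not be bound to the VLAN 10
# team adapter (only the virtual switch protocol should remain enabled on it).
$ipBound = Get-NetAdapterBinding -Name $guestNic -ComponentID ms_tcpip, ms_tcpip6 |
    Where-Object Enabled

if ($hostVnics -or $ipBound) {
    Write-Warning "Management OS is still attached to VLAN 10 via $guestNic / $guestSwitch"
    $hostVnics | Format-Table Name, SwitchName
    $ipBound   | Format-Table Name, ComponentID, Enabled
} else {
    "Host is not exposed on VLAN 10; only $vmName is attached to $guestSwitch."
}
```

Re-run the two audit queries after driver or teaming-software updates, since recreating the team adapters can restore the default protocol bindings.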