This article is a work in progress based on adam's blog post at: http://blogs.msdn.com/adamfazio/archive/2008/11/14/understanding-hyper-v-vlans.aspx and the whitepaper "Understanding Networking with Hyper-V." Please add your best practice advice.

Note: This article is based on Hyper-V 2.0 and might not apply to Hyper-V 3.0 (Server 2012)

Backgrounders:

• Microsoft Hyper-V Server 2008 Configuration Guide
• Hyper-V Planning and Deployment Guide
• Using HP ProLiant Network Teaming Software with Microsoft® Windows® Server 2008 Hyper-V

Hyper-V Networking Best Practices

• You can best manage the bandwidth usage of VM NICs relative to the Host (also called parent partition) NIC by leaving the VM NIC settings on "autosense."
• Configure at least two physical NICs. If additional services are required, add additional physical network adapters as needed. 
• If only communication between virtual machines is needed and not with the physical machine or the external network, create a private virtual network.
• If only communication between virtual machines and the physical machine is needed, create an internal virtual network. 
• If the virtual machines need to communicate with the entire network or the Internet, create an external network.
• If separate communication is needed between the virtual machines and the physical server machines while maintaining communication with an external network, use an external network without a virtual network adapter in the management OS. 
• If two internal or private virtual networks are created in Hyper-V and two virtual machines are created on a separate IP subnet, they cannot communicate with each other. The virtual switch operates at layer 2 of the ISO/OSI Network Model. To achieve routing at higher levels, a router needs to be used, the same as would be done in a physical environment. ISA 2006 or RRAS may be used to achieve this functionality.
• When using an internal virtual network, create an exception to enable the virtual machines to communicate with the physical server.
• When using virtual machines to communicate with the management OS, ensure that they are on the same IP subnet. 
• Each virtual machine can have a total of 12 virtual network adapters. Eight network adapters can be assigned to a high-speed adapter and four network adapters can be assigned to a legacy adapter.
• If the virtual machine experiences high traffic volume, it is recommended that a dedicated physical network adapter be assigned to the virtual machine external network switch.
• Whenever possible, use high-speed devices in the virtual machines by enabling the integration services.

Hyper-V in the DMZ

When considering Hyper-V for server consolidation in a DMZ it is recommended not to run VMs of vastly differing trust levels on the same physical host in production environments (i.e. do not consolidate all DMZ boxes on one physical host).  Instead, the recommendation is to consolidate all the front-end boxes on one physical server and do the same for the back-end, depending on the workloads.

Understanding Hyper-V VLANs

Before reading this article ensure you are familiar with basic concepts associated with a VLAN, as well as the network policies and security goals of your environment. The focus of this troubleshooter is using VLAN IDs with Hyper-V.  

A VLAN ID is the integer which uniquely identifies a node as belonging to a particular VLAN. As per the 802.1Q specification, the VLAN ID itself is encapsulated within the Ethernet frame, which is how multiple VMs using the same physical NIC can communication on different VLANs simultaneously.

First, ensure that your physical NICs support VLAN tagging and that this feature is enabled. NOTE: You should set the VLAN ID on either the Virtual Switch or the individual Virtual Machine’s configuration, not at the physical NIC. The VLAN ID on the Virtual Switch is the one used by the management operating system (also sometimes called Host or Parent Partition). The VLAN ID setting on the individual Virtual Machine’s settings is what each VM will use. NOTE: You can assign only one VLAN ID on the Virtual Switch. The V-Switch (parent partition) can operate on one VLAN, and the VMs (child partitions) can operate on different VLANs.

VLAN ID setting at the Host’s Virtual Switch

 

 VLAN ID setting at the Virtual Machine

 

When creating an External network in Hyper-V, a virtual network switch is created and bound to the selected physical adapter. A new virtual network adapter is created in the management operating systems (parent partition) and connected to the virtual network switch. Virtual machines (child partitions) can be bound to the virtual network switch by using virtual network adapters. This diagram illustrates the architecture.

  

In addition to the above scenarios, Hyper-V also supports the use of VLANs and VLAN IDs with the virtual network switch and virtual network adapters. Hyper-V leverages 802.1q VLAN trunking to achieve this objective. Trunking requires the creation of a virtual network switch on the host that is bound to a physical network adapter that supports 802.1q VLAN tagging.

This diagram illustrates an example of using a single physical NIC in the host which is connected to an 802.1q trunk on the physical network carrying three VLANs (ID numbers 5, 10, and 20). The design objective in this example includes:

·         An 802.1q trunk carrying 3 VLANs (5, 10, 20) is connected to a physical adapter in the host

·         A single virtual switch is created and bound to the physical adapter

·         The VLAN ID of the virtual switch is configured to 5 which would allow the virtual NIC in the parent to communicate on VLAN 5

·         The VLAN ID of the virtual NIC in Child Partition #1 is set to 10 allowing it to communicate on VLAN 10

·         The VLAN ID of the virtual NIC in Child Partition #2 is set to 20 allowing it to communicate on VLAN 20

 The expected behavior is that there is a single virtual switch, the parent and two virtual machines (child partition 1 and child partition 2) can communicate only over their respective VLANs, and they cannot communicate to each other. 

 

Troubleshooting

Ensure you are using the latest NIC drivers, and that they support VLAN tagging and that they are enabled

1. To enable: go to Control Panel, Network Connections, Properties of NIC, Configure, Advanced

2. Ensure the trunk is properly configured on the physical switch that the Host's V-Switch is using.

3. Check the following registry key to confirm the VLAN-ID number: HKLM:\System\CurrentControlSet\services\VMSMP\Parameters\SwitchList

If you need further help please try the Hyper-V TechNet forums http://social.technet.microsoft.com/forums/en/winserverhyperv/threads/

Community Resources

• How does basic networking work in Hyper-V?
• Understanding Hyper-V VLANS
• Hyper-V: What are the uses for different types of virtual networks? 
• NVSPBIND Demo with Keith Mange
• NVSPBIND
• Configuring Virtual Networks
• Windows Server 2008 R2 & Microsoft Hyper-V Server 2008 R2 - Hyper-V Live Migration Overview & Architecture
• Step-by-Step Guide for Testing Hyper-V and Failover Clustering 
• How to Add or Modify Virtual Networks on a Host
• VLAN Attributes Used in Network Policy
• Hyper-V: Live Migration Network Configuration Guide
• Getting to Know Hyper-V: A Walkthrough from Initial Setup to Common Scenarios
• Configure Networking in Hyper-V 
• Hyper-V Virtual Machine (VM) Parent-Child Configuration Using Differencing Disks
   

See Also

• Hyper-V Portal