Cannot Create External Network on VLAN Based NIC

  • Question

  • The NIC is an Intel I211 which has 2 VLANs on it.  If I try to bind one of the VLAN interfaces to an external network I get an error.  If I remove the 2 VLAN interfaces and try to create a virtual switch it is created.

    [Main Instruction]
    Error applying Virtual Switch Properties changes

    [Content] Failed while adding virtual Ethernet switch connections.


    Sunday, June 23, 2019 4:41 PM

Answers

  • Sure, you can have that topology.

    The Hyper-V virtual switch does not allow you to tinker with its "access" or "trunk" ports like a physical switch does. You make those kinds of changes on virtual adapters instead. Otherwise, it is conceptually the same as a physical switch. Just imagine that you've converted your physical NIC into a multi-port switch. From there, it's pretty easy to understand.

    Start with cleaning your physical NIC's network settings back to defaults -- no logical adapters or VLAN IDs or anything at all. Next, create a new virtual switch on the physical adapter.

    By default, Windows will create a virtual adapter named after the virtual switch. Since I always use PowerShell to create a virtual switch and I always specify "-AllowManagementOS $false", then I have to create one manually with Add-VMNetworkAdapter. Since you want two connections in your management OS, then you have to do that at least once anyway. Once you have the management virtual adapters, then you place them in VLANs.

    I have full instructions with examples in the third linked article, so I will just give you a starting framework with some incomplete commands:

    New-VMSwitch -Name vSwitch -AllowManagementOs $false ... (additional info, including desired physical adapter)
    Add-VMNetworkAdapter -ManagementOS -Name "VLAN1" ...
    Add-VMNetworkAdapter -ManagementOS -Name "VLAN2" ...
    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "VLAN1" -Access -VLANId 1 ... (I think I forgot something)
    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "VLAN2" -Access -VLANId 2 ... (I think I forgot something)

    I wrote that from memory so I know that I didn't get all of the parameters and I might have made some minor typos on the parameters that I did remember. This isn't the ONLY way to do it, but it will give you exactly what you asked for. You will still need to add IP information on each of those adapters. You can do that the traditional way (GUI or netsh) or with New-NetIPAddress. <insert all of the warnings about multi-homed systems and DNS registration blah blah etc etc ad nauseam>

    Then, when you create VMs, you set their virtual NICs to whatever VLAN you want them to participate in. You can do that in Hyper-V Manager if you'd rather not use PowerShell.

    I do want to comment on one thing:

    VLAN 1 (tagged or untagged on the physical wire) vSwitch shared with host OS & all guests

    There is no "sharing". I know that the commands and GUI imply that, but they're wrong. ONLY create an adapter for the management OS if it requires its own L3 endpoint in that VLAN. You do NOT need a virtual adapter in the management OS for the VMs to communicate on any given VLAN. EVERYBODY "plugs in" to the same virtual switch, and the switch handles the tagging. It is perfectly acceptable to have a VLAN 1 vNIC in the management OS for that OS's communication purposes and then put all of the VMs into VLANs 2 and 21 and 80 and 2057 and whatever else you need.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.

    • Marked as answer by MrPaulAR Wednesday, June 26, 2019 5:08 PM
    Wednesday, June 26, 2019 1:55 PM
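
Added example (not part of the original thread and not the answer author's own script): one complete PowerShell form of the framework in the answer above, with a pre-check for leftover vendor VLAN interfaces and a final check of the resulting VLAN assignments. The adapter name `Ethernet` and the guest name `GuestVM` are placeholders assumed for illustration.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

# Assumed names (not from the thread): change them to match your host.
$PhysicalNic = 'Ethernet'   # physical adapter name as shown by Get-NetAdapter
$SwitchName  = 'vSwitch'
$GuestVm     = 'GuestVM'    # hypothetical guest to place in VLAN 1
# Management-OS vNIC name -> access VLAN ID (the asker's LAN and IoT VLANs)
$HostVlans   = [ordered]@{ 'VLAN1' = 1; 'VLAN2' = 2 }

# The physical NIC must be back at defaults: stop if vendor VLAN
# sub-interfaces ("... - VLAN : VLAN1") are still present.
$leftover = Get-NetAdapter | Where-Object InterfaceDescription -like '* - VLAN : *'
if ($leftover) {
    throw "Remove these VLAN interfaces first: $($leftover.Name -join ', ')"
}

# One external switch on the untagged physical adapter, no automatic host vNIC.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $PhysicalNic -AllowManagementOS $false | Out-Null
}

# One management-OS vNIC per VLAN where the host needs its own L3 endpoint.
foreach ($name in $HostVlans.Keys) {
    if (-not (Get-VMNetworkAdapter -ManagementOS -Name $name -SwitchName $SwitchName -ErrorAction SilentlyContinue)) {
        # -SwitchName attaches the vNIC to this switch only.
        Add-VMNetworkAdapter -ManagementOS -Name $name -SwitchName $SwitchName
    }
    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $name -Access -VlanId $HostVlans[$name]
}

# Guests need no host vNIC in their VLAN; tag the guest's own adapter.
if (Get-VM -Name $GuestVm -ErrorAction SilentlyContinue) {
    Set-VMNetworkAdapterVlan -VMName $GuestVm -Access -VlanId 1
}

# Check: every host vNIC should report Access mode with the intended VLAN ID.
Get-VMNetworkAdapterVlan -ManagementOS |
    Format-Table ParentAdapter, OperationMode, AccessVlanId -AutoSize
```

IP settings still have to be assigned to each resulting `vEthernet (...)` adapter, as the answer notes.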

All replies

  • Not clear what you're trying to do but when you create a new external vSwitch the internet protocols are removed from the adapter and the Hyper-V Extensible Switch protocol is added turning that physical port into a multi-port virtual switch. Connect your VMs to this switch.

    https://blogs.technet.microsoft.com/jhoward/2008/06/17/hyper-v-what-are-the-uses-for-different-types-of-virtual-networks/

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Sunday, June 23, 2019 4:49 PM
  • Before doing anything with hyper-v I have 1 physical nic with 2 VLANs.  

    VLAN 1 = My LAN with Internet access
    VLAN 2 = IoT VLAN with no Internet

    If I look at my network adapters I see the following 3 items. 

    Intel(R) I211 Gigabit Network Connection
    Intel(R) I211 Gigabit Network Connection - VLAN : VLAN1
    Intel(R) I211 Gigabit Network Connection - VLAN : VLAN2

    This is all working properly.

    Now the task I would like to do is add an external vSwitch and bridge that to the VLAN1 interface above.  The hyper-v GUI just spits an error whenever I attempt to do this.

    Just for kicks I removed the 2 VLANs and went back to having my IPv4 stack applied to the physical NIC.  When I do this I'm able to add the external vSwitch to the physical NIC.

    Sunday, June 23, 2019 7:43 PM
  • Maybe this one helps.

    https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/configure-virtual-local-areal-networks-for-hyper-v

    (please don't forget to mark helpful replies as answer)

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Sunday, June 23, 2019 8:29 PM
    1. You should open the Hyper-V manager and open the Virtual Switch Manager.
    2. Create a new virtual switch
    3. Give it a name and select the type (external network)
    4. Select the network adapter you want to use for this and check the box "Allow management operating system to share this network adapter" box.
    5. Check the "Enable virtual LAN identification for management operating system" box and specify the VLAN you want to use.

    That should work.


    If it does not, what is the exact error you get?
    Sunday, June 23, 2019 9:06 PM
  • Hello MrPaulAR,

    Just wanted to check if your question has been answered? If so please mark the replies as an answer.

    Best regards,

    Malcolm

    Monday, June 24, 2019 9:29 PM
  • Before doing anything with hyper-v I have 1 physical nic with 2 VLANs.  

    VLAN 1 = My LAN with Internet access
    VLAN 2 = IoT VLAN with no Internet

    If I look at my network adapters I see the following 3 items. 

    Intel(R) I211 Gigabit Network Connection
    Intel(R) I211 Gigabit Network Connection - VLAN : VLAN1
    Intel(R) I211 Gigabit Network Connection - VLAN : VLAN2

    If it allowed you to place a virtual switch on this, it would result in undefined behavior. Who processes the VLAN tags inbound? Who processes them outbound? What if you specifically placed a virtual adapter in VLAN 1 or VLAN 2 on a virtual switch assigned to either of the tagged interfaces?

    Leave the physical adapter untagged. Set VLAN IDs on the virtual adapters. Allow the virtual switch to process the tags. That's how it's designed and is the only supported configuration.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.

    Tuesday, June 25, 2019 2:17 AM
  • Does that imply that I cannot use VLAN:1 tagged with a L3 interface on the host OS (Win10) as well as shared with hyper-v guests?

    Sorry but I'm a network guy and I'm stuck in the physical switch world where vlan manipulation happens on the physical port where I can pop the tag and have members of that vlan still appear untagged.

    Tuesday, June 25, 2019 9:15 PM
  • When you create a new external vSwitch the internet protocols are removed from the physical adapter and the Hyper-V Extensible Switch protocol is added turning that physical port into a multi-port virtual switch. If you checked the box for Allow management operating system to share this network adapter then a new vEthernet virtual network adapter is created that has internet protocols bound to it and is also connected to the external vSwitch. So as Eric says leave the physical adapter properties alone.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, June 25, 2019 9:23 PM
  • Once you assign a virtual switch to a physical adapter, that's the only thing that it can ever do. If you try to make it perform double-duty or more, then something will break. Either it will explicitly fail as happened to you, or it will pretend to succeed and then sabotage you. No "sharing" of anything happens. If you create logical adapters in specific VLANs and then try to stick a virtual switch on one of them, then that's sort of like plugging an uplink port from an 802.1q switch into an access port on another and then plugging that switch into your physical switch. It's hard to say what it will do, but I don't think it's what you want.

    You CAN connect an adapter to any VLAN in both the host operating system and in all of the guests. But, you do that with virtual adapters ONLY in both the host operating system and in all of the guests. L3 information is ONLY set on a virtual adapter. Once the virtual switch protocol has bound to a physical adapter, tinkering with any L3 protocols on it will only break it. 

    If you are a raw newcomer to the Hyper-V virtual switch, then I have already written a couple of articles just for that.

    Short version: https://www.altaro.com/hyper-v/simple-guide-hyper-v-networking/

    Long version: https://www.altaro.com/hyper-v/the-hyper-v-virtual-switch-explained-part-1/

    How-tos: https://www.altaro.com/hyper-v/complete-guide-hyper-v-networking/


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.

    Tuesday, June 25, 2019 10:04 PM
  • Quite good articles. I'll validate this when I get home.

    As I continue to digest this it looks like the vSwitch handles VLANs automatically.  If I want to have the host have a L3 interface on 2 VLANs how would I accomplish that when the article indicates I only need to create one vSwitch for all VLANs?

    Also, since I'm using tagging on VLAN 1 on the physical NIC I'm guessing that also implies that I need to enable tagging on all guest VMs. If that is a correct assumption then I'll make that change.  

    Is it possible to have this topology?

    1 Physical NIC
    VLAN 1 (tagged or untagged on the physical wire) vSwitch shared with host OS & all guests
    VLAN 2 (tagged) only used by host os

    Wednesday, June 26, 2019 1:05 PM
  • This is fantastic.  I'll vet it tonight and then give you the deserved internet points / credit for this solution.

    When I said sharing I meant the L2 broadcast domain for "VLAN 1" not the L3 IP address allowing the host OS and VMs to be on the same subnet.  This is what you defined in your article and commands above so I should be good.

    Wednesday, June 26, 2019 2:54 PM
  • When I said sharing I meant the L2 broadcast domain for "VLAN 1" not the L3 IP address allowing the host OS and VMs to be on the same subnet.

    Yep, I figured that you didn't mean sharing the L3. Where the Hyper-V virtual switch sends people sideways A LOT is that they create virtual adapters in the management OS for specific VLANs when they don't need one. I have made that mistake and people a lot smarter than me have made that mistake, so I always try to go a couple of extra steps to make it clear. I think that we've all been trained by physical switch manufacturers and other hypervisor vendors to feel that we have to do something to make a VLAN available to VMs. But, we don't. It just works.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.

    Wednesday, June 26, 2019 3:21 PM
  • Worked like a charm.  I did get some errors when creating the vNICs but as far as I can tell everything is working fine.  At least on the host OS side of things.

    PS C:\WINDOWS\system32> Add-VMNetworkAdapter -ManagementOS -Name 'vSwitch_VLAN_1'
    Add-VMNetworkAdapter : Failed while adding virtual Ethernet switch connections.
    The automatic Internet Connection Sharing switch cannot be modified.
    At line:1 char:1
    + Add-VMNetworkAdapter -ManagementOS -Name 'vSwitch_VLAN_1'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Add-VMNetworkAdapter], VirtualizationException
        + FullyQualifiedErrorId : InvalidParameter,Microsoft.HyperV.PowerShell.Commands.AddVMNetworkAdapter

    Wednesday, June 26, 2019 5:27 PM