On Hyper-V machine, multiple VLAN trunked, with one NIC. [Solved]

  • Question


  • I am trying to have one Hyper-V VM in two VLANs, with only one network card, trunked on the link going to the switch.

    I have one Cisco switch. Here is its config:

    interface FastEthernet0/1
     switchport mode trunk
    !
    interface FastEthernet0/8
     switchport access vlan 2
     switchport mode access
    !
    interface FastEthernet0/9
     switchport access vlan 3
     switchport mode access
    !
    interface FastEthernet0/10
     switchport access vlan 240
     switchport mode access

    I have a physical machine (named PC1) (Win 10 Pro) plugged into port fa0/1. This machine runs Hyper-V. In Hyper-V, I have a VM named "my_vm".

    In Hyper-V, I've done:

    Get-VMNetworkAdapter -VMName my_vm | Where-Object -Property MacAddress -eq "0000006CA095" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "2-3" -NativeVlanId 240

    MAC address seems to be good. I've verified and obtained:

    PS C:\> Get-VMNetworkAdapterVlan

    VMName           VMNetworkAdapterName Mode     VlanList
    ------           -------------------- ----     --------
    my_vm            Carte réseau         Trunk    240,2-3


    I have another physical machine (named PC2).

    "my_vm" and PC2 are on the same IPv4 network (192.168.0.1/24 and 192.168.0.2/24).

    "my_vm" is always plugged into port fa0/1 on the switch.

    When I plug PC2 into port fa0/10 (access mode, VLAN 240): "my_vm" and PC2 can ping each other.

    When I plug PC2 into port fa0/8 (access mode, VLAN 2) or port fa0/9 (access mode, VLAN 3): "my_vm" and PC2 can't ping each other.

    Hyper-V VM "my_vm" can be Win 10 Pro or Debian; the result is the same.

    On physical machine PC1, I have two physical NICs (Intel I219V and TP-Link TG-3468, a Realtek in fact): the result is the same. "Priority and VLAN" is "Enabled" on these two NICs.


    The tag seems to be good when arriving on the VM: if I DON'T use

    "Get-VMNetworkAdapter -VMName my_vm | Where-Object -Property MacAddress -eq "0000006CA095" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "2-3" -NativeVlanId 240"

    and, for VM "my_VM", for its network card (an external switch bound to the NIC in fact), if I set "Activate virtual LAN identification" > VLAN 2, "my_vm" and PC2 plugged into port fa0/8 (VLAN 2 - access) can ping each other.

    If I set "Activate virtual LAN identification" > VLAN 3, "my_vm" and PC2 plugged into port fa0/9 (VLAN 3 - access) can ping each other.

    I don't know how to move forward.

    Thanks for all.

    Best regards.

    • Edited by Boucherle Friday, July 5, 2019 8:18 AM
    Thursday, June 13, 2019 2:40 PM

All replies

  • This is not the proper approach to give a VM an endpoint presence in multiple VLANs. Trunking into a VM is ONLY useful if it contains software that can operate on tagged Ethernet frames, which is rare. The standard configuration of the networking stacks in Windows and Ubuntu will drop tagged frames as malformed. What you have now is exactly the same thing that you would have if you directly plugged a physical installation into a trunked physical switchport.

    The VM needs one vNIC per VLAN that you want it to have presence in. Each vNIC needs to be configured in access mode for its respective VLAN. The physical switchport used by the physical adapter that hosts the virtual switch must be configured in trunk mode with the necessary VLANs allowed. You should avoid native VLANs, but if you insist on using them, then you must leave any vNICs for that VLAN in untagged mode.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.

    Thursday, June 13, 2019 7:47 PM
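The approach in this answer, one access-mode vNIC per VLAN, expressed in PowerShell as an added example (not code from the thread or from the answerer): it assumes the VM name my_vm and VLANs 2 and 3 from the question, and a hypothetical external virtual switch named ext-switch.

```powershell
# Added example: one vNIC per VLAN, each in access mode, so the guest never sees 802.1Q tags.
# Assumptions: VM "my_vm" and VLANs 2/3 come from the question; switch name "ext-switch" is hypothetical.
$vmName     = "my_vm"
$switchName = "ext-switch"
$vlanByNic  = [ordered]@{ "vNIC-VLAN2" = 2; "vNIC-VLAN3" = 3 }

foreach ($entry in $vlanByNic.GetEnumerator()) {
    $nicName = $entry.Key
    $vlanId  = $entry.Value

    # Re-runnable: only add the adapter if one with this name does not exist yet.
    $nic = Get-VMNetworkAdapter -VMName $vmName -Name $nicName -ErrorAction SilentlyContinue
    if (-not $nic) {
        $nic = Add-VMNetworkAdapter -VMName $vmName -SwitchName $switchName -Name $nicName -Passthru
    }

    # Access mode: the virtual switch adds the tag on egress and strips it on ingress,
    # so the guest OS sees plain untagged frames on this adapter.
    $nic | Set-VMNetworkAdapterVlan -Access -VlanId $vlanId
}

# Verification: each adapter should report Access mode with its own VLAN id, and nothing in Trunk mode.
Get-VMNetworkAdapterVlan -VMName $vmName |
    Select-Object VMName, VMNetworkAdapterName, OperationMode, AccessVlanId |
    Format-Table -AutoSize
```

The physical switchport behind ext-switch still has to be a trunk carrying VLANs 2 and 3, as the answer says; this script only handles the Hyper-V side.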
  • Thanks for your quick and complete answer. I appreciate a lot your explanations of the main principles.

    You wrote "The VM needs one vNIC per VLAN that you want it to have presence in.".

    Does it mean: if I need 2 VLANs:

     - the VM will have two vNICs, and so two network cards in its OS,

     - so the VM will inevitably have two IPv4 addresses in two different IPv4 networks, or is it possible to have the two IPv4 addresses in the same IPv4 network?

    Thanks for all.

    Best regards.

    Thursday, June 13, 2019 8:21 PM
  • Correct on point 1.

    If you have two IPs in the same subnet but on adapters in different VLANs, you will have lots of problems. But, the technology will allow it.


    Eric Siron
    Altaro Hyper-V Blog

    Friday, June 14, 2019 2:26 AM
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, June 17, 2019 3:55 AM
  • Hi,

    You could mark the useful reply as answer if you want to end this thread up.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Candy



    Tuesday, June 18, 2019 9:11 AM
  • Hi,

    Excuse me. I don't have a lot of time for this project. These last days, it was impossible for me to work on it. To work on this project, I hope to find one or two days, not next week, but in two weeks.

    I've read the answer, and it was very helpful. Excuse me for not having immediately answered that it was helpful.

    It has helped me to finish these tests successfully, but I'd like to make some additional tests.

    In a few days, I hope it will be finished. I'll then come back to you and try to explain the solution (try to explain because there are: real machines with real NICs, Hyper-V VMs and NICs in Hyper-V manager, NICs in the VM. It will be easy not to explain clearly). I hope it will however be understandable and useful for other people.

    Thanks for all, really.

    Best regards.

    Thursday, June 20, 2019 5:54 AM
  • Hi,

    I will wait for your good news.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Candy



    Thursday, June 20, 2019 7:07 AM
  • I hope I won't forget anything, and I'll try to be clear.

    The goal:
     - a Hyper-V virtual machine will have many VLANs on one virtual NIC, and this virtual NIC will be tagged,
     - this virtual NIC will be connected to a switch port. This port will carry multiple VLANs and will tag frames,
     - a PC in one VLAN will be able to ping that machine,
     - another PC in another VLAN will be able to ping that machine too.

    But for testing, I will use pfSense, and finally each VLAN will have a different IPv4 network.

    Here is the switch configuration:
     - port number 1 is in all VLAN and is tagged,
     - port number 10 is in VLAN 10 not tagged,
     - port number 11 is in VLAN 20 not tagged,
     - port number 12 is in VLAN 30 not tagged.

    For a CISCO switch:

    ---------------------------------------
    interface FastEthernet0/1
     switchport mode trunk
    !
    interface FastEthernet0/10
     switchport access vlan 10
     switchport mode access
    !
    interface FastEthernet0/11
     switchport access vlan 20
     switchport mode access
    !
    interface FastEthernet0/12
     switchport access vlan 30
     switchport mode access
    ---------------------------------------

    PC-1 is a real Windows 10 machine (or Linux, no problem):
     - one NIC,
     - 172.16.0.1/16.

    PC-2 is a real Windows 10 Pro machine:
     - one NIC,
     - named, in this document, "NIC-real-PC-2",
     - the physical NIC is able to manage VLANs,
     - in NIC properties, "Priority and VLAN" is "Enabled",
     - no VLAN set in the physical NIC,
     - plugged into switch port number one (trunk port).

    On PC-2, there is Hyper-V.

    In "Hyper-V manager", a virtual switch is set:
     - external switch,
     - named "ext-pc-2",
     - bound to "NIC-real-PC-2",
     - with a valid IPv4 address (no 169): 172.16.0.2/16,
     - nothing is set for VLAN.

    In Hyper-V, there is a virtual machine PC-3:
     - Win 10 Pro,
     - one virtual NIC,
     - named in this document "NIC-virt-PC-3",
     - bound to external switch "ext-pc-2".

    When virtual machine PC-3 is running, it has one NIC:
     - named "NIC-OS-PC-3",
     - IPv4: 172.16.0.3/16,
     - no IPv6,
     - firewall deactivated.

    On PC-2, launch PowerShell in administrative mode.

    We will now activate trunk mode on a virtual machine NIC (not on a switch, but on a NIC). The trunk will accept VLANs number 10 to number 20. The native VLAN will be number 30.

    Launch the command below, all on one line:

    Get-VMNetworkAdapter -VMName PC-3 | Where-Object -Property MacAddress -eq "00000000AB01" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "10-20" -NativeVlanId 30

     - pc-3 is the name of the virtual machine in Hyper-V manager,
     - 00000000AB01 is the MAC address of NIC-virt-PC-3 (the NIC of the virtual machine pc-3),
     - 10-20: this NIC will accept VLANs from number 10 to number 20,
     - 30: the native VLAN will be number 30. This number MUST be outside the "10-20" range.

    No error occurs.

    You can see the result with:
    Get-VMNetworkAdapterVlan

    VMName               VMNetworkAdapterName Mode     VlanList
    ------               -------------------- ----     --------
    PC-3                 Nerwork Card         Trunk    30,10-20


    All is ready. We will test!

    Plug the real machine into switch port number 1. Start real machine PC-2. Launch virtual machine PC-3.

    Plug real machine PC-1 into switch port number 12 (VLAN 30).
    Try to ping PC-3: ping 172.16.0.3.
    IT WORKS!!!!!!

    Plug real machine PC-1 into switch port number 10 (VLAN 10).
    Try to ping PC-3: ping 172.16.0.3.
    It WON'T work...

    Plug real machine PC-1 into switch port number 11 (VLAN 20).
    Try to ping PC-3: ping 172.16.0.3.
    It WON'T work...

    If PC-1 is on VLAN 30 (native VLAN), it works!
    But if PC-1 is on VLAN 10 or 20 (trunked VLAN), it doesn't work!

    Strange, weird.

    Stop PC-3.

    Create a new virtual machine PC-pfsense with pfSense, with the same properties as PC-3:
     - three virtual NICs,
     - one NIC (for pfSense LAN) bound to external switch "ext-pc-2",
     - one NIC (for pfSense DMZ) bound to internal switch "int-pc-DMZ".

    Start PC-pfsense and set IPv4:
     - NIC LAN: 172.16.0.4/16
     - NIC DMZ: 192.168.0.1/24
     - Create a firewall rule on NIC LAN: "ALL" is allowed.
     - Create a firewall rule on NIC DMZ: "ALL" is allowed.

    Create another virtual machine PC-DMZ, Windows 10 Pro (or Linux):
     - one virtual NIC,
     - bound to internal switch "int-pc-DMZ".

    Start PC-DMZ and set IPv4:
     - NIC: 192.168.0.2/24
     - verify you are able to connect, with a web browser, to pfSense and manage it.

    On the real machine, in administrative mode, with PowerShell, launch the command below, all on one line:

    Get-VMNetworkAdapter -VMName PC-pfsense | Where-Object -Property MacAddress -eq "00000000AB02" | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "10-20" -NativeVlanId 30

     - pc-pfsense is the name of the virtual machine in Hyper-V manager,
     - 00000000AB02 is the MAC address of NIC-LAN (the LAN NIC of the virtual machine pc-pfsense),
     - 10-20: this NIC will accept VLANs from number 10 to number 20,
     - 30: the native VLAN will be number 30.

    No error occurs.

    You can see the result with:
    Get-VMNetworkAdapterVlan

    VMName               VMNetworkAdapterName Mode     VlanList
    ------               -------------------- ----     --------
    PC-pfsense           Nerwork Card         Untagged
    PC-pfsense           Nerwork Card         Trunk    30,10-20
    PC-pfsense           Nerwork Card         Untagged

    PC-pfsense has three NICs, so we see three NICs. But only one NIC (LAN) will be tagged.


    On PC-DMZ, configure VLANs for PC-pfsense:
     - Interfaces > Assignments > VLANs >
       + Add > Parent Interface: "LAN" > VLAN Tag: "10" > VLAN Priority: "0" > Description: "VLAN-10" > Save.
       + Add > Parent Interface: "LAN" > VLAN Tag: "20" > VLAN Priority: "0" > Description: "VLAN-20" > Save.

     - then Interfaces > Assignments >
       Available network ports: on the line "VLAN-10" > "+Add" >
       Available network ports: on the line "VLAN-20" > "+Add" >
       Save.

    Then: Interfaces > Assignments >
    Click on the word "OPT2" ("VLAN-10") >
    - General Configuration > Check the box "Enabled" > Description = "VLAN_10" > IPv4 Configuration Type: "Static IPv4" > IPv6 Configuration Type: "None" > Mac address: nothing > MTU = nothing > MSS = nothing > Speed & duplex: "Default" >

    - Static IPv4 configuration > IPv4 Address: "172.17.0.4/8" (seventeen) > IPv4 Upstream gateway = None >

    Remember that LAN NIC IPv4 is 172.16.0.4/16 (sixteen). Here, NIC for VLAN 10 will be in an other IPv4 network.

    - Reserved Networks > Block private networks: not checked > Block bogon networks: not checked

    - Save.
    - Apply Changes.


    Click on the word "OPT3" ("VLAN-20") >
    - General Configuration > Check the box "Enabled" > Description = "VLAN_20" > IPv4 Configuration Type: "Static IPv4" > IPv6 Configuration Type: "None" > Mac address: nothing > MTU = nothing > MSS = nothing > Speed & duplex: "Default" >

    - Static IPv4 configuration > IPv4 Address: "172.18.0.4/8" (eighteen) > IPv4 Upstream gateway = None >

    - Reserved Networks > Block private networks: not checked > Block bogon networks: not checked

    - Save.
    - Apply Changes.

    If you want, you can now create a DHCP server for each VLAN NIC VLAN_10 and VLAN_20: Services > DHCP Server.

    Create a firewall rule on NIC VLAN_10: "ALL" is allowed.
    Create a firewall rule on NIC VLAN_20: "ALL" is allowed.

    Verify the LAN NIC uses external switch ext-pc-2. Verify that NIC-real-PC-2 is plugged into switch port number one (trunk).

    Open a session on PC-1.

    Set IPv4 to 172.16.0.20/16. Plug PC-1 into switch port number 12 (VLAN 30), and try to ping NIC LAN 172.16.0.4: it will work.

    Now, set IPv4 to 172.17.0.20/16. Plug PC-1 into switch port number 10 (VLAN 10), and try to ping NIC VLAN 10 172.17.0.4: it will work.

    Now, set IPv4 to 172.18.0.20/16. Plug PC-1 into switch port number 11 (VLAN 20), and try to ping NIC VLAN 20 172.18.0.4: it will work.

    There is probably a much easier way to do this, but it's working.

    Friday, July 5, 2019 8:04 AM
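A trunked vNIC such as the pfSense LAN adapter above receives frames from every VLAN in its allowed list plus the native VLAN, so it is worth knowing which guests on a host hold one. The following audit is an added example, not code from the thread; it assumes the Hyper-V PowerShell module and the VMNetworkAdapterVlanSetting property names OperationMode, NativeVlanId and AllowedVlanIdList.

```powershell
# Added example (not from the thread): audit trunked vNICs on a Hyper-V host.
# A trunked adapter spans several VLANs, so each one should belong to a guest that is meant
# to handle tagged frames (here, the pfSense VM) and nothing else.
# Assumed property names: OperationMode, NativeVlanId, AllowedVlanIdList (VMNetworkAdapterVlanSetting).
function Get-TrunkedVMNic {
    param(
        # VMs that are allowed to hold a trunk; anything else is reported as unexpected.
        [string[]] $ApprovedVM = @()
    )
    Get-VM | Get-VMNetworkAdapter | Get-VMNetworkAdapterVlan |
        Where-Object { $_.OperationMode -eq 'Trunk' } |
        ForEach-Object {
            $allowed = @($_.AllowedVlanIdList)
            [pscustomobject]@{
                VM            = $_.VMName
                Adapter       = $_.VMNetworkAdapterName
                NativeVlan    = $_.NativeVlanId
                AllowedVlans  = ($allowed -join ',')
                VlanSpan      = $allowed.Count + 1          # allowed VLANs plus the native one
                # The thread notes the native VLAN must lie outside the allowed range.
                NativeInRange = [bool]($allowed -contains $_.NativeVlanId)
                Approved      = [bool]($ApprovedVM -contains $_.VMName)
            }
        }
}

# Usage: report any trunk that is not on the pfSense VM or has a native VLAN inside its allowed range.
Get-TrunkedVMNic -ApprovedVM 'PC-pfsense' |
    Where-Object { -not $_.Approved -or $_.NativeInRange } |
    Format-Table -AutoSize
```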