Network isolation using PVLANs in HyperV 3.0

With PVLANs (private VLANs), we can overcome some of the scalability limitations of VLANs by creating sub-VLANs within a VLAN. This lets us partition the broadcast domain and segregate the VMs' traffic from each other, which provides isolation at Layer 2. Hyper-V 3.0 ships with the Hyper-V Extensible Switch, a Layer 2 switch that supports PVLANs among many other features.

A PVLAN is configured at the port level, and each port is in one of the three modes below:

        • Promiscuous Mode (P): Communicates with all ports in the PVLAN
          (usually this port connects to a router, firewall, or gateway)
        • Isolated Mode (I): Communicates only with Promiscuous (P) ports in the PVLAN
          (usually connects to hosts)
        • Community Mode (C): Communicates with ports in the same community and with any Promiscuous (P) ports in the PVLAN

Well, it is confusing, but a picture is worth a thousand words 🙂 The port modes and the communication allowed between them can be seen below:


Ref: Picture (Philip Meyer – TechED 2012 slides)

If you want to build a demo, you can use the cmdlets below. (If you are limited on VMs, you can change their mode to try different scenarios, and ping between the VMs to see the results.)

Set-VMNetworkAdapterVlan -VMName PurpleVM1 -Isolated -PrimaryVlanId 2 -SecondaryVlanId 4
Set-VMNetworkAdapterVlan -VMName BlueVM1 -Promiscuous -PrimaryVlanId 2 -SecondaryVlanIdList 4-5
Set-VMNetworkAdapterVlan -VMName OrangeVM1 -Community -PrimaryVlanId 2 -SecondaryVlanId 5
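The script below is an added example, not code from the original post. It puts the three cmdlets above into a declarative layout so the demo can be applied, read back with Get-VMNetworkAdapterVlan, and reset to untagged in one place, and it adds a small pure function that models the three port-mode rules from the list above so you can predict which pings should succeed before touching a host. It assumes Hyper-V 3.0 (Windows Server 2012) with the Hyper-V PowerShell module loaded, and VMs named PurpleVM1, BlueVM1 and OrangeVM1 attached to the same virtual switch; the VM names and VLAN numbers are the post's, everything else is constructed for the example.

```powershell
# Added example (not from the original post). Assumes the Hyper-V module and
# three VMs named as in the post on one vSwitch.

# Desired layout, mirroring the post: primary VLAN 2, secondary 4 = isolated,
# secondary 5 = community, BlueVM1 is the gateway-style promiscuous port that
# sees both secondaries.
$Layout = @(
    @{ VMName = 'PurpleVM1'; Mode = 'Isolated';    Primary = 2; Secondary = 4 }
    @{ VMName = 'OrangeVM1'; Mode = 'Community';   Primary = 2; Secondary = 5 }
    @{ VMName = 'BlueVM1';   Mode = 'Promiscuous'; Primary = 2; SecondaryList = '4-5' }
)

# Expand a SecondaryVlanIdList string such as '4-5' or '4,7-9' into integers.
function Expand-VlanRange {
    param([Parameter(Mandatory)] [string] $Range)
    foreach ($part in $Range -split ',') {
        if ($part -match '^(\d+)-(\d+)$') { [int]$Matches[1]..[int]$Matches[2] }
        else { [int]$part }
    }
}

# Pure model of the rules in the post; no Hyper-V calls, so it runs anywhere.
function Test-PvlanReachability {
    param([Parameter(Mandatory)] $A, [Parameter(Mandatory)] $B)
    # Different primary VLAN: different broadcast domain, never reachable.
    if ($A.Primary -ne $B.Primary) { return $false }
    # Promiscuous ports reach every secondary VLAN in their list.
    foreach ($pair in @(@($A, $B), @($B, $A))) {
        $p, $q = $pair
        if ($p.Mode -eq 'Promiscuous') {
            if ($q.Mode -eq 'Promiscuous') { return $true }
            return ((Expand-VlanRange $p.SecondaryList) -contains $q.Secondary)
        }
    }
    # Community ports reach each other only within the same community.
    if ($A.Mode -eq 'Community' -and $B.Mode -eq 'Community') {
        return ($A.Secondary -eq $B.Secondary)
    }
    # Isolated ports never reach other isolated or community ports,
    # even when they share the same secondary VLAN id.
    return $false
}

# Apply the layout with the same cmdlet switches as in the post.
function Set-PvlanLayout {
    param([Parameter(Mandatory)] [object[]] $Layout)
    foreach ($p in $Layout) {
        switch ($p.Mode) {
            'Isolated'    { Set-VMNetworkAdapterVlan -VMName $p.VMName -Isolated    -PrimaryVlanId $p.Primary -SecondaryVlanId $p.Secondary }
            'Community'   { Set-VMNetworkAdapterVlan -VMName $p.VMName -Community   -PrimaryVlanId $p.Primary -SecondaryVlanId $p.Secondary }
            'Promiscuous' { Set-VMNetworkAdapterVlan -VMName $p.VMName -Promiscuous -PrimaryVlanId $p.Primary -SecondaryVlanIdList $p.SecondaryList }
        }
    }
}

# Read back what the switch actually applied (OperationMode should be Private).
function Get-PvlanLayout {
    param([Parameter(Mandatory)] [object[]] $Layout)
    foreach ($p in $Layout) {
        Get-VMNetworkAdapterVlan -VMName $p.VMName |
            Select-Object @{ n = 'VMName'; e = { $p.VMName } },
                          OperationMode, PrivateVlanMode, PrimaryVlanId,
                          SecondaryVlanId, SecondaryVlanIdList
    }
}

# Put every adapter back to untagged, i.e. the "set it back" step of the post.
function Reset-PvlanLayout {
    param([Parameter(Mandatory)] [object[]] $Layout)
    foreach ($p in $Layout) { Set-VMNetworkAdapterVlan -VMName $p.VMName -Untagged }
}

# Predicted result of the ping tests, computed offline from the rules.
foreach ($a in $Layout) {
    foreach ($b in $Layout) {
        if ($a.VMName -lt $b.VMName) {
            $ok = Test-PvlanReachability $a $b
            '{0,-10} <-> {1,-10} : {2}' -f $a.VMName, $b.VMName, $(if ($ok) { 'reachable' } else { 'blocked' })
        }
    }
}

# On a Hyper-V host: Set-PvlanLayout $Layout; Get-PvlanLayout $Layout | Format-Table
# and, when done, Reset-PvlanLayout $Layout
```

With the post's layout the model predicts that BlueVM1 reaches both other VMs while PurpleVM1 and OrangeVM1 cannot reach each other, which is the result the ping tests should confirm. A second isolated VM placed in secondary VLAN 4 would still be blocked from PurpleVM1; a second community VM in secondary VLAN 5 would reach OrangeVM1. That is the check worth doing on a real host before relying on the PVLAN for tenant separation: the switch enforces the mode per port, so a port accidentally left in community or promiscuous mode silently widens who can talk to whom.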


Before and after Get-VMNetworkAdapterVlan / Set-VMNetworkAdapterVlan:

To set it back, use Set-VMNetworkAdapterVlan with -Untagged. (By the way, you may see your mode listed as "Access". I was using Ubuntu guests without Integration Services, and I think that is why mine was listed as untagged.)

Bulent Tolu


Sr. Systems Engineer at VMware
Bulent is an IT professional with a Master's in MIS and 10 years of experience in a broad range of information technologies. He has worked on the engineering/architecting, implementation/integration, and administration of various highly available IT systems and infrastructure. He has a passion for continually researching, testing and evaluating new technologies and following industry best practices to secure and optimize IT systems. Currently, he lives in Istanbul and works as a Sr. Systems Engineer at VMware.

One Thought on “Network isolation using PVLANs in HyperV 3.0”

  1. Jacob on 21 August 2013 at 07:03 said:

    Question…. What happens if you have physical servers that are in the same primary VLAN but not part of PVLAN can they still talk with each other?
