Network isolation using PVLANs in HyperV 3.0

Network isolation using PVLANs in HyperV 3.0

imageWith PVLANs, we can overcome some of the scalability limitations of VLANs by creating (sub) VLANs within VLANs. This allows us to partition broadcast domain, segregate the VMs traffic from each other hence providing security. The segmentation happens on Layer 2. Hyperv 3.0 comes with HyperV Extensible Layer 2 switch which supports PVLANs and many more features.

PVLANs is configured on the port level and can be one of the three modes below:

        • Promiscuous Mode (P): Communicates with all ports in the PVLAN
          (Usually this port connects to router, firewall, or a gateway)
        • Isolated Mode (I): Communicates only with Promiscuous (P) ports in the PVLAN
          (usually connects to hosts)
        • Community Mode (C): Communicates with ports in the same community and any promiscuous ports in the PVLAN
          Well, it is confusing but a picture is worth a thousand words 🙂 Port modes and the communications between them can be seen below:


Ref: Picture (Philip Meyer – TechED 2012 slides)

If you want to create a demo, for example, you can use the cmdlets below: (if you are limited on the VMs, you can change their mode to see different scenarios. You can ping among the VMs to see the results…

Set-VMNetworkAdapterVlan -vmname PurpleVM1 -Isolated -PrimaryVlanId 2 –SecondaryVlanId 4
Set-VMNetworkAdapterVlan -vmname BlueVM1-promiscious -PrimaryVlanId 2 –SecondaryVlanIdList 4-5
Set-VMNetworkAdapterVlan -vmname OrangeVM1 -Community -PrimaryVlanId 2 -SecondaryVlanId 5


Before and after get/set VMNetworkAdapterVlan:



to set it back: (btw, you may see your mode as “access”. I had Ubuntu guests to play with and with no Integration so I think that is the reason why it is listed as untagged)


Bulent Tolu

Response to "Network isolation using PVLANs in HyperV 3.0"

  • Question…. What happens if you have physical servers that are in the same primary VLAN but not part of PVLAN can they still talk with each other?

  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Translate »