nested virtualization VLAN problem

MarkosP 81 Reputation points
2021-01-08T13:29:20.273+00:00

Hi. I have a following setup:

  • physical Hyper-V Server 2019 server with a pNIC connected to a physical switch. There's a SET vSwitch in Hyper-V. The pNIC connects to a port on the pSwitch, which is configured in trunk mode with plenty of allowed VLANs and native VLAN 7. Virtual machines on this Hyper-V host work fine, connectivity is working as expected
  • there's a VM with nested virtualization enabled, it has Hyper-V Server 2019 installed and has a single vNIC connected to the vSwitch on the physical Hyper-V host, untagged, ie. no VLAN specified, MAC spoofing enabled.
  • inside the vHV host, there's a SET vSwitch created on top of the vNIC with a managementOS vNIC (untagged, i.e. connects to the native VLAN 7).

So far it works, the vHV host has connectivity to the management network (VLAN 7). Now when I create a VM on the vHV, connect it to the vSwitch and tag it with the correct VLAN (say 9 in this example), it has no connectivity to the specified VLAN. I guess this is expected, because the vNIC of the vHV on the pServer is untagged. So I thought this would be fixed by changing the vNIC of the vHV VM to trunk, with allowed VLANs 7 and 9 and native VLAN 7 (like this: (Get-VMNetworkAdapter -VMName 'vHV') | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "7,9" -NativeVlanId 7). However, this doesn't work and the managementOS vNIC inside the vHV loses connectivity. I've tried various things like also tagging the managementOS vNIC inside vHV (Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "Mgmt" -Access -VlanId 7), but couldn't figure out a way to make it work.

The only way I could make it work is:

  • add a 2nd vNIC to the vHV VM and then use 1 vNIC purely for management (replacement for the mgmtOS vNIC) - untagged, and the 2nd NIC purely for the VM connectivity (vSwitch, VMs with vNICs tagged with VLAN 9)
  • however the only way this works for me is also by configuring the vNIC of the vHV which is to be used for the vSwitch inside vHV like I previously mentioned ((Get-VMNetworkAdapter -VMName 'vHV')[0] | Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "7,9" -NativeVlanId 7), which is really odd to me, because basically I have to allow the native VLAN 7 on this port too)

Surely there must be a better way to make this work without that ugly workaround.
Any help is appreciated.


3 answers

  1. Mico Mi 1,936 Reputation points
    2021-01-11T06:27:35.157+00:00

    Hi,
    I found a similar thread and I hope it could help at your side:

    By default the Hyper-V NICs drop all VLAN tags coming from within the VM.
    To allow forwarding VLAN tagged packets use this PowerShell command on the physical host targeting the NICs of all your virtual hosts:
    Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "0-4093" -VMName "vHost1" -VMNetworkAdapterName "Vhost1Nic" -NativeVlanId 0
    This will set the vHost's NIC to trunk mode and allow passing through all VLANs (4093 is the highest accepted).
    You can also allow just specific VLANs using a list for AllowedVlanIdList (e.g. "3,8,234")

    Thanks for your time!
    Best Regards,
    Mico Mi

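The two outer-host settings that the question and the answer above rely on (MAC spoofing on the nested host's vNIC, and that vNIC in trunk mode), as an added PowerShell example that is not code from the thread. It scopes the trunk to an explicit VLAN list instead of "0-4093" and then audits the adapter, so a nested host is not quietly handed every VLAN on the uplink. The VM name 'vHV' and the VLAN set 7 (management) and 9 (workload) are taken from the question; the adapter name 'Network Adapter' (the Hyper-V default) and the function names are assumptions.

```powershell
# Added example (not from the thread). Run on the physical Hyper-V host.
# Assumed names, taken from the question: VM 'vHV', VLAN 7 = management, VLAN 9 = workload.
# The adapter name 'Network Adapter' is the Hyper-V default and is an assumption.

function Set-NestedHostUplinkVlan {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$AdapterName = 'Network Adapter',
        [Parameter(Mandatory)][int[]]$AllowedVlans,
        [int]$NativeVlan = 0
    )
    $nic = Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName

    # The nested switch forwards frames carrying its guests' MAC addresses; the outer
    # switch drops those unless MAC spoofing is enabled on this vNIC.
    $nic | Set-VMNetworkAdapter -MacAddressSpoofing On

    # Trunk only the VLANs the nested host needs. "0-4093" would give the nested
    # host (and anything that compromises it) a path onto every VLAN of the uplink.
    $nic | Set-VMNetworkAdapterVlan -Trunk `
        -AllowedVlanIdList ($AllowedVlans -join ',') `
        -NativeVlanId $NativeVlan
}

function Test-NestedHostUplinkVlan {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$AdapterName = 'Network Adapter',
        [Parameter(Mandatory)][int[]]$ExpectedVlans
    )
    $nic  = Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName
    $vlan = $nic | Get-VMNetworkAdapterVlan
    $allowed  = @($vlan.AllowedVlanIdList | ForEach-Object { [int]$_ } | Sort-Object)
    $findings = @()

    if ($nic.MacAddressSpoofing -ne 'On') {
        $findings += 'MAC spoofing is off; VMs behind the nested switch will get no traffic'
    }
    if ($vlan.OperationMode -ne 'Trunk') {
        $findings += "Adapter is in $($vlan.OperationMode) mode, not Trunk"
    }
    $extra   = @($allowed | Where-Object { $_ -notin $ExpectedVlans })
    $missing = @($ExpectedVlans | Where-Object { $_ -notin $allowed })
    if ($extra.Count)   { $findings += "Trunk exposes VLANs outside the expected set: $($extra -join ',')" }
    if ($missing.Count) { $findings += "Trunk is missing expected VLANs: $($missing -join ',')" }
    if ($vlan.NativeVlanId -ne 0 -and $vlan.NativeVlanId -notin $ExpectedVlans) {
        $findings += "Native VLAN $($vlan.NativeVlanId) is not in the expected set"
    }

    [pscustomobject]@{
        VM         = $VMName
        Adapter    = $AdapterName
        Mode       = $vlan.OperationMode
        NativeVlan = $vlan.NativeVlanId
        Allowed    = ($allowed -join ',')
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage, matching the question's scenario (trunk 7 and 9, native 7):
Set-NestedHostUplinkVlan  -VMName 'vHV' -AllowedVlans 7,9 -NativeVlan 7
Test-NestedHostUplinkVlan -VMName 'vHV' -ExpectedVlans 7,9 | Format-List
```

The audit function is the part worth keeping around: run it against every VM that carries a nested switch, and a trunk that has drifted to a wide range or an unexpected native VLAN shows up as `Compliant = False` with the offending VLAN IDs listed.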


  2. MarkosP 81 Reputation points
    2021-01-14T12:55:14.91+00:00

    I've seen the thread you linked earlier before posting my question as it is similar, but doesn't really solve my problem.
    And I've already tried the suggested configuration, except I cannot use 0 as native VLAN, because it has to be VLAN 7.


  3. Eric Siron 1,586 Reputation points MVP
    2021-01-14T20:26:31.17+00:00

    I've read this a couple of times, so I think I understand what you've done, but please correct me in any place that I'm off.

    The physical switch to first tier virtual switch uses a native VLAN of 7 and all other allowed VLANs are tagged, right?
    Then the first tier virtual switch to the second tier virtual switch uses a native VLAN of 7 and allows VLANs 7 & 9, also right?
    vNICs attached to the second tier virtual switch tagged for VLAN 9 work, but VLAN 7 doesn't work, correct?

    I'm thinking that because the physical<->first tier connection has specified its native VLAN as 7 that the first<->second tier gets confused. If a frame comes into the physical switch tagged with VLAN 7, then it will untag it before it sends it to this vNIC, so it shows up as untagged, not as being in the native VLAN (7). I don't believe that I've ever tried changing around the native VLAN for a nested virtual switch so I'm not entirely sure of its behavior when passing frames between a trunked uplink and a trunked virtual port.

    What happens if you remove the native VLAN on the second tier and set the management adapter to untagged? What about removing the native VLAN and leaving the management adapter tagged in VLAN 7?
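The two management-adapter variants suggested in the answer above, as an added PowerShell example that is not part of the answer. Run inside the nested host, it applies each variant in turn, checks whether the default gateway is reachable, and restores the original setting. The management adapter name 'Mgmt' comes from the question; the gateway address 192.0.2.1 is a placeholder and the function names are assumptions. The companion change on the physical host (re-applying the trunk with -NativeVlanId 0, as in the first answer) is made there and is not part of this script.

```powershell
# Added example (not from the thread). Run inside the nested host 'vHV', from the
# VM console rather than over the network, since a variant may cut management access.
# The adapter name 'Mgmt' comes from the question; the gateway 192.0.2.1 is a placeholder.

function Test-MgmtAdapterVariant {
    param(
        [Parameter(Mandatory)][ValidateSet('Untagged', 'Access7')][string]$Variant,
        [string]$AdapterName = 'Mgmt',
        [string]$Gateway = '192.0.2.1',
        [int]$SettleSeconds = 5
    )
    switch ($Variant) {
        # Variant 1: management adapter untagged, so it uses whatever the uplink treats as native.
        'Untagged' { Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $AdapterName -Untagged }
        # Variant 2: management adapter explicitly tagged for VLAN 7.
        'Access7'  { Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $AdapterName -Access -VlanId 7 }
    }
    Start-Sleep -Seconds $SettleSeconds   # let the stack re-learn before probing

    $vlan = Get-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $AdapterName
    $ok   = Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Variant          = $Variant
        Mode             = $vlan.OperationMode
        AccessVlan       = $vlan.AccessVlanId
        GatewayReachable = [bool]$ok
    }
}

function Restore-MgmtAdapterVlan {
    param([Parameter(Mandatory)]$Saved, [string]$AdapterName = 'Mgmt')
    if ($Saved.OperationMode -eq 'Access') {
        Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $AdapterName -Access -VlanId $Saved.AccessVlanId
    } else {
        Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $AdapterName -Untagged
    }
}

# Record the current setting, try both variants, then put things back.
$saved   = Get-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Mgmt'
$results = foreach ($v in 'Untagged', 'Access7') { Test-MgmtAdapterVariant -Variant $v }
Restore-MgmtAdapterVlan -Saved $saved
$results | Format-Table -AutoSize
```

Run the whole script once with the outer trunk's native VLAN left at 7 and once after it has been set to 0 on the physical host; the two result tables show directly which combination of native VLAN and management tagging keeps the gateway reachable.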

