This is the fourth in a series of posts about my new dual-Xeon Citrix lab project. Before creating virtual machines within Hyper-V, it is worth spending some time to understand Hyper-V networking and options to achieve good server performance and resiliency.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
Microsoft Hyper-V is a Type 1 hypervisor that runs directly on the hardware of the host and shares its resources between multiple virtual machines. To configure your host and your virtual machines, you need a basic understanding of what’s going on at the network level. The way networking is configured can have a big impact on the performance and the resiliency of your infrastructure.
In this post we will review the basics of networking, the Hyper-V concepts (partitions, virtual switches, access/trunk mode, tagged/untagged). We will also spend some time working with PowerShell and Microsoft Hyper-V.
What is virtual networking?
Virtualization is not only reserved for servers; the same concept applies to switches, routers, etc. Virtual networks respect the same rules as regular networks and can be segmented into Local Area Networks (LANs) and Wide Area Networks (WANs), but also logically with Virtual Local Area Networks (vLANs).
The goal of network virtualization is mostly to reduce hardware costs and maintenance by using more of its capacity.
Fundamentals
Remember the fundamentals of networking?
- Layer 1 – Physical: Physical network adapter, switches, Ethernet cables, etc.
- Layer 2 – Data Link: Transfers data between WAN and LAN. Ethernet frame, MAC addresses, Virtual Switches, etc.
- Layer 3 – Network: Addressing, routing and traffic control. Routers, TCP/IP.
- Layer 4 – Transport: TCP/UDP, etc.
- Layer 5 – Session: RPC, etc.
- Layer 6 – Presentation: Data encoding/encryption/multiplexing, etc.
- Layer 7 – Application: HTTP, FTP, etc.
These layers are part of the Open Systems Interconnection (OSI) model. Microsoft Hyper-V works between Layers 1 and 4.
Lab Network design
Below is the network design of the lab.

As discussed in previous posts, the host has two physical network adapters, which is the minimum recommended by Microsoft for Hyper-V. In that case, it is best to dedicate one adapter to remote connections and one adapter to Hyper-V. This will offload the network traffic from the host to a different adapter, while network traffic related to the virtual machines flows through the dedicated adapter.

The physical network adapter called VM (192.168.1.10) will be dedicated to Hyper-V.
The physical network adapter called RDP (192.168.1.12) will be dedicated to remote connections.

On the physical network adapter assigned to remote connections, the Hyper-V Extensible Virtual Switch binding is disabled to ensure that Hyper-V does not use this adapter. It also improves performance by reducing overhead.
Note: Microsoft does not support wireless network adapters with Hyper-V.
Partitions
Running on top of the hypervisor, there are two different partitions.
Parent/Root
The host, the physical adapter associated with Hyper-V (VM) and the virtual switches are part of the Parent Partition. It hosts the Virtualization Stack and manages drivers, lifecycle, power management, etc. of the guest virtual machines.
Note: Only one parent partition per Hyper-V host.
Child/Guest
Virtual machines and their associated virtual network adapters are part of the child partitions. Each operating system resides on its own partition. To communicate with the physical network, the guest partition does not communicate directly with the physical network adapter, but passes through the virtual network adapter and the virtual switch, and finally ends up on the physical network adapter. Virtual network adapters are configured exactly as physical network adapters.
Note: Child partitions are unlimited.
Virtual Switches in Hyper-V
Switches are (with routers) the base of a network. They create interconnections with computers, servers, printers, etc. Virtual Switches are nothing more than software programs working at Layer 2 (OSI) that allow virtual machines to communicate with each other, serve as a link between the virtual network and the physical network, and allow multiple virtual machines to use the same physical network adapter. Virtual Switches have the same behavior as physical switches, except that you can add and remove ports whenever you want because everything is virtual.
Virtual Switches also keep a MAC table with the list of all MAC addresses from virtual machines connected to them.
Virtual switches are part of the parent partition.
The best practice is to have as few virtual switches as possible. For a small deployment or a small lab, one virtual switch should be enough.
Network isolation or offloading the traffic from the physical network adapter are valid reasons to have multiple virtual switches. Some virtual machines don’t need to communicate with the physical network and therefore don’t need to use the same virtual switch. That is the case in my lab because only the Netscalers (located in the DMZ) need to access the physical network. All my other servers will be located in a private network (LAN) and use the Netscalers as their gateway to go on the physical network or internet.
To achieve this, my Netscaler virtual machines will have two virtual network adapters bound to two different virtual switches. The first network adapter will be bound to the external virtual switch and the second network adapter will be bound to the private virtual switch. All the servers in the private network will be able to communicate with each other because they are connected to a common private virtual switch.
To create a new virtual switch, open Hyper-V Manager or virtmgmt.msc.

On the Actions panel on the right, select Virtual Switch Manager.

Select New virtual network switch on the left panel.

There are three options to isolate the traffic:
- External (less secure)
Communication is allowed between the virtual machines, the host, and the physical network (internet). It requires a dedicated physical network adapter on the host (one external virtual switch per physical network adapter). The physical network adapter becomes an “uplink” when assigned to an external virtual switch.
- Internal (secure)
Communication is only allowed between the virtual machines and the parent Hyper-V partition (Unlimited). VMs on the switch can communicate to each other, but additionally can communicate to the Hyper-V host itself.
- Private (highly secure)
Communication is only allowed between the virtual machines on the same host. They cannot communicate with the parent Hyper-V partition (Unlimited). The Private virtual switch cannot communicate to any network outside of the host, either.
As discussed previously, I need to create two virtual switches to allow:
- Communication between the Netscalers and the physical adapter -> external virtual switch
- Communication between the virtual machines -> private virtual switch
First, we will create the external virtual switch and the private virtual switch.
Add a new External Virtual Switch
The virtual switch is mapped to my physical network adapter dedicated for my virtual machines (DMZ). It will bridge my Internet connection.
Select External. Then select Create Virtual Switch.

The switch is connected to my physical NIC (VM).

The option Allow management operating system to share this network adapter is not ticked, in order to prevent the operating system from seeing the virtual switch. Ticking this option creates a virtual switch port for the management operating system and connects it to the external virtual switch.
On the network adapter, nothing is checked except Hyper-V Extensible Virtual Switch. It means that this network adapter is now an “uplink” and is now managed by Hyper-V.

Once the external virtual switch is created, there is absolutely nothing connected to the physical adapter except the virtual switch. There is no exception to this. Everything will go through the new virtual switch. Even if the parent partition can see the physical network adapter, it will communicate through the virtual switch.
Add a new Private Virtual Switch
To create the second virtual switch, select Private and Create Virtual Switch.

There is no configuration for this virtual switch.

The private virtual switch will simulate the LAN. Most of the servers in the lab will be connected to this network and won’t have access to the physical network.
To assign a virtual switch to a virtual machine, open Settings, then select Network Adapter and select the virtual switch in the drop down list.

If you need a virtual machine to be connected to multiple virtual networks (Netscalers in my lab), then you must simply create one or more additional virtual network adapters by using the Add Hardware option at the top of the Settings dialog box.

Modes and vLAN
It is possible to configure a virtual switch port in two modes: Access Mode or Trunk Mode. Both modes are related to Virtual LAN.
Virtual LAN
A Virtual LAN (implemented through software) is a logical group of devices that appear to be on the same LAN even if they are not in the same segment. The location of the devices does not matter if they are connected to a vLAN. This is not a new concept; it has been around for a long time on physical networks to avoid broadcast and congestion issues.
vLANs are isolated by nature, as it is not possible to jump from a vLAN to another vLAN.
The only physical requirement is to make sure that your hardware (switches, network adapters, etc) is compatible with vLANs. As expected, Microsoft has included vLAN support in its virtual switch implementation.
It is recommended to configure vLANs rather than adding more virtual switches in order to isolate the network traffic.
vLAN ID
Virtual LAN ID (vLAN ID) is a number (int) identifying the network which is encapsulated within the Ethernet frame. In Hyper-V, you can assign vLAN IDs to ports on the virtual switches. Virtual machines connected to ports with the same vLAN ID will share the same segment.
Access Mode
By default a virtual switch is configured in Access Mode with untagged vLANs configured on the ports.
Access Mode with Untagged Ports
When there is no vLAN specified on the virtual switch port (default configuration), the default configuration of Hyper-V is to mark the port as untagged. The port and the frames will be untagged.
Access Mode with Tagged Ports
If the port is configured with a specific vLAN, it becomes a member of that vLAN: the port is tagged with a vLAN ID, but the frames remain untagged. The virtual switch only allows communication between virtual machines connected to ports tagged with the same vLAN ID.
If there is something to remember in this section, it is that the frames will always remain untagged when the virtual switch port is configured in Access Mode, vLAN ID tagged or not.
To tag a vLAN ID on a virtual switch port, open Settings of the virtual machine.
Select Enable virtual LAN Identification and enter the vLAN ID.

This action will configure the port associated with the virtual machine on the virtual switch.
Before
Set-VMNetworkAdapterVlan <VMNAME> -Access -Untagged
After tagging the port
Set-VMNetworkAdapterVlan <VMNAME> -Access -VlanId 2
Below is the detailed configuration. You can see that the vLAN ID associated with the virtual machine port on the virtual switch is vLAN ID 2.

The limitation of this configuration is that you can only assign one vLAN ID to a port on the virtual switch. To be able to assign more than one vLAN ID, you need to configure the port in Trunk Mode.
Trunk Mode
Trunk Mode provides the ability for a virtual switch port and the virtual machine connected to it to receive traffic from multiple vLANs.
Configuring trunk mode for a virtual network adapter is not supported from the Hyper-V Manager; only a single VLAN can be configured but PowerShell is here to save us all.
Set-VMNetworkAdapterVlan -VMName <VMNAME> -Trunk -AllowedVlanIdList <XX-XX> -NativeVlanId XX
The native vLAN ID must not be in the scope of the allowed vLAN ID list.
The example below will enable the virtual machine DC to send and receive traffic on vLAN 2 to 10. If no vLAN is specified in the network packet, it will be processed on vLAN 99.

The Trunk mode configuration is not visible in the Hyper-V GUI.

PowerShell
There are many PowerShell commands to manage Hyper-V. Below are a few useful ones you need to know:
Show the physical network adapters
Get-NetAdapter
Add external virtual switch
# Look up the physical adapter dedicated to the virtual machines, then bind the external switch to it
$VM = Get-NetAdapter -Name VM
New-VMSwitch -Name DMZ -NetAdapterName $VM.Name -AllowManagementOS $false -Notes 'External Virtual Switch'
Add internal virtual switch
New-VMSwitch -Name internalSwitch -SwitchType Internal -Notes 'Internal Virtual Switch'
Add private virtual switch
New-VMSwitch -Name LAN -SwitchType Private -Notes 'Private Switch'
Display all virtual switches
Get-VMSwitch
Display all virtual switches with all details
Get-VMSwitch | select *

ComputerName : SRV
Name : DMZ
Id : b46b3e85-a681-4a6b-a404-99ce67702633
Notes :
SwitchType : External
AllowManagementOS : False
NetAdapterInterfaceDescription : Intel(R) I210 Gigabit Network Connection
AvailableVMQueues : 0
NumberVmqAllocated : 0
IovEnabled : False
IovVirtualFunctionCount : 0
IovVirtualFunctionsInUse : 0
IovQueuePairCount : 0
IovQueuePairsInUse : 0
AvailableIPSecSA : 0
NumberIPSecSAAllocated : 0
BandwidthPercentage : 10
BandwidthReservationMode : Absolute
DefaultFlowMinimumBandwidthAbsolute : 100000000
DefaultFlowMinimumBandwidthWeight : 0
Extensions : {Microsoft NDIS Capture, Microsoft Windows Filtering Platform}
IovSupport : False
IovSupportReasons : {This network adapter does not support SR-IOV.}
IsDeleted : False
Key :

ComputerName : SRV
Name : LAN
Id : b7e59a89-d471-4333-a486-6848793c7ed8
Notes :
SwitchType : Private
AllowManagementOS : False
NetAdapterInterfaceDescription :
AvailableVMQueues : 0
NumberVmqAllocated : 0
IovEnabled : False
IovVirtualFunctionCount : 0
IovVirtualFunctionsInUse : 0
IovQueuePairCount : 0
IovQueuePairsInUse : 0
AvailableIPSecSA : 0
NumberIPSecSAAllocated : 0
BandwidthPercentage : 0
BandwidthReservationMode : Absolute
DefaultFlowMinimumBandwidthAbsolute : 0
DefaultFlowMinimumBandwidthWeight : 0
Extensions : {Microsoft NDIS Capture, Microsoft Windows Filtering Platform}
IovSupport : False
IovSupportReasons :
IsDeleted : False
Key :
Display VM virtual network adapter configuration
Get-VMNetworkAdapterVlan -VMName <VMNAME> | select *
AccessVlanID is the vLAN ID configured on the virtual machine network adapter.
Configure virtual switch port as Untagged
Set-VMNetworkAdapterVlan <VMNAME> -Access -Untagged
Configure virtual switch port as Tagged with a vLAN ID
Set-VMNetworkAdapterVlan <VMNAME> -Access -VlanId 2
Configure Trunk Mode
Set-VMNetworkAdapterVlan -VMName <VMNAME> -Trunk -AllowedVlanIdList <01-XX> -NativeVlanId XX
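One way to check from the host that the isolation described in this post is actually in place, as an added example that is not part of the original post: the script only reads configuration, and the VM names NS01 and NS02 are hypothetical placeholders for the NetScaler appliances.

```powershell
#Requires -Modules Hyper-V
# Added example: read-only audit of the switch layout described in this post.
# Hypothetical values: NS01/NS02 stand in for the NetScaler VM names.

function Test-LabNetworkIsolation {
    param(
        [string]   $ManagementNic     = 'RDP',             # adapter reserved for remote connections
        [string[]] $AllowedOnExternal = @('NS01', 'NS02')  # only VMs expected on an external switch
    )

    # 1. The management adapter must not be bound to the Hyper-V switch component.
    $binding = Get-NetAdapterBinding -Name $ManagementNic `
        -DisplayName 'Hyper-V Extensible Virtual Switch' -ErrorAction SilentlyContinue
    if ($binding -and $binding.Enabled) {
        [pscustomobject]@{ Check = 'HostAdapter'; Target = $ManagementNic
                           Detail = 'Hyper-V Extensible Virtual Switch is enabled on the management adapter' }
    }

    # 2. External switches should not give the management OS a port on the uplink.
    $switchType = @{}
    foreach ($sw in Get-VMSwitch) {
        $switchType[$sw.Name] = [string]$sw.SwitchType
        if ($sw.SwitchType -eq 'External' -and $sw.AllowManagementOS) {
            [pscustomobject]@{ Check = 'ExternalSwitch'; Target = $sw.Name
                               Detail = 'AllowManagementOS is True: the host shares this uplink' }
        }
    }

    # 3. Walk every VM adapter: which switch it sits on and how its port is configured.
    foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
        if (-not $nic.SwitchName) { continue }   # adapter not connected to any switch
        $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic

        # Only the listed VMs are supposed to reach the physical network.
        if ($switchType[$nic.SwitchName] -eq 'External' -and $nic.VMName -notin $AllowedOnExternal) {
            [pscustomobject]@{ Check = 'VmOnExternal'; Target = "$($nic.VMName) / $($nic.Name)"
                               Detail = "Connected to external switch '$($nic.SwitchName)'" }
        }

        # Trunk ports receive traffic from several vLANs and are invisible in the GUI.
        if ($vlan.OperationMode -eq 'Trunk') {
            [pscustomobject]@{ Check = 'TrunkPort'; Target = "$($nic.VMName) / $($nic.Name)"
                               Detail = "Allowed vLANs: $($vlan.AllowedVlanIdList -join ','); native: $($vlan.NativeVlanId)" }
        }
    }
}

Test-LabNetworkIsolation | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the Hyper-V host; an empty result means none of the checks fired.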
Conclusion
The networking part of the lab has a lot of settings. These are the most important:
- Two physical network adapters
- one dedicated to virtual machines
- one dedicated to management
- Two virtual switches (Access Mode – Tagged/Untagged)
- external switch bound to the physical network adapter dedicated to the virtual machines (Untagged)
- private switch not bound to any physical network adapter (Tagged vLAN ID 2)
- Ports are tagged but frames are not
- Trunk Mode only necessary if you need to receive traffic from more than one vLAN.
- To be configured via PowerShell
That’s all for the network configuration with Hyper-V. I hope this clears up some of the confusion with the terminology that Microsoft uses. In the next installment of this series, we will start to work with Citrix products (finally!) by reviewing NetScaler architecture and installing two virtual appliances.
Great share. If I have to replicate this network setting on a VMware hypervisor, can you suggest steps for that? Thank you!
Hello
I'm actually designing a lab for a NS 12 training
I have one Hyper-V on Windows 10 1703 and only one network card
I created 2 vswitches on private network
1 named DMZ and another LAN
All is ok
My NSIP is 192.168.10.101
I added a SNIP of 10.0.0.1
I have a AD DC 10.0.0.10
I did a ping on my netscaler to the dc and all is ok
Is it ok for my lab ?
My question is about the VIP: must I add a third network card?
and what must I configure?
tks