Install Hyper-V, and let’s learn it’s Networking<\/p>\n
On VMware, when you install the OS (ESXi) on the hardware in the DCUI you simply set the VLAN tag right on the network interface you configure, and bind it to a physical NIC in the menu area, simple.<\/p>\n
We leave the network connected to a non tagged, internet allowed connection. Now we can configure our networks.<\/p>\n
# Add another vNIC for the host bound to the same external switch\r\nAdd-VMNetworkAdapter -ManagementOS -Name \"HostVLAN20\" -SwitchName \"ExternalSwitch\"\r\nSet-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName \"HostVLAN20\" -Access -VlanID 6<\/code><\/pre>\n<\/span>3. Verify in Windows<\/span><\/h2>\n\n- You\u2019ll now see multiple vEthernet adapters<\/strong> in the host OS (e.g., \u201cvEthernet (HostVLAN20)\u201d, \u201cvEthernet (HostVLAN30)\u201d).<\/li>\n
- Assign IP addresses or enable DHCP as needed.<\/li>\n<\/ul>\n
*Note* this is for doing it on a single network server (for my lab use) usually you’d have dedicated NICs for other networks designated on those servers… anyway.. where was I… right now that we got additional network on the server we can work on a shared storage, you know how I like my iSCSI.<\/p>\n
\n\n\n\nSo, when I setup Hyper-V, and connect a VM to the “default” virtual switch, the Hyper-V server acts as a DHCP provider and NATs the connections from that vSwitch to whatever other network the host is connected to?<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n<\/div>\n\n\nGreat question \u2014 this trips up a lot of people when they first use Hyper\u2011V! Let\u2019s break it down clearly:<\/p>\n
<\/span>\ud83d\udda7 Hyper\u2011V Default Switch Behavior<\/span><\/h2>\n\n- Introduced in Windows 10 (1709)<\/strong>: The “Default Switch” is automatically created by Hyper\u2011V and cannot be deleted or modified.<\/li>\n
- NAT (Network Address Translation)<\/strong>: Yes \u2014 the host machine provides NAT services. This means your VM\u2019s traffic is translated and routed through the host\u2019s network connection, regardless of whether that\u2019s Wi\u2011Fi, Ethernet, or even VPN.<\/li>\n
- DHCP Services<\/strong>: The host also runs a lightweight DHCP service for the Default Switch. This is what hands out IP addresses to your VMs automatically (usually in the
172.16.x.x<\/code> range).<\/li>\n- Connectivity<\/strong>: VMs connected to the Default Switch can reach the internet and other devices on the host\u2019s network, but inbound connections from the LAN to the VM are limited. It\u2019s designed for convenience, not for complex networking setups.<\/li>\n<\/ul>\n
<\/span>\u2696\ufe0f Comparison with Other Switch Types<\/span><\/h3>\n\n\n\n\n\nSwitch Type<\/th>\n Provides DHCP?<\/th>\n Provides NAT?<\/th>\n Use Case<\/th>\n<\/tr>\n<\/thead>\n \n\nDefault Switch<\/strong><\/td>\n\u2705 Yes (host DHCP)<\/td>\n \u2705 Yes (host NAT)<\/td>\n Quick setup, internet access without config<\/td>\n<\/tr>\n \nExternal Switch<\/strong><\/td>\n\u274c No (relies on external network DHCP)<\/td>\n \u274c No<\/td>\n VM directly on physical network, full LAN visibility<\/td>\n<\/tr>\n \nInternal Switch<\/strong><\/td>\n\u274c No<\/td>\n \u274c No<\/td>\n Communication between host and VMs only<\/td>\n<\/tr>\n \nPrivate Switch<\/strong><\/td>\n\u274c No<\/td>\n \u274c No<\/td>\n Communication between VMs only<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n\u2705 So to answer directly:<\/p>\n
Yes \u2014 when you connect a VM to the Default Switch<\/strong>, Hyper\u2011V\u2019s host acts as a DHCP provider<\/strong> and NATs the VM\u2019s traffic<\/strong> to whatever network the host is connected to. It\u2019s essentially a convenience bridge so you don\u2019t have to manually configure networking.<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n\n“That’s what I did configured a external virtual switch so the hosts NIC would be VLAN tagged in a certain network, I was figuring the default switch would act more like a … well switch at layer2 of the hosts Nic, so VMs on it would get DHCP from the main network, as if it was connected to a switch in the base network, not layer3 and then 4 NAT like c’mon…”<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n<\/div>\n\n\nExactly \u2014 you\u2019ve nailed the distinction. The Default Switch<\/strong> in Hyper\u2011V is deliberately not<\/em> a true Layer\u20112 bridge to your host NIC. It\u2019s a convenience construct that Microsoft built to \u201cjust work\u201d for internet access without requiring you to mess with VLANs, external switches, or DHCP servers on your LAN.<\/p>\nHere\u2019s the breakdown:<\/p>\n
<\/span>\ud83d\udd0c Why the Default Switch behaves like NAT<\/span><\/h2>\n\n- It\u2019s implemented using Windows Internet Connection Sharing (ICS)<\/strong> under the hood.<\/li>\n
- ICS is a Layer\u20113 service: it provides a private subnet (usually
172.16.0.0\/12<\/code>), runs a DHCP service, and NATs traffic out through whatever adapter the host is using.<\/li>\n- That\u2019s why VMs on the Default Switch don\u2019t see your LAN\u2019s DHCP server \u2014 they only see the host\u2019s mini DHCP\/NAT service.<\/li>\n
- It\u2019s intentionally isolated so you don\u2019t accidentally expose VMs directly to your corporate or home LAN without realizing it.<\/li>\n<\/ul>\n
\u2696\ufe0f Why it\u2019s not Layer\u20112 bridging<\/p>\n
\n- A true Layer\u20112 bridge would forward broadcasts (like DHCP Discover) from the VM to your LAN. That\u2019s what an External Virtual Switch<\/strong> does.<\/li>\n
- The Default Switch instead terminates those broadcasts at the host and answers them itself. That\u2019s why you only ever get the host\u2011provided DHCP.<\/li>\n
- VLAN tagging, trunking, or other advanced networking features aren\u2019t supported on the Default Switch \u2014 it\u2019s locked down.<\/li>\n<\/ul>\n
\u2705 When to use each<\/p>\n
\n- Default Switch (NAT + DHCP)<\/strong>: Quick internet access, testing, dev boxes, laptops where you don\u2019t want to reconfigure NICs.<\/li>\n
- External Switch (Layer\u20112 bridge)<\/strong>: When you want VMs to behave like physical machines on your LAN, get DHCP from the real network, or use VLAN tagging.<\/li>\n
- Internal\/Private Switches<\/strong>: For host\u2011VM communication or VM\u2011VM only networks.<\/li>\n<\/ul>\n<\/div>\n
So your expectation \u2014 that the Default Switch would act like a transparent Layer\u20112 bridge \u2014 makes sense, but Microsoft intentionally designed it as a Layer\u20113 NAT gateway instead. If you want \u201creal switch\u201d behavior, the External Switch<\/strong> is the only way to go.<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n\n“So, whatever my host machine is allowed to do, the guest VMs in the default switch are also allowed to do? like access the internet, and the firewall that gave the host the ability to access the internet would never see the private NATed IP address the Hyper-V host is dishing out to those VMs?”<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n<\/div>\n\n\nYou\u2019ve got it \u2014 that\u2019s exactly how the Default Switch<\/strong> works in Hyper\u2011V. Let me spell it out clearly:<\/p>\n<\/span>\ud83c\udf10 How traffic flows with the Default Switch<\/span><\/h2>\n\n- VMs get private IPs<\/strong>: Each VM connected to the Default Switch is assigned an IP from the host\u2019s internal DHCP service (usually
172.16.x.x<\/code>).<\/li>\n- Host does NAT<\/strong>: The Hyper\u2011V host translates those private IPs into its own IP before sending traffic out to the physical network.<\/li>\n
- Firewall visibility<\/strong>: From the perspective of your upstream firewall or router, all traffic from those VMs looks like it\u2019s coming from the host\u2019s IP. The firewall never sees the VM\u2019s private NATed addresses.<\/li>\n
- Permissions<\/strong>: Whatever the host is allowed to do (e.g., access the internet, reach certain networks), the VMs can also do \u2014 because their traffic is piggybacking on the host\u2019s connection.<\/li>\n<\/ul>\n
\u2696\ufe0f Important implications<\/p>\n
\n- Outbound access<\/strong>: VMs can reach the internet or LAN resources as long as the host can. They inherit the host\u2019s connectivity.<\/li>\n
- Inbound access<\/strong>: External devices cannot directly initiate connections to those VMs, because NAT blocks unsolicited inbound traffic unless you set up port forwarding (which the Default Switch doesn\u2019t expose for configuration).<\/li>\n
- Firewall rules<\/strong>: The upstream firewall only enforces rules against the host\u2019s IP. If you need per\u2011VM visibility or control, you\u2019ll need an External Switch<\/strong> so each VM gets its own LAN IP.<\/li>\n<\/ul>\n<\/div>\n
\u2705 So yes: the Default Switch makes your VMs \u201cride along\u201d with the host\u2019s network permissions. They\u2019re hidden behind NAT, which is why your firewall only ever sees the host\u2019s traffic.<\/p>\n
<\/span>Additional Information<\/span><\/h1>\nIf you want to apply a VLAN tag to a physical NIC that’s not a Hyper-V host on Windows:<\/p>\n
Since I didn’t see anything in the usual Network\u00a0 IPv4 configuration window in Windows. I decided to see how useful this AI stuff is.. so I asked it…<\/p>\n
\n\n\n\n\n\n\n\n\n“how do I VLAN tag the IP on windows 11 interface?”<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\nQuick Answer:<\/strong> On Windows 11, VLAN tagging isn\u2019t enabled by default. You need a NIC that supports IEEE 802.1Q VLAN tagging, then configure the VLAN ID either through the NIC\u2019s Device Manager properties<\/strong> (Advanced tab \u2192 VLAN ID) or by using Intel PROSet\/ANS tools<\/strong> or PowerShell (<\/strong>Set-NetAdapter -VlanID<\/code>)<\/strong> if your driver supports it.<\/p>\n<\/div>\n<\/span>\ud83d\udda5\ufe0f Steps to Configure VLAN Tagging on Windows 11<\/span><\/h2>\n1. Check NIC Compatibility<\/p>\n
\n- VLAN tagging requires a network card (NIC) that supports IEEE 802.1Q<\/strong>.<\/li>\n
- Not all NICs expose VLAN options in Windows. Intel and Broadcom NICs often support it, but you may need vendor-specific drivers.<\/li>\n<\/ul>\n
2. Configure via Device Manager<\/p>\n
\n- Press Win + R<\/strong>, type
devmgmt.msc<\/code>, and hit Enter.<\/li>\n- Expand Network adapters<\/strong>, right-click your NIC \u2192 Properties<\/strong>.<\/li>\n
- Go to the Advanced<\/strong> tab.<\/li>\n
- Look for VLAN ID<\/strong> or Priority & VLAN<\/strong>.<\/li>\n
- Enter the VLAN ID (e.g.,
100<\/code>) and click OK.<\/li>\n<\/ul>\n3. Configure via Intel PROSet\/ANS (if supported)<\/p>\n
\n- Install Intel PROSet\/Advanced Network Services (ANS)<\/strong>.<\/li>\n
- In the NIC properties, Intel\u2019s tab allows creating multiple VLAN interfaces<\/strong> with different IDs.<\/li>\n
- Each VLAN interface can then be assigned its own IP address.<\/li>\n<\/ul>\n
4. Configure via PowerShell<\/p>\n
\n- Open PowerShell as Administrator.<\/li>\n
- Run:\n\n\n\n
Set-NetAdapter -Name \"Ethernet\" -VlanID 100\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n- Replace
\"Ethernet\"<\/code> with your adapter name and 100<\/code> with your VLAN ID.<\/li>\n- Note: This only works if your NIC driver supports VLAN tagging. Otherwise, you\u2019ll get an error like \u201cRequested operation not supported on adapter\u201d<\/em>.<\/li>\n<\/ul>\n
5. Assign IP Address<\/p>\n
\n- Once VLAN tagging is enabled, go to Network & Internet settings<\/strong> \u2192 Change adapter options<\/strong>.<\/li>\n
- Right-click the VLAN-enabled adapter \u2192 Properties<\/strong> \u2192 Internet Protocol Version 4 (TCP\/IPv4)<\/strong>.<\/li>\n
- Assign the IP address, subnet mask, and gateway for that VLAN.<\/li>\n<\/ul>\n
\u26a0\ufe0f Important Notes<\/p>\n
\n- Driver Support is Key:<\/strong> If your NIC driver doesn\u2019t expose VLAN options, you cannot tag VLANs directly in Windows without Hyper-V or third-party tools.<\/li>\n
- Hyper-V Alternative:<\/strong> You can create VLAN-tagged virtual NICs using Hyper-V\u2019s Virtual Switch Manager if your hardware doesn\u2019t support native tagging.<\/li>\n
- Testing:<\/strong> Use
ping<\/code> or tracert<\/code> to verify connectivity once VLAN tagging is applied.<\/li>\n<\/ul>\n<\/div>\n\u2705 Bottom Line:<\/strong> To VLAN tag an IP on Windows 11, you must enable VLAN tagging on the NIC (via Device Manager, Intel PROSet\/ANS, or PowerShell if supported), then assign the IP to that VLAN interface. If your NIC doesn\u2019t support VLAN tagging, you\u2019ll need Hyper-V or vendor-specific utilities.<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n\nMy response “I’ve got an intle 82579LM Gig NIC, I see it says VLAN enabled in the advanced tab, but I don’t see an area to configure it, I’m sure the NIC supports it since I was using ESXi with vlan tagging just fine.”<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n<\/div>\n\n\nThat\u2019s a great observation \u2014 the Intel 82579LM definitely supports VLAN tagging at the hardware level, but here\u2019s the catch: Windows drivers for that NIC don\u2019t expose VLAN configuration in the same way ESXi or Linux does.<\/strong><\/p>\n<\/span>\ud83d\udd0e Why You Don\u2019t See VLAN Config in Windows<\/span><\/h2>\n\n- The Advanced tab<\/strong> in Device Manager shows \u201cPriority & VLAN\u201d or \u201cVLAN Enabled,\u201d but that option only toggles whether the NIC can process VLAN-tagged frames.<\/li>\n
- Unlike ESXi, Windows doesn\u2019t let you directly assign VLAN IDs to a physical NIC unless the driver provides a VLAN interface creation utility<\/strong> (like Intel PROSet\/ANS).<\/li>\n
- For the 82579LM, Intel stopped including VLAN configuration in their Windows drivers after Windows 8\/10. On Windows 11, the driver exposes VLAN capability but no UI to configure VLAN IDs<\/strong>.<\/li>\n<\/ul>\n
\u2705 Workarounds<\/p>\n
Here are the practical options:<\/p>\n
1. Intel PROSet\/ANS (if available)<\/strong><\/p>\n\n- Older Intel drivers came with Advanced Network Services (ANS)<\/strong>, which let you create VLAN sub-interfaces.<\/li>\n
- On Windows 11, Intel no longer bundles ANS with drivers for the 82579LM, so you won\u2019t see the VLAN tab.<\/li>\n<\/ul>\n
2. PowerShell Command<\/strong><\/p>\n