Does Hyper-V support Private VLANs via trunk ports?

There is no way to tunnel private network traffic from one host to another.

One way would be to use good old crossover cables between hosts and set up external networks.

A similar but more geeky solution is to use VLANs and VLAN tagging of the private traffic (your physical network has to support this as well).

And, then there is always subnetting (a special subnet specific to the VM to VM traffic)

All of these require External networks so the traffic can leave the confines of a single host - but they are not new tricks.  Security through obscurity applies to subnetting and tagging.  Phsyical isolation (and a very old school) name needs to go to the crossover cable

I am not sure you understand my question. Higher end Cisco switches support what is called Private VLANs. A private VLAN is isolated from other VLANs and hosts. Community Private VLANs allow all hosts within a VLAN to talk with each other, but not hosts in other VLANs. Isolated Private VLANs prevent all hosts from communicating, even those in the same VLAN. Just as with regular VLANs, PVLANs can be trunked (what you call VLAN tagging) to other devices... i.e. Hyper-V server. I should be able to set the appropriate community VLAN ID in the Hyper-V virtual switch to allow the VM to communicate on the VLAN with others in the community configured on the Cisco switch.

I know this works in VMware, but not sure about Hyper-V.

There's no reason why it shouldn't work in Hyper-V.

Thank you for your response. However, I am unable to make this work and have not found any documentation on configuring Hyper-V to work on a Cisco PVLAN. Unfortunately, many don't seem to understand the concept of a private VLAN and confuse it with Hyper-V's built-in Private virtual machine network. At this point, I don't think it is supported.

I also want to add that I converted the trunk port to a host port. Hyper-V still could not ping it's gateway (the primary pvlan SVI) when set to the community PVLAN (vlan 221). However, when setting the VLAN to the primary pvlan number (vlan 220) in Hyper-V, the VM could ping the SVI. It appears that Hyper-V is not PVLAN aware and does not understand how the switch is tagging the packets.

I understand PVLANs. The issue is not on the switch. However, I tried your suggestion and put the port into promiscuous mode. Still unsuccessful.

Hyper-V does not see the PVLAN. The switch SVI does not show up in the VM's ARP table. However, the VM does show up in the switches ARP table. If I change Hyper-v to the primary pvlan, the SVI does show up in the ARP table.

I'm starting to think that Hyper-v just does not support PVLANs and requires a PVLAN trunk port on the switch. Unfortunately, this is a 3750x and you have to move up to the 4500 or 6500 for PVLAN trunk support.

Hmmm I see what you're saying.  I'm going to set it up now and test using a 3560 and a 6509.  I'll keep you posted! :-)

Great, Thanks!

craigbeck,

Did you get a chance to test this?

Hi apitech,

I'm sorry I haven't gotten back to you - I've only just returned from a week in the Sun!

I did manage to test this today and I couldn't get it to work at all using a 6500 either.

api are you specifying a VLAN tag for the external adapter or the VM itself?