How to Set Up VLAN Support on Windows Server 2022

Virtual Local Area Networks (VLANs) segment a physical network into multiple isolated logical networks using 802.1Q VLAN tagging. On Windows Server 2022, VLAN support is available at multiple layers: directly on a physical network adapter (access port configuration), on NIC team members, on NIC team NICs (virtual adapters created on top of a team), and on Hyper-V virtual machine network adapters. Each approach serves a different purpose and context. This guide covers each VLAN configuration method, explains when to use each one, and provides the PowerShell commands to implement and verify the configuration.

Understanding 802.1Q VLAN Tagging

IEEE 802.1Q defines the standard for VLAN tagging on Ethernet networks. When a network adapter operates with a VLAN ID configured, it inserts a 4-byte VLAN tag into outgoing Ethernet frames and strips the tag from incoming frames before passing them to the operating system. This tagged traffic is called “trunk” traffic on the network switch side—the switch must have its port configured as a trunk port carrying the specified VLAN(s) for tagged traffic to pass correctly.

An access port on a switch carries traffic for a single VLAN untagged. When you connect a Windows Server physical adapter directly to an access port, you do NOT configure a VLAN ID on the Windows adapter—the switch handles the VLAN assignment. VLAN tagging on the adapter is only needed when connected to a trunk port.

In Hyper-V environments, the host’s physical adapters are typically connected to trunk ports, and VLAN assignment is then controlled at the virtual switch adapter level (per-VM or per-host vNIC), giving you precise control over which VLAN each VM or workload uses.

Setting VLAN ID Directly on a Physical Adapter

You can assign a VLAN ID directly to a physical network adapter using the Set-NetAdapterAdvancedProperty cmdlet. First, identify the available adapters:

Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, LinkSpeed

View the available advanced properties for the adapter to identify the VLAN ID property name (it varies slightly by driver):

Get-NetAdapterAdvancedProperty -Name "Ethernet1" | 
    Select-Object DisplayName, RegistryKeyword, DisplayValue, RegistryValue

Set the VLAN ID on the adapter. The registry keyword is typically VlanID, and the display name is typically VLAN ID:

# Set VLAN ID 100 on Ethernet1
Set-NetAdapterAdvancedProperty -Name "Ethernet1" `
                               -RegistryKeyword "VlanID" `
                               -RegistryValue 100

# Alternatively, use the display name if the above fails
Set-NetAdapterAdvancedProperty -Name "Ethernet1" `
                               -DisplayName "VLAN ID" `
                               -DisplayValue "100"

After setting the VLAN ID, the adapter needs to be restarted to apply the change:

Restart-NetAdapter -Name "Ethernet1"

Verify the VLAN ID is applied:

Get-NetAdapterAdvancedProperty -Name "Ethernet1" -DisplayName "VLAN ID"

To remove the VLAN ID (set to 0 = no VLAN tagging):

Set-NetAdapterAdvancedProperty -Name "Ethernet1" -RegistryKeyword "VlanID" -RegistryValue 0
Restart-NetAdapter -Name "Ethernet1"

Verifying VLAN Configuration

To verify the current VLAN configuration across all adapters, query the VLAN ID advanced property on each adapter:

# Check VLAN ID on all adapters
Get-NetAdapter | ForEach-Object {
    $vlan = Get-NetAdapterAdvancedProperty -Name $_.Name -RegistryKeyword "VlanID" -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        AdapterName = $_.Name
        Status      = $_.Status
        VlanID      = if ($vlan) { $vlan.RegistryValue } else { "N/A" }
    }
} | Format-Table -AutoSize

VLANs on NIC Team Members

When adapters are members of an LBFO team, you should NOT set VLAN IDs on the individual team member adapters. VLAN configuration for a team is done at the team NIC level (the virtual adapter created on top of the team), not on the underlying physical members. Setting VLANs on team members individually can cause connectivity issues.

The physical team member adapters should be connected to a trunk port on the switch, carrying all the VLANs you intend to use on that team:

# Check that team member adapters do NOT have VLAN IDs set
Get-NetLbfoTeamMember | ForEach-Object {
    $vlan = Get-NetAdapterAdvancedProperty -Name $_.Name `
                -RegistryKeyword "VlanID" -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Member = $_.Name
        Team   = $_.Team
        VlanID = if ($vlan) { $vlan.RegistryValue } else { "N/A" }
    }
}

Multiple VLANs Using NIC Team NICs

The most flexible way to run multiple VLANs on a single server with LBFO teaming is to create multiple Team NICs. Each Team NIC is a virtual adapter created on top of the NIC team and has its own VLAN ID. This allows one physical team to serve traffic for multiple VLANs simultaneously, so the server appears to the network as a trunk port client.

Create additional Team NICs with different VLAN IDs using Add-NetLbfoTeamNic:

# First, check the existing team and its primary (untagged) NIC
Get-NetLbfoTeamNic -Team "ServerTeam"

# Add a Team NIC for VLAN 100 (Management)
Add-NetLbfoTeamNic -Team "ServerTeam" -VlanID 100 -Name "ServerTeam-Vlan100"

# Add a Team NIC for VLAN 200 (Production)
Add-NetLbfoTeamNic -Team "ServerTeam" -VlanID 200 -Name "ServerTeam-Vlan200"

# Add a Team NIC for VLAN 300 (Storage)
Add-NetLbfoTeamNic -Team "ServerTeam" -VlanID 300 -Name "ServerTeam-Vlan300"

# View all team NICs
Get-NetLbfoTeamNic -Team "ServerTeam" | Select-Object Name, Team, VlanID, Primary

Each Team NIC appears as a separate network adapter in the OS. Assign appropriate IP addresses to each:

# Assign IP to Management VLAN
New-NetIPAddress -InterfaceAlias "ServerTeam-Vlan100" `
                 -IPAddress 192.168.100.10 `
                 -PrefixLength 24 `
                 -DefaultGateway 192.168.100.1

# Assign IP to Production VLAN (no default gateway — only one gateway per server)
New-NetIPAddress -InterfaceAlias "ServerTeam-Vlan200" `
                 -IPAddress 10.200.0.10 `
                 -PrefixLength 24

# Assign IP to Storage VLAN
New-NetIPAddress -InterfaceAlias "ServerTeam-Vlan300" `
                 -IPAddress 10.100.10.10 `
                 -PrefixLength 24

# Set DNS servers on the management adapter
Set-DnsClientServerAddress -InterfaceAlias "ServerTeam-Vlan100" `
                           -ServerAddresses 192.168.100.1, 192.168.100.2

Hyper-V Virtual Switch VLAN Configuration

In a Hyper-V environment, VLAN assignment is typically handled at the virtual machine network adapter level rather than on the physical or team adapters. This is the recommended approach because it provides per-VM VLAN isolation without requiring separate physical adapters or team NICs per VLAN.

The physical host adapter (or SET team) connects to a trunk port on the switch, and the Hyper-V virtual switch passes tagged traffic to the correct VMs. Configure VLANs on VM network adapters using Set-VMNetworkAdapterVlan:

# Set a VM's network adapter to access VLAN 100 (Access mode — untagged inside VM)
Set-VMNetworkAdapterVlan -VMName "WebServer01" `
                          -VMNetworkAdapterName "Network Adapter" `
                          -Access `
                          -VlanId 100

# Set another VM to VLAN 200
Set-VMNetworkAdapterVlan -VMName "AppServer01" `
                          -VMNetworkAdapterName "Network Adapter" `
                          -Access `
                          -VlanId 200

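# Verify VLAN configuration for all VMs
# (VM and adapter names are read from each setting's ParentAdapter object)
Get-VMNetworkAdapterVlan | 
    Select-Object @{n='VMName'; e={$_.ParentAdapter.VMName}},
                  @{n='VMNetworkAdapterName'; e={$_.ParentAdapter.Name}},
                  OperationMode, AccessVlanId | 
    Format-Table -AutoSize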

For a VM that needs to act as a VLAN-aware router or firewall (trunk mode inside the guest), use Trunk mode:

# Set a VM adapter to trunk mode carrying VLANs 100, 200, 300 (native VLAN 0)
Set-VMNetworkAdapterVlan -VMName "RouterVM" `
                          -VMNetworkAdapterName "Trunk Adapter" `
                          -Trunk `
                          -AllowedVlanIdList "100,200,300" `
                          -NativeVlanId 0

VLAN on the Hyper-V Host Management vNIC

When the Hyper-V host uses a virtual switch for its own management network (a vNIC connected to the virtual switch), you configure the VLAN on that vNIC using the ManagementOS parameter:

# Set VLAN 100 on the host management vNIC
Set-VMNetworkAdapterVlan -ManagementOS `
                          -VMNetworkAdapterName "Management" `
                          -Access `
                          -VlanId 100

# Verify the management vNIC VLAN
Get-VMNetworkAdapterVlan -ManagementOS | 
    Select-Object @{n='VMNetworkAdapterName'; e={$_.ParentAdapter.Name}},
                  OperationMode, AccessVlanId
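
Per-VM and host vNIC VLAN assignments are the isolation boundary on a trunk-connected host, so it helps to compare them against an intended plan. The following is an added example, not part of the original guide: the function name Get-VlanDrift and the plan table are hypothetical, and the VM and adapter names reuse the ones shown above.

```powershell
# Added example. The plan is constructed; names reuse the ones in this guide.
# Key format: "<VM name or ManagementOS>|<vNIC name>"
$plan = @{
    'WebServer01|Network Adapter' = @{ Mode = 'Access'; Vlans = @(100) }
    'AppServer01|Network Adapter' = @{ Mode = 'Access'; Vlans = @(200) }
    'RouterVM|Trunk Adapter'      = @{ Mode = 'Trunk';  Vlans = @(100, 200, 300) }
    'ManagementOS|Management'     = @{ Mode = 'Access'; Vlans = @(100) }
}

function Get-VlanDrift {   # hypothetical helper name
    param([Parameter(Mandatory)][hashtable]$Plan)

    # -All returns VM vNICs and host (ManagementOS) vNICs in one pass
    foreach ($nic in Get-VMNetworkAdapter -All) {
        $owner = if ($nic.IsManagementOs) { 'ManagementOS' } else { $nic.VMName }
        $key   = "$owner|$($nic.Name)"
        $vlan  = $nic.VlanSetting
        $mode  = [string]$vlan.OperationMode

        # VLANs the vNIC can reach in its current mode (none when Untagged)
        $reach = switch ($mode) {
            'Access' { $vlan.AccessVlanId }
            'Trunk'  { $vlan.AllowedVlanIdList; $vlan.NativeVlanId }
        }
        $actual = @($reach | Where-Object { $_ } | Sort-Object -Unique)  # drops 0 = untagged

        $issues = @()
        if ($mode -eq 'Untagged') { $issues += 'untagged: frames land in the switch port native VLAN' }
        if ($nic.MacAddressSpoofing -eq 'On') { $issues += 'MacAddressSpoofing is On' }
        if (-not $Plan.ContainsKey($key)) {
            $issues += 'vNIC is not in the plan'
        } else {
            $want    = $Plan[$key]
            $extra   = @($actual | Where-Object { $_ -notin $want.Vlans })
            $missing = @($want.Vlans | Where-Object { $_ -notin $actual })
            if ($mode -ne $want.Mode) { $issues += "mode is $mode, plan says $($want.Mode)" }
            if ($extra)   { $issues += "VLANs beyond plan: $($extra -join ',')" }
            if ($missing) { $issues += "planned VLANs not configured: $($missing -join ',')" }
        }

        foreach ($issue in $issues) {
            [PSCustomObject]@{
                Owner = $owner; Adapter = $nic.Name; Mode = $mode
                Vlans = $actual -join ','; Issue = $issue
            }
        }
    }
}

Get-VlanDrift -Plan $plan | Format-Table -AutoSize -Wrap
```

An empty result means every vNIC on the host matches the plan; any row is a vNIC whose mode or VLAN reach differs from what was intended.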

Trunk vs Access Port Configuration for Hyper-V Hosts

The physical switch port connected to a Hyper-V host’s NIC (or NIC team) must be configured as a trunk port to carry tagged traffic for all VLANs used by the VMs and host vNICs. This is in contrast to a standard server (no Hyper-V) where you might use an access port for a single VLAN.

Example switch configuration (Cisco syntax) for a Hyper-V host trunk port:

interface GigabitEthernet0/1
 description Hyper-V Host - SET Team Member 1
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300
 switchport trunk native vlan 1
 spanning-tree portfast trunk

Example for a non-Hyper-V server on VLAN 100 access port:

interface GigabitEthernet0/5
 description Windows Server 2022 File Server
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast

VLAN on SET Team (Switch Embedded Teaming)

With Switch-Embedded Teaming, the physical adapters do not have VLAN IDs set—VLAN tagging is handled by the Hyper-V virtual switch and individual vNIC VLAN assignments. The physical adapters in the SET team should have their VLAN IDs cleared:

# Verify no VLAN IDs on SET team physical members
Get-VMSwitch -Name "SETSwitch" | 
    Select-Object -ExpandProperty NetAdapterInterfaceDescriptions | 
    ForEach-Object {
        # Capture the description first: inside Where-Object, $_ is the adapter
        $description = $_
        $adapter = Get-NetAdapter | Where-Object { $_.InterfaceDescription -eq $description }
        if ($adapter) {
            Get-NetAdapterAdvancedProperty -Name $adapter.Name `
                -RegistryKeyword "VlanID" -ErrorAction SilentlyContinue
        }
    }

Configure VLAN on the host management vNIC connected to the SET switch:

Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "Management" `
                          -Access -VlanId 100

Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "SMB01" `
                          -Access -VlanId 300

Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "SMB02" `
                          -Access -VlanId 300

Troubleshooting VLAN Connectivity

VLAN misconfiguration is a common source of network connectivity problems. Use this systematic troubleshooting approach:

First, verify the VLAN ID configuration on the adapter or vNIC:

# Check physical adapter VLAN
Get-NetAdapterAdvancedProperty -Name "Ethernet1" -RegistryKeyword "VlanID"

# Check VM vNIC VLAN
Get-VMNetworkAdapterVlan -VMName "WebServer01"

# Check host vNIC VLAN
Get-VMNetworkAdapterVlan -ManagementOS

Verify the network adapter is up and has an IP address on the correct subnet:

Get-NetIPConfiguration | Where-Object {$_.InterfaceAlias -like "*Vlan100*"}

Test connectivity to the default gateway on the VLAN:

Test-NetConnection -ComputerName 192.168.100.1 -InformationLevel Detailed

Check for VLAN ID mismatches by reviewing the adapter’s received packet counters. If an adapter is receiving zero packets but the switch shows traffic, the VLAN ID may be wrong:

Get-NetAdapterStatistics -Name "ServerTeam-Vlan100" | 
    Select-Object Name, ReceivedUnicastPackets, ReceivedDiscardedPackets, ReceivedPacketErrors

Verify that the switch port is configured as a trunk and is allowing the correct VLANs. On a Windows Server acting as a VLAN client, confirm the switch port VLAN configuration matches what Windows expects. A mismatch between the VLAN ID set on the Windows adapter and what the switch allows on that port will result in all traffic being dropped.

If using a VM on Hyper-V, check the Hyper-V virtual switch port security settings, which can block spoofed VLAN IDs or MAC addresses:

Get-VMNetworkAdapter -VMName "WebServer01" | 
    Select-Object VMName, MacAddress, DynamicMacAddressEnabled |
    Format-List

# Check if port security features are blocking traffic
Get-VMNetworkAdapter -VMName "WebServer01" | 
    Select-Object VMName, MacAddressSpoofing, DhcpGuard, RouterGuard

Summary

VLAN support on Windows Server 2022 is available through multiple mechanisms suited to different scenarios. Direct physical adapter VLAN configuration is appropriate for standalone servers needing a single VLAN on a trunk-connected port. NIC Team NICs with VLAN IDs enable multiple VLANs on a single team, which is ideal for application servers that need presence on multiple network segments. For Hyper-V hosts, the preferred approach is a SET or LBFO team connected to a trunk port, with VLAN assignment handled per-VM via Set-VMNetworkAdapterVlan. Understanding the relationship between the Windows VLAN configuration and the upstream switch port mode (access vs trunk) is the key to avoiding connectivity issues and building a reliable multi-tenant network infrastructure on Windows Server 2022.