How to Configure Windows Server 2016 VLAN Tagging

Virtual Local Area Networks (VLANs) segment a single physical network into multiple logical networks, providing traffic isolation, improved security, and better bandwidth management. Windows Server 2016 supports VLAN tagging both on physical network adapters and on Hyper-V virtual switches, allowing servers and virtual machines to participate in VLAN-segmented networks. This guide covers configuring VLAN tagging on physical NICs for server-level segmentation and on Hyper-V virtual switches for VM-level VLAN assignment.

Understanding 802.1Q VLAN Tagging

802.1Q is the IEEE standard for VLAN tagging. When a frame is transmitted on a tagged (trunk) port, a 4-byte VLAN tag is inserted into the Ethernet frame header. The tag carries the 12-bit VLAN ID (0-4095, of which 0 and 4095 are reserved). Devices must understand 802.1Q tagging to handle tagged frames correctly. Access ports strip the VLAN tag and deliver untagged frames to end devices, while trunk ports carry tagged frames between switches and servers that are configured for multiple VLANs.
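
The tag layout described above, decoded in PowerShell as an added example that is not part of the original guide: the function reads the TPID and the Tag Control Information from a raw Ethernet frame. The function name Get-Dot1QTag and the sample frame bytes are constructed for illustration.

```powershell
# Added example: decode the 4-byte 802.1Q tag from a raw Ethernet frame.
# Get-Dot1QTag is a hypothetical helper name, not a built-in cmdlet.
function Get-Dot1QTag {
    param([Parameter(Mandatory)][byte[]]$Frame)

    # Destination MAC (6) + source MAC (6) + EtherType or TPID (2)
    if ($Frame.Length -lt 14) { throw 'Frame is shorter than an Ethernet header' }

    $tpid = ([int]$Frame[12] -shl 8) -bor $Frame[13]
    if ($tpid -ne 0x8100) {
        # Untagged frame: bytes 12-13 are the payload EtherType
        return [pscustomobject]@{
            Tagged = $false; VlanId = $null; Priority = $null
            DropEligible = $null; EtherType = '0x{0:X4}' -f $tpid
        }
    }
    if ($Frame.Length -lt 18) { throw 'Frame ends inside the 802.1Q tag' }

    # Tag Control Information: PCP (3 bits) | DEI (1 bit) | VLAN ID (12 bits)
    $tci   = ([int]$Frame[14] -shl 8) -bor $Frame[15]
    $inner = ([int]$Frame[16] -shl 8) -bor $Frame[17]

    [pscustomobject]@{
        Tagged       = $true
        VlanId       = $tci -band 0x0FFF
        Priority     = ($tci -shr 13) -band 0x7
        DropEligible = [bool](($tci -shr 12) -band 0x1)
        EtherType    = '0x{0:X4}' -f $inner   # protocol carried after the tag
    }
}

# Constructed sample: broadcast frame tagged with VLAN 100, priority 5, IPv4 payload
[byte[]]$sample = 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,   # destination MAC
                  0x00,0x15,0x5D,0x00,0x00,0x01,   # source MAC
                  0x81,0x00,                       # TPID 0x8100 = 802.1Q
                  0xA0,0x64,                       # TCI: PCP 5, DEI 0, VID 0x064
                  0x08,0x00                        # inner EtherType (IPv4)

Get-Dot1QTag -Frame $sample
```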

Prerequisites

Your network switch must have the port connected to the Windows Server configured as a trunk port that allows the VLAN IDs you want to use. The physical NIC driver must support 802.1Q VLAN tagging — most modern enterprise NICs (Intel, Broadcom, Mellanox) support this. Verify adapter capabilities:

Get-NetAdapter | Select Name, InterfaceDescription, DriverVersion, Status
Get-NetAdapterAdvancedProperty | Where-Object { $_.RegistryKeyword -like "*VLAN*" } | Select Name, DisplayName, DisplayValue

Step 1: Configure VLAN Tagging on a Physical NIC

To assign a single VLAN to a physical NIC, use the Set-NetAdapter cmdlet or configure the adapter’s advanced properties. This puts the NIC in access mode for the specified VLAN:

# Set VLAN ID on a physical adapter (access mode)
Set-NetAdapter -Name "Ethernet" -VlanID 100

# Verify the VLAN ID was applied
Get-NetAdapter -Name "Ethernet" | Select Name, VlanID

# Alternative via advanced adapter properties
Set-NetAdapterAdvancedProperty -Name "Ethernet" -RegistryKeyword "VlanID" -RegistryValue 100

Step 2: Create Multiple VLAN Interfaces Using NIC Teaming or Virtual Adapters

To allow a server to participate in multiple VLANs simultaneously (trunk mode), you need to create virtual adapters for each VLAN. Windows Server 2016 supports this through NIC Teaming VLAN interfaces:

# First, create a NIC team (even with a single NIC for VLAN support)
New-NetLbfoTeam -Name "NICTeam1" -TeamMembers "Ethernet","Ethernet 2" -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic

# Create VLAN interfaces on the team
Add-NetLbfoTeamNic -Team "NICTeam1" -VlanID 100 -Name "Team1-VLAN100"
Add-NetLbfoTeamNic -Team "NICTeam1" -VlanID 200 -Name "Team1-VLAN200"
Add-NetLbfoTeamNic -Team "NICTeam1" -VlanID 300 -Name "Team1-VLAN300"

# View team NICs and VLAN assignments
Get-NetLbfoTeamNic -Team "NICTeam1" | Select Name, VlanID, Primary

Assign IP addresses to each VLAN interface:

New-NetIPAddress -InterfaceAlias "Team1-VLAN100" -IPAddress "10.100.1.10" -PrefixLength 24 -DefaultGateway "10.100.1.1"
New-NetIPAddress -InterfaceAlias "Team1-VLAN200" -IPAddress "10.200.1.10" -PrefixLength 24
# An IPv4 octet cannot exceed 255, so the VLAN 300 interface uses 10.30.1.0/24
New-NetIPAddress -InterfaceAlias "Team1-VLAN300" -IPAddress "10.30.1.10" -PrefixLength 24

Step 3: Configure Hyper-V Virtual Switch for VLAN Support

On a Hyper-V host, the virtual switch is the central point for VLAN configuration. Create an external virtual switch bound to the physical NIC that connects to the trunk port on your physical switch:

# Create an external Hyper-V switch (allows VMs to access physical VLANs)
New-VMSwitch -Name "ExternalSwitch" -NetAdapterName "Ethernet" -AllowManagementOS $true

# Verify the switch was created
Get-VMSwitch | Select Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS

Step 4: Assign VLANs to Hyper-V VMs

Assign specific VLAN IDs to VM network adapters so each VM communicates only within its assigned VLAN:

# Set VLAN on a VM's network adapter (access mode - VM sees untagged frames)
Set-VMNetworkAdapterVlan -VMName "WebServer01" -VMNetworkAdapterName "Network Adapter" -Access -VlanId 100

# Verify VLAN assignment
Get-VMNetworkAdapterVlan -VMName "WebServer01"

# Set VLAN on multiple VMs
$vms = @{
    "WebServer01" = 100
    "DBServer01"  = 200
    "AppServer01" = 100
}
foreach ($vm in $vms.GetEnumerator()) {
    Set-VMNetworkAdapterVlan -VMName $vm.Key -Access -VlanId $vm.Value
    Write-Host "Set VLAN $($vm.Value) on $($vm.Key)"
}

Step 5: Configure Trunk Mode for VMs Requiring Multiple VLANs

Some VMs (such as virtual firewalls or network appliances) need to receive traffic from multiple VLANs simultaneously. Configure the VM network adapter in trunk mode:

# Configure VM adapter for trunk mode (receives tagged frames for listed VLANs)
Set-VMNetworkAdapterVlan -VMName "vFirewall01" -Trunk -AllowedVlanIdList "100,200,300,400" -NativeVlanId 1

# Verify trunk configuration
Get-VMNetworkAdapterVlan -VMName "vFirewall01" | Select OperationMode, AllowedVlanIdList, NativeVlanId

Step 6: Configure Management OS VLAN

Isolate Hyper-V host management traffic on a specific VLAN by configuring the management OS virtual adapter:

# Set VLAN for the management OS virtual adapter on a specific switch
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "ExternalSwitch" -Access -VlanId 999

# Verify management OS VLAN (the adapter name is read from ParentAdapter)
Get-VMNetworkAdapterVlan -ManagementOS | Select @{Name="Name"; Expression={ $_.ParentAdapter.Name }}, OperationMode, AccessVlanId

Step 7: Verify VLAN Configuration End-to-End

After configuration, verify VLAN traffic is properly isolated and routed:

# Verify VLAN interfaces on the physical host
Get-NetAdapter | Where-Object { $_.Name -like "*VLAN*" } | Select Name, InterfaceAlias, Status, LinkSpeed

# Test connectivity within a VLAN
Test-NetConnection -ComputerName "10.100.1.20" -InformationLevel Detailed

# Check that VLAN traffic is isolated: run this from a host or VM with an interface only in VLAN 100 (it should not reach hosts on different VLANs without routing)
Test-NetConnection -ComputerName "10.200.1.20" -InformationLevel Detailed

# View all VLAN assignments across all VMs on a Hyper-V host (the VM name is read from ParentAdapter)
Get-VM | Get-VMNetworkAdapterVlan | Where-Object { $_.OperationMode -ne "Untagged" } | Select @{Name="VMName"; Expression={ $_.ParentAdapter.VMName }}, OperationMode, AccessVlanId, AllowedVlanIdList
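
A configuration-drift check for the assignments made in Steps 4 and 5, as an added example that is not part of the original guide: it compares each VM adapter's VLAN setting with an expected map and reports VMs that are missing from the map, in the wrong mode, or on VLANs they should not reach. The $expected map reuses the guide's sample VM names and VLAN IDs and is an assumption to replace with your own design.

```powershell
# Added example, not from the original guide. $expected reuses the sample
# VM names and VLAN IDs from Steps 4 and 5 (assumption: replace with your own).
$expected = @{
    'WebServer01' = @{ Mode = 'Access'; Vlans = @(100) }
    'DBServer01'  = @{ Mode = 'Access'; Vlans = @(200) }
    'AppServer01' = @{ Mode = 'Access'; Vlans = @(100) }
    'vFirewall01' = @{ Mode = 'Trunk';  Vlans = @(100, 200, 300, 400) }
}

$findings = foreach ($s in (Get-VM | Get-VMNetworkAdapterVlan)) {
    $vm   = $s.ParentAdapter.VMName
    $mode = [string]$s.OperationMode
    $want = $expected[$vm]

    # VLANs this adapter can reach in its current mode (empty when untagged)
    $actual = @(switch ($mode) {
        'Access' { $s.AccessVlanId }
        'Trunk'  { $s.AllowedVlanIdList }
    })

    $issue = if (-not $want) {
        "not in the expected map (mode $mode)"
    } elseif ($mode -ne $want.Mode) {
        "mode is $mode, expected $($want.Mode)"
    } else {
        $extra   = @($actual | Where-Object { $_ -notin $want.Vlans })
        $missing = @($want.Vlans | Where-Object { $_ -notin $actual })
        if ($extra.Count -or $missing.Count) {
            "unexpected VLANs: [$($extra -join ',')]; missing VLANs: [$($missing -join ',')]"
        }
    }

    if ($issue) {
        [pscustomobject]@{ VMName = $vm; Adapter = $s.ParentAdapter.Name; Issue = $issue }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'All VM adapters match the expected VLAN map.'
}
```

Run it on the Hyper-V host in an elevated session; a VM that was added without a VLAN assignment shows up as "not in the expected map (mode Untagged)".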

VLAN tagging on Windows Server 2016 provides the flexibility to isolate workloads, reduce broadcast domains, and enforce network security boundaries without additional hardware. Whether configuring VLANs for physical server adapters or for Hyper-V virtual machines, Windows Server 2016 offers comprehensive 802.1Q support through both PowerShell and graphical management tools.