How to Configure VLAN Tagging on Windows Server 2012 R2

How to Configure VLAN Tagging on Windows Server 2012 R2

VLAN (Virtual LAN) tagging allows a Windows Server 2012 R2 server to participate in a segmented network by tagging outbound Ethernet frames with an IEEE 802.1Q VLAN ID and accepting inbound frames tagged with specific VLAN IDs. This is essential for host configurations where a single physical NIC or a NIC team connects to a trunk port on a managed switch, and the server needs to communicate on multiple VLANs simultaneously — commonly used for iSCSI storage, management, VM traffic, and production networks on the same physical cabling. This guide covers configuring 802.1Q VLAN tagging through NIC vendor tools, the built-in PowerShell networking stack, and for virtual switches in Hyper-V.

Prerequisites

VLAN tagging requires a managed network switch configured with a trunk (tagged) port connected to the server. The switch port must be configured to allow the specific VLAN IDs you plan to use. Your network interface card must support VLAN tagging — virtually all enterprise-grade NICs from Intel, Broadcom, Mellanox, and QLogic support 802.1Q. The NIC vendor’s driver package should be installed for the best management experience. You need local Administrator rights. Before making changes, verify the current network configuration and ensure you have an alternative management path (such as IPMI/iDRAC/iLO) in case you lose network connectivity during configuration.

Understanding VLAN Configuration Options in Windows Server 2012 R2

Windows Server 2012 R2 supports VLAN configuration through several mechanisms:

• NIC team VLAN interfaces — Create virtual interfaces on a NIC team with different VLAN IDs (recommended for servers)
• Hyper-V virtual switch VLAN isolation — Assign VMs to specific VLANs through the virtual switch
• Direct NIC VLAN tagging — Configure the physical NIC driver to tag/untag frames for a specific VLAN (single VLAN per NIC)

Creating a NIC Team for VLAN Trunking

NIC teaming is the recommended approach for server VLAN configurations. Create a team first, then add VLAN interfaces on top of it:

# List available network adapters
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, LinkSpeed | Format-Table

# Create a NIC team from two physical adapters
New-NetLbfoTeam -Name "ServerTeam" `
    -TeamMembers "Ethernet1","Ethernet2" `
    -TeamingMode LACP `
    -LoadBalancingAlgorithm TransportPorts `
    -Confirm:$false

# Verify team creation
Get-NetLbfoTeam | Select-Object Name, TeamingMode, LoadBalancingAlgorithm | Format-Table
Get-NetAdapter -Name "ServerTeam" | Select-Object Name, Status, LinkSpeed

Creating VLAN Interfaces on the NIC Team

Add virtual network interfaces (team interfaces) for each VLAN the server needs to communicate on:

# Create a VLAN interface for the Management VLAN (VLAN 10)
Add-NetLbfoTeamNic -Team "ServerTeam" -VlanID 10 -Name "Team-VLAN10-Mgmt"

# Create a VLAN interface for the Production VLAN (VLAN 20)
Add-NetLbfoTeamNic -Team "ServerTeam" -VlanID 20 -Name "Team-VLAN20-Prod"

# Create a VLAN interface for iSCSI storage (VLAN 100)
Add-NetLbfoTeamNic -Team "ServerTeam" -VlanID 100 -Name "Team-VLAN100-iSCSI"

# Create a "native" (untagged) interface on the team (no VLAN ID = untagged traffic)
# The default team NIC already handles the native VLAN:
Get-NetLbfoTeamNic -Team "ServerTeam" | Select-Object Name, VlanID | Format-Table

Verify the VLAN interfaces were created:

# List all team NICs and their VLAN IDs
Get-NetLbfoTeamNic -Team "ServerTeam" | Select-Object Name, VlanID, Status | Format-Table

# List all network adapters including VLAN interfaces
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status | Format-Table

Assigning IP Addresses to VLAN Interfaces

After creating the VLAN interfaces, assign static IP addresses appropriate for each VLAN:

# Assign IP to Management VLAN interface
New-NetIPAddress -InterfaceAlias "Team-VLAN10-Mgmt" `
    -IPAddress "10.10.10.50" `
    -PrefixLength 24 `
    -DefaultGateway "10.10.10.1"

# Assign DNS for the management interface
Set-DnsClientServerAddress -InterfaceAlias "Team-VLAN10-Mgmt" `
    -ServerAddresses "10.10.10.10","10.10.10.11"

# Assign IP to Production VLAN interface
New-NetIPAddress -InterfaceAlias "Team-VLAN20-Prod" `
    -IPAddress "10.10.20.50" `
    -PrefixLength 24
# No default gateway on non-management VLANs to control routing

# Assign IP to iSCSI VLAN interface
New-NetIPAddress -InterfaceAlias "Team-VLAN100-iSCSI" `
    -IPAddress "10.10.100.50" `
    -PrefixLength 24
# No DNS or default gateway on storage VLAN

# Verify IP addresses
Get-NetIPAddress | Where-Object {$_.InterfaceAlias -like "Team-*"} |
    Select-Object InterfaceAlias, IPAddress, PrefixLength | Format-Table

Configuring VLAN Tagging on a Single Physical NIC (Non-Teamed)

For a single physical NIC participating in a single VLAN (access port mode), configure the VLAN ID directly through the NIC driver properties:

# Set VLAN ID on a physical NIC directly (driver must support this)
# This is typically done through the NIC driver's advanced properties

# Check current VLAN ID on a NIC
Get-NetAdapterAdvancedProperty -Name "Ethernet1" | 
    Where-Object {$_.RegistryKeyword -like "*VLAN*"} |
    Select-Object Name, RegistryKeyword, RegistryValue | Format-Table

# Set VLAN ID via adapter advanced property (Intel NICs)
Set-NetAdapterAdvancedProperty -Name "Ethernet1" `
    -RegistryKeyword "VlanID" `
    -RegistryValue 20

# Or for Broadcom NICs (keyword name may vary)
Set-NetAdapterAdvancedProperty -Name "Ethernet1" `
    -RegistryKeyword "*VlanID" `
    -RegistryValue 20

# Restart the adapter to apply VLAN change
Disable-NetAdapter -Name "Ethernet1" -Confirm:$false
Enable-NetAdapter -Name "Ethernet1"

Hyper-V VLAN Configuration for Virtual Machines

In Hyper-V environments, VLANs are commonly configured on virtual switch ports rather than on each VM’s virtual NIC driver:

# Create an external Hyper-V switch connected to the physical NIC team
New-VMSwitch -Name "ExternalSwitch" `
    -NetAdapterName "ServerTeam" `
    -AllowManagementOS $true

# Set VLAN on a specific VM's virtual NIC
# This assigns the VM to VLAN 20 (Production)
Set-VMNetworkAdapterVlan -VMName "WebServer01" `
    -VlanId 20 `
    -Access

# Verify VM VLAN configuration
Get-VMNetworkAdapterVlan -VMName "WebServer01"

# Configure trunk mode on a VM virtual NIC (for VMs that need to handle tagged traffic)
Set-VMNetworkAdapterVlan -VMName "RouterVM" `
    -Trunk `
    -NativeVlanId 1 `
    -AllowedVlanIdList "10,20,30,100"

# Verify trunk configuration
Get-VMNetworkAdapterVlan -VMName "RouterVM"

Configuring QoS Policies per VLAN Interface

Apply Quality of Service policies to prioritize traffic on specific VLAN interfaces:

# Create a QoS policy to prioritize iSCSI storage traffic
New-NetQosPolicy -Name "iSCSI-Traffic" `
    -NetworkProfile Domain `
    -Precedence 255 `
    -DSCPAction 46 `
    -InterfaceAlias "Team-VLAN100-iSCSI"

# Create a QoS policy for management traffic
New-NetQosPolicy -Name "Management-Traffic" `
    -NetworkProfile Domain `
    -Precedence 200 `
    -DSCPAction 16 `
    -InterfaceAlias "Team-VLAN10-Mgmt"

# Verify QoS policies
Get-NetQosPolicy | Select-Object Name, DSCPAction, InterfaceAlias | Format-Table

Verification

# Verify VLAN interfaces and their IP assignments
Get-NetAdapter | Select-Object Name, Status, LinkSpeed | Format-Table

# Verify IP configuration on all VLAN interfaces
Get-NetIPConfiguration | Where-Object {$_.InterfaceAlias -like "Team-*"} |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway | Format-Table

# Test connectivity on each VLAN
Test-NetConnection -ComputerName "10.10.10.1" -InformationLevel Quiet  # Management gateway
Test-NetConnection -ComputerName "10.10.20.1" -InformationLevel Quiet  # Production gateway
Test-NetConnection -ComputerName "10.10.100.1" -InformationLevel Quiet # iSCSI gateway

# Verify VLAN IDs in use
Get-NetLbfoTeamNic | Select-Object Name, VlanID, Status | Format-Table

# Monitor traffic on VLAN interfaces
Get-NetAdapterStatistics | Where-Object {$_.Name -like "Team-*"} |
    Select-Object Name, ReceivedBytes, SentBytes | Format-Table

Summary

VLAN tagging on Windows Server 2012 R2 is most effectively implemented through NIC teaming combined with team VLAN interface creation, allowing a single physical connection to participate in multiple VLANs simultaneously. Create a NIC team for redundancy, then add VLAN interfaces with the appropriate 802.1Q VLAN IDs, assigning IP addresses to each interface for the corresponding network segment. For Hyper-V hosts, configure VLAN assignments at the virtual switch port level for clean separation between VMs on different VLANs. Always ensure the upstream switch port is configured as a trunk port allowing all required VLAN IDs before configuring the server-side VLAN interfaces.