How to Configure Hyper-V Switch Extensions on Windows Server 2012 R2

Hyper-V Virtual Switch Extensions are plug-ins that extend the capabilities of the Hyper-V virtual switch. Extensions can inspect, modify, capture, and forward network packets as they traverse the virtual switch. They enable scenarios like network monitoring, deep packet inspection, firewall enforcement, and QoS policy enforcement at the virtual switch layer. Windows Server 2012 R2 includes several built-in extensions, and third-party vendors (such as Cisco, Juniper, and NEC) provide additional extensions for advanced networking features.

Types of Hyper-V Switch Extensions

There are three types of Hyper-V switch extensions:

  • Capturing Extensions: Observe and capture packets without modifying them. Used for monitoring, IDS/IPS integration, and traffic analysis. They run in pass-through mode and cannot block or modify traffic
  • Filtering Extensions: Can inspect and either pass or drop packets. Used for firewalls, ACL enforcement, and security policy. They can modify packet content
  • Forwarding Extensions: Control how packets are forwarded through the switch, replacing the default forwarding behaviour. Only one forwarding extension can be active per switch. Used for SDN (Software Defined Networking) and advanced switching scenarios

Built-in Extensions in Windows Server 2012 R2

Windows Server 2012 R2 includes the following built-in extensions:

  • Microsoft Windows Filtering Platform: A capturing/filtering extension that integrates with Windows Filtering Platform (WFP) for network packet filtering
  • Microsoft Hyper-V Network Virtualization Filter Driver: The HNV NVGRE encapsulation extension used for network virtualisation
  • Microsoft Azure VFP Switch Extension: Virtual Filtering Platform used in Azure environments

Prerequisites

  • Windows Server 2012 R2 with Hyper-V role installed
  • At least one virtual switch created
  • Third-party extensions installed via their vendor’s installation package (if using non-built-in extensions)

Step 1 — View Installed Extensions

List all switch extensions installed on the Hyper-V host:

Get-VMSystemSwitchExtension

View extensions currently active on a specific virtual switch:

Get-VMSwitchExtension -VMSwitchName "ExternalSwitch"

The output shows each extension’s Name, Enabled status, and Running status. An extension can be installed but not enabled on a particular switch.

Step 2 — Enable or Disable an Extension

Enable an extension on a specific virtual switch:

Enable-VMSwitchExtension -VMSwitchName "ExternalSwitch" -Name "Microsoft Windows Filtering Platform"

Disable an extension:

Disable-VMSwitchExtension -VMSwitchName "ExternalSwitch" -Name "Microsoft Windows Filtering Platform"

Enable the HNV filter driver (required for Network Virtualisation):

Enable-VMSwitchExtension -VMSwitchName "HNV-Switch" -Name "Microsoft Hyper-V Network Virtualization Filter Driver"

Step 3 — View Extension Status on All Switches

Get-VMSwitch | ForEach-Object {
    $Switch = $_
    Get-VMSwitchExtension -VMSwitchName $Switch.Name | Select-Object @{N='Switch';E={$Switch.Name}}, Name, Enabled, Running
} | Format-Table -AutoSize
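
The status listing above can be turned into a baseline check. This is an added example, not part of the original guide: `Test-SwitchExtensionBaseline`, its parameters and the sample rows are hypothetical names and constructed data, and the function relies only on the SwitchName, Name, Enabled and Running properties that `Get-VMSwitchExtension` returns.

```powershell
# Added example: flag extension state that deviates from an approved baseline.
function Test-SwitchExtensionBaseline {
    [CmdletBinding()]
    param(
        # Objects exposing SwitchName, Name, Enabled, Running
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Extension,
        [Parameter(Mandatory)] [string[]] $Approved,  # extensions allowed to be enabled
        [string[]] $Required = @()                    # extensions that must be enabled
    )
    begin { $enabledBySwitch = @{} }
    process {
        $sw = $Extension.SwitchName
        if (-not $enabledBySwitch.ContainsKey($sw)) { $enabledBySwitch[$sw] = @() }
        if (-not $Extension.Enabled) { return }
        $enabledBySwitch[$sw] += $Extension.Name
        if ($Approved -notcontains $Extension.Name) {
            [pscustomobject]@{ Switch = $sw; Extension = $Extension.Name
                               Finding = 'Enabled but not in approved baseline' }
        }
        if (-not $Extension.Running) {
            [pscustomobject]@{ Switch = $sw; Extension = $Extension.Name
                               Finding = 'Enabled but not running' }
        }
    }
    end {
        # A required extension that is disabled on a switch silently removes its policy.
        foreach ($sw in $enabledBySwitch.Keys) {
            foreach ($name in $Required) {
                if ($enabledBySwitch[$sw] -notcontains $name) {
                    [pscustomobject]@{ Switch = $sw; Extension = $name
                                       Finding = 'Required extension not enabled' }
                }
            }
        }
    }
}

# Constructed sample rows. On a Hyper-V host, pipe in real data instead:
#   Get-VMSwitch | ForEach-Object { Get-VMSwitchExtension -VMSwitchName $_.Name }
$wfp = 'Microsoft Windows Filtering Platform'
$sample = @(
    [pscustomobject]@{ SwitchName = 'ExternalSwitch'; Name = $wfp; Enabled = $false; Running = $false }
    [pscustomobject]@{ SwitchName = 'ExternalSwitch'; Name = 'VendorName Extension'; Enabled = $true; Running = $false }
    [pscustomobject]@{ SwitchName = 'HNV-Switch'; Name = $wfp; Enabled = $true; Running = $true }
)
$sample | Test-SwitchExtensionBaseline -Approved $wfp -Required $wfp | Format-Table -AutoSize
```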

Step 4 — Configure Extension Order

When multiple extensions of the same type are installed, their order determines which extension processes packets first. For capturing extensions, order affects which extension gets to inspect the packet before others. Configure the order:

# View current extension order:
Get-VMSwitch -Name "ExternalSwitch" | Select-Object -ExpandProperty Extensions

# Set extension order (not directly supported via Set-VMSwitch; managed through vendor tools or registry)

Step 5 — Working with Port Extensions (Per-Port Configuration)

Extensions can also operate at the per-port level, providing different behaviour for each VM’s virtual network adapter connection. View port extension settings:

Get-VMNetworkAdapter -VMName "ProductionVM01" | Get-VMNetworkAdapterExtendedAcl

Add an ACL rule via the extended ACL (uses Windows Filtering Platform extension internally):

Add-VMNetworkAdapterExtendedAcl -VMName "ProductionVM01" -VMNetworkAdapterName "Network Adapter" -Action Allow -Direction Inbound -LocalIPAddress "0.0.0.0/0" -RemoteIPAddress "0.0.0.0/0" -LocalPort 80 -Protocol TCP -Weight 100

Step 6 — Configure VMSwitch ACLs via Built-in Extension

Windows Server 2012 R2 supports basic port-level ACLs that use the WFP extension under the hood:

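# Add-VMNetworkAdapterAcl matches on IP or MAC address only. Rules that match on
# port and protocol use Add-VMNetworkAdapterExtendedAcl, which requires -Weight
# (rules with a higher weight are processed first).

# Block inbound RDP (port 3389) to a specific VM:
Add-VMNetworkAdapterExtendedAcl -VMName "WebServer01" -Action Deny -Direction Inbound -LocalPort 3389 -Protocol TCP -Weight 30

# Allow HTTP and HTTPS only (implicit deny for other inbound traffic would require additional deny rules):
Add-VMNetworkAdapterExtendedAcl -VMName "WebServer01" -Action Allow -Direction Inbound -LocalPort 80 -Protocol TCP -Weight 20
Add-VMNetworkAdapterExtendedAcl -VMName "WebServer01" -Action Allow -Direction Inbound -LocalPort 443 -Protocol TCP -Weight 10

# View extended ACLs on a VM's network adapter:
Get-VMNetworkAdapterExtendedAcl -VMName "WebServer01"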
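
The comment above notes that allowing HTTP and HTTPS does not by itself deny other inbound traffic. The following added example (not part of the original guide) builds an allow-list plus an explicit lowest-weight deny-all as parameter sets for `Add-VMNetworkAdapterExtendedAcl` and checks the plan offline before anything is applied. `New-InboundAclPlan` and `Test-InboundAclPlan` are hypothetical helper names, and the evaluator assumes the highest-weight matching rule decides.

```powershell
# Added example: plan an inbound TCP allow-list with an explicit catch-all deny.
function New-InboundAclPlan {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [int[]] $AllowedTcpPorts
    )
    $weight = 100
    foreach ($port in $AllowedTcpPorts) {
        # One allow rule per port, each with a unique weight
        @{ VMName = $VMName; Action = 'Allow'; Direction = 'Inbound'
           LocalPort = $port; Protocol = 'TCP'; Weight = $weight }
        $weight--
    }
    # Catch-all: no port or protocol, lowest weight, so it is processed last.
    @{ VMName = $VMName; Action = 'Deny'; Direction = 'Inbound'; Weight = 1 }
}

# Offline check: return the action of the highest-weight rule matching the port.
function Test-InboundAclPlan {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Plan,
        [Parameter(Mandatory)] [int] $Port
    )
    $match = $Plan |
        Where-Object { -not $_.ContainsKey('LocalPort') -or $_.LocalPort -eq $Port } |
        Sort-Object { $_.Weight } -Descending |
        Select-Object -First 1
    $match.Action
}

$plan = New-InboundAclPlan -VMName 'WebServer01' -AllowedTcpPorts 80, 443
foreach ($p in 80, 443, 3389) {
    '{0,5} -> {1}' -f $p, (Test-InboundAclPlan -Plan $plan -Port $p)
}

# Apply on the Hyper-V host once the plan is verified:
# foreach ($rule in $plan) { Add-VMNetworkAdapterExtendedAcl @rule }
```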

Step 7 — Installing a Third-Party Extension

Third-party extensions (for example, a network monitoring extension from a vendor) are installed as device drivers through standard Windows installer packages. After installation:

# Verify the extension appears in the installed extensions list:
Get-VMSystemSwitchExtension | Where-Object { $_.Name -like "*VendorName*" }

# Enable it on a specific switch:
Enable-VMSwitchExtension -VMSwitchName "ExternalSwitch" -Name "VendorName Extension"

Step 8 — Removing Extension Configurations

Remove VMNetworkAdapter ACLs:

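# Port/protocol rules are extended ACLs and are removed by direction and weight.
# Use the -Weight the rule was created with (30 is an example value):
Remove-VMNetworkAdapterExtendedAcl -VMName "WebServer01" -Direction Inbound -Weight 30

Remove all ACLs from a VM’s network adapter:

Get-VMNetworkAdapterAcl -VMName "WebServer01" | Remove-VMNetworkAdapterAcl
Get-VMNetworkAdapterExtendedAcl -VMName "WebServer01" | Remove-VMNetworkAdapterExtendedAcl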

Troubleshooting Extension Issues

VMs lose network connectivity after enabling an extension: Check if a forwarding extension is conflicting with the default forwarding behaviour. Only one forwarding extension can be active per switch. Disable the extension and verify connectivity is restored before investigating further.

Extension shows as enabled but not running: This typically indicates a driver issue or incompatibility. Check the System event log for driver errors and verify the extension version is compatible with Windows Server 2012 R2.

Get-WinEvent -LogName "System" | Where-Object { $_.Message -like "*Hyper-V*" -or $_.Message -like "*VSwitch*" } | Select-Object -First 10 TimeCreated, Message

Summary

Hyper-V Switch Extensions on Windows Server 2012 R2 provide a powerful extensibility point for adding network functionality at the virtual switch layer. The built-in Windows Filtering Platform and HNV extensions cover the most common use cases for security policy enforcement and network virtualisation. Third-party extensions from network vendors enable deep packet inspection, advanced monitoring, and SDN capabilities. Understanding how to enable, order, and troubleshoot extensions ensures that your Hyper-V networking infrastructure remains functional and properly secured.