Introduction to Hyper-V Virtual Networking
Virtual networking is one of the most complex and important aspects of a Hyper-V deployment on Windows Server 2022. The Hyper-V Virtual Switch is a Layer 2 software switch that runs in the hypervisor and provides connectivity between virtual machines and between VMs and the physical network. Beyond basic connectivity, the Hyper-V virtual switch supports advanced features including VLAN tagging, bandwidth management, SR-IOV passthrough, port mirroring, and extensible switch extensions. This guide covers virtual switch architecture, network adapter management, VLAN configuration, bandwidth limiting, and common troubleshooting steps.
Hyper-V Virtual Switch Architecture
The Hyper-V Virtual Switch operates in the management OS partition (the host) and is accessible to all virtual machine partitions through the Virtual Machine Bus (VMBus), a high-speed memory-mapped communication channel. When a Generation 2 VM sends network traffic, the synthetic network adapter in the VM communicates directly with the Virtual Switch via VMBus, bypassing the device emulation layer entirely. This results in significantly lower CPU overhead and higher throughput than emulated adapters.
Each virtual network adapter attached to a VM creates a port on the virtual switch. The switch applies per-port policies including VLAN membership, bandwidth caps, MAC address restrictions, and security settings like DHCP guard and router guard. Switch-level extensions (from Microsoft or third-party vendors) can apply additional policies such as monitoring, filtering, and forwarding rules across all switch ports simultaneously.
Managing Virtual Network Adapters
Virtual machines can have multiple network adapters connected to different virtual switches, enabling segregated management, storage, and production traffic on separate virtual networks. Add a new network adapter to a stopped or running VM:
Add-VMNetworkAdapter -VMName "WebServer01" -SwitchName "ExternalSwitch" -Name "ProductionNIC"
Add a second adapter connected to a different switch for a dedicated storage or backup network:
Add-VMNetworkAdapter -VMName "WebServer01" -SwitchName "StorageSwitch" -Name "StorageNIC"
List all network adapters attached to a VM:
Get-VMNetworkAdapter -VMName "WebServer01"
Connect a network adapter to a different switch:
Connect-VMNetworkAdapter -VMName "WebServer01" -Name "ProductionNIC" -SwitchName "InternalSwitch"
Disconnect a network adapter from all switches (leaves it in an unconnected state):
Disconnect-VMNetworkAdapter -VMName "WebServer01" -Name "StorageNIC"
Remove a network adapter from a VM:
Remove-VMNetworkAdapter -VMName "WebServer01" -Name "StorageNIC"
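Update settings on an existing adapter, such as enabling MAC address spoofing, which lets the guest send frames with a source MAC address other than the one assigned to its adapter (leave it Off unless the workload requires it):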
Set-VMNetworkAdapter -VMName "WebServer01" -Name "ProductionNIC" -MacAddressSpoofing On
VLAN Configuration and Tagging
VLAN tagging in Hyper-V allows virtual machines to be logically segmented at Layer 2 without requiring separate physical networks. The Hyper-V Virtual Switch can operate in access mode (assigning a VM to a single VLAN) or trunk mode (passing multiple VLAN tags to a VM, typically used for network appliances). Configure a VM network adapter to operate in VLAN access mode, assigning it to VLAN 100:
Set-VMNetworkAdapterVlan -VMName "WebServer01" -VMNetworkAdapterName "ProductionNIC" `
-Access -VlanId 100
Configure trunk mode on a VM adapter, allowing VLANs 100 through 110 to pass through, with VLAN 1 as the native (untagged) VLAN:
Set-VMNetworkAdapterVlan -VMName "RouterVM01" -VMNetworkAdapterName "TrunkNIC" `
-Trunk -AllowedVlanIdList "100-110" -NativeVlanId 1
Verify the VLAN configuration on a VM’s adapters:
Get-VMNetworkAdapterVlan -VMName "WebServer01"
Remove VLAN tagging from an adapter (revert to untagged/access on VLAN 0):
Set-VMNetworkAdapterVlan -VMName "WebServer01" -VMNetworkAdapterName "ProductionNIC" -Untagged
VLAN configuration on the virtual switch port is independent of the physical switch trunk configuration. Ensure the physical switch port connected to the external virtual switch is configured as a trunk port carrying all the VLANs you intend to use in your virtual environment.
Bandwidth Management
Hyper-V bandwidth management allows administrators to control the minimum and maximum network throughput allocated to each VM network adapter. This prevents a single VM from saturating the physical network adapter and impacting other VMs on the host. Bandwidth settings are specified in bits per second. Set a minimum bandwidth of 100 Mbps and maximum of 1 Gbps on a VM adapter:
Set-VMNetworkAdapter -VMName "WebServer01" -Name "ProductionNIC" `
-MinimumBandwidthAbsolute 100000000 `
-MaximumBandwidth 1000000000
Alternatively, use weight-based minimum bandwidth (relative to other VMs on the same switch). The weight is a value from 1 to 100:
Set-VMNetworkAdapter -VMName "WebServer01" -Name "ProductionNIC" `
-MinimumBandwidthWeight 50
Note that you cannot mix absolute and weight-based bandwidth management on the same virtual switch — you must configure the switch for one mode. Configure the switch bandwidth mode when creating it:
New-VMSwitch -Name "ExternalSwitch" -NetAdapterName "Ethernet" `
-AllowManagementOS $true `
-MinimumBandwidthMode Absolute
Check current bandwidth settings for a VM adapter:
(Get-VMNetworkAdapter -VMName "WebServer01" -Name "ProductionNIC").BandwidthSetting
SR-IOV: Single Root I/O Virtualisation
SR-IOV is a hardware feature that allows a single physical network adapter to present multiple independent virtual functions (VFs) directly to virtual machines, bypassing the Hyper-V Virtual Switch entirely. This delivers near line-rate performance with minimal CPU overhead, making SR-IOV ideal for latency-sensitive workloads like financial applications, HPC, and high-throughput network functions. SR-IOV requires a physical adapter that supports it (most modern Intel X710, Mellanox ConnectX, and similar server adapters), and the virtual switch must be created with SR-IOV enabled:
New-VMSwitch -Name "SriovSwitch" -NetAdapterName "Intel X710" `
-AllowManagementOS $true `
-EnableIov $true
Enable SR-IOV on a specific VM network adapter:
Set-VMNetworkAdapter -VMName "HPC-Node01" -Name "DataNIC" -IovWeight 100
Verify that SR-IOV is active on the adapter (the IovUsage property will show VF when a virtual function is actively assigned):
Get-VMNetworkAdapter -VMName "HPC-Node01" -Name "DataNIC" | Select-Object Name, IovWeight, IovUsage, Status
MAC Address Management
Hyper-V assigns MAC addresses to virtual network adapters from a configurable pool. The default MAC address range is 00-15-5D-xx-xx-xx (Microsoft’s IEEE-assigned OUI). In large environments or when using VM mobility features, you may need to adjust the MAC address range to prevent conflicts with other Hyper-V hosts on the same network.
View and configure the host’s MAC address pool:
Get-VMHost | Select-Object MacAddressMinimum, MacAddressMaximum
Set-VMHost -MacAddressMinimum "00155D010000" -MacAddressMaximum "00155D01FFFF"
Assign a static MAC address to a specific VM adapter (useful when MAC-based DHCP reservations are needed):
Set-VMNetworkAdapter -VMName "WebServer01" -Name "ProductionNIC" `
-StaticMacAddress "00-15-5D-01-00-10"
Revert to a dynamic MAC address:
Set-VMNetworkAdapter -VMName "WebServer01" -Name "ProductionNIC" -DynamicMacAddress
DHCP Guard and Router Guard
DHCP Guard prevents a VM from acting as a rogue DHCP server on the network. When enabled on a virtual switch port, any DHCP server responses originating from that VM are dropped by the virtual switch before they can reach other VMs or the physical network. This is an important security feature in multi-tenant or untrusted guest environments:
Set-VMNetworkAdapter -VMName "UserVM01" -Name "ProductionNIC" -DhcpGuard On
Router Guard prevents a VM from sending router advertisement (RA) messages, which could cause other machines to route traffic through the VM. Enable it on untrusted guest ports:
Set-VMNetworkAdapter -VMName "UserVM01" -Name "ProductionNIC" -RouterGuard On
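Enable both across VMs in a single pipeline. As written, this applies to every adapter of every VM on the host, so filter out any VM that legitimately serves DHCP or routes traffic before running it: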
Get-VM | Get-VMNetworkAdapter | Set-VMNetworkAdapter -DhcpGuard On -RouterGuard On
NIC Teaming Inside Virtual Machines
Windows Server 2022 guest VMs support NIC teaming using built-in Windows NIC Teaming (LBFO) within the guest, combining multiple virtual adapters into a single teamed interface for redundancy or load balancing. However, Hyper-V also supports a simpler approach: you can directly enable NIC teaming in the virtual machine configuration, which allows the guest OS to use teaming across multiple virtual adapters attached to different virtual switches or physical adapters. Enable NIC teaming at the VM configuration level:
Set-VMNetworkAdapter -VMName "WebServer01" -AllowTeaming On
Inside the guest VM, configure the team using the standard Windows NIC Teaming GUI in Server Manager or via PowerShell in the guest:
# Run inside the guest VM:
New-NetLbfoTeam -Name "ProductionTeam" `
-TeamMembers "Ethernet","Ethernet 2" `
-TeamingMode SwitchIndependent `
-LoadBalancingAlgorithm Dynamic
Port Mirroring
Port mirroring on the Hyper-V Virtual Switch allows all traffic from one VM’s network adapter to be copied and sent to another VM acting as a network monitor or IDS/IPS. Configure the source VM adapter as the mirror source:
Set-VMNetworkAdapter -VMName "WebServer01" -Name "ProductionNIC" -PortMirroring Source
Configure the monitoring VM’s adapter as the mirror destination:
Set-VMNetworkAdapter -VMName "NetworkMonitor01" -Name "MonitorNIC" -PortMirroring Destination
Both the source and destination adapters must be connected to the same virtual switch. The monitoring VM will receive a copy of all traffic from the source adapter but cannot inject traffic back into the switch. Disable port mirroring:
Set-VMNetworkAdapter -VMName "WebServer01" -Name "ProductionNIC" -PortMirroring None
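The per-port settings covered above (MAC address spoofing, DHCP Guard, Router Guard, port mirroring) can be audited across adapters in one pass. The following is an added example, not code from the original guide; the function name, the `-InfrastructureVM` allow-list and the VM name `DhcpSrv01` are assumptions made for illustration.

```powershell
# Added example: flags per-port settings that weaken isolation between guests.
# Input objects need the properties Get-VMNetworkAdapter emits:
# VMName, Name, MacAddressSpoofing, DhcpGuard, RouterGuard, PortMirroringMode.
function Test-VMPortHardening {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Adapter,
        # Hypothetical allow-list: VMs that legitimately serve DHCP or route traffic.
        [string[]] $InfrastructureVM = @()
    )
    process {
        $findings = @()
        $trusted  = $InfrastructureVM -contains $Adapter.VMName
        if ("$($Adapter.MacAddressSpoofing)" -eq 'On') {
            $findings += 'MacAddressSpoofing On: guest may use any source MAC'
        }
        if (-not $trusted -and "$($Adapter.DhcpGuard)" -ne 'On') {
            $findings += 'DhcpGuard Off: DHCP server replies from this guest are forwarded'
        }
        if (-not $trusted -and "$($Adapter.RouterGuard)" -ne 'On') {
            $findings += 'RouterGuard Off: router advertisements from this guest are forwarded'
        }
        if ("$($Adapter.PortMirroringMode)" -ne 'None') {
            $findings += "PortMirroring $($Adapter.PortMirroringMode): confirm the mirror is intended"
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ VMName = $Adapter.VMName; Adapter = $Adapter.Name; Finding = $f }
        }
    }
}

# Constructed sample data so the logic can be tried without a Hyper-V host.
$sample = @(
    [pscustomobject]@{ VMName='UserVM01'; Name='ProductionNIC'; MacAddressSpoofing='On'
                       DhcpGuard='Off'; RouterGuard='On'; PortMirroringMode='None' }
    [pscustomobject]@{ VMName='DhcpSrv01'; Name='ProductionNIC'; MacAddressSpoofing='Off'
                       DhcpGuard='Off'; RouterGuard='Off'; PortMirroringMode='None' }
    [pscustomobject]@{ VMName='NetworkMonitor01'; Name='MonitorNIC'; MacAddressSpoofing='Off'
                       DhcpGuard='On'; RouterGuard='On'; PortMirroringMode='Destination' }
)
$sample | Test-VMPortHardening -InfrastructureVM 'DhcpSrv01' | Format-Table -AutoSize

# On a host: Get-VM | Get-VMNetworkAdapter | Test-VMPortHardening -InfrastructureVM 'DhcpSrv01'
```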
Virtual Switch Extensions
The Hyper-V Virtual Switch supports extensibility through drivers called Virtual Switch Extensions. Extensions can act as forwarding extensions (replacing the default forwarding behaviour), filtering extensions (inspecting and modifying packets), or monitoring extensions (capturing traffic for analysis). Microsoft ships one built-in extension: the Microsoft Windows Filtering Platform (WFP) extension, which integrates with Windows Firewall. List all installed extensions on a switch:
Get-VMSwitchExtension -VMSwitchName "ExternalSwitch"
Enable or disable a specific extension:
Enable-VMSwitchExtension -VMSwitchName "ExternalSwitch" -Name "Microsoft Windows Filtering Platform"
Disable-VMSwitchExtension -VMSwitchName "ExternalSwitch" -Name "Microsoft Windows Filtering Platform"
Troubleshooting Hyper-V Networking
When VMs lose network connectivity or cannot communicate with each other, begin troubleshooting by verifying the virtual switch configuration and the VM adapter connection status. Check that the VM adapter is connected and shows a valid switch name:
Get-VMNetworkAdapter -VMName "WebServer01" | Select-Object Name, SwitchName, Connected, MacAddress, IPAddresses
Verify the external virtual switch is bound to the physical adapter and that the adapter is up:
Get-VMSwitch -Name "ExternalSwitch" | Select-Object Name, SwitchType, NetAdapterInterfaceDescription
Get-NetAdapter | Where-Object InterfaceDescription -like "Hyper-V Virtual Ethernet Adapter*"
Check for duplicate IP addresses or VLAN mismatches. If a VM cannot reach the default gateway, confirm the VLAN ID on the VM adapter matches the VLAN configured on the physical switch port for that access port. The Event Viewer path Applications and Services Logs > Microsoft > Windows > Hyper-V-VmSwitch contains detailed virtual switch events including port state changes, policy failures, and extension errors.
Get-WinEvent -LogName "Microsoft-Windows-Hyper-V-VmSwitch/Operational" -MaxEvents 50 | Select-Object TimeCreated, Id, Message
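The VLAN mismatch check described above can be scripted by comparing each adapter's VLAN settings with the VLANs the physical trunk carries. This is an added example, not code from the original guide; the function names and the `-UplinkVlan` list (which you supply from the physical switch configuration) are assumptions.

```powershell
# Expand a VLAN list such as "100-110,200" (or a space-separated ID list) into integers.
function Expand-VlanList {
    param([string] $List)
    foreach ($part in ($List -split '[,\s]+' | Where-Object { $_ })) {
        $lo, $hi = $part -split '-', 2
        if (-not $hi) { $hi = $lo }
        ([int]$lo)..([int]$hi)
    }
}

# Input objects need the properties Get-VMNetworkAdapterVlan emits:
# ParentAdapter (VMName, Name), OperationMode, AccessVlanId, AllowedVlanIdList.
function Test-VlanAgainstUplink {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Vlan,
        # Assumption: the VLAN IDs the physical trunk port carries, supplied by you.
        [Parameter(Mandatory)] [int[]] $UplinkVlan
    )
    process {
        # Untagged and other modes request no tagged VLAN, so $wanted stays empty.
        $wanted = @(switch ("$($Vlan.OperationMode)") {
            'Access' { [int]$Vlan.AccessVlanId }
            'Trunk'  { Expand-VlanList "$($Vlan.AllowedVlanIdList)" }
        })
        $missing = @($wanted | Where-Object { $UplinkVlan -notcontains $_ })
        [pscustomobject]@{
            VMName  = $Vlan.ParentAdapter.VMName
            Adapter = $Vlan.ParentAdapter.Name
            Mode    = "$($Vlan.OperationMode)"
            Missing = $missing -join ','
            Ok      = ($missing.Count -eq 0)
        }
    }
}

# Constructed sample data so the logic can be tried without a Hyper-V host.
$sample = @(
    [pscustomobject]@{ ParentAdapter = [pscustomobject]@{ VMName='WebServer01'; Name='ProductionNIC' }
                       OperationMode='Access'; AccessVlanId=100; AllowedVlanIdList='' }
    [pscustomobject]@{ ParentAdapter = [pscustomobject]@{ VMName='RouterVM01'; Name='TrunkNIC' }
                       OperationMode='Trunk'; AccessVlanId=0; AllowedVlanIdList='100-110' }
)
$sample | Test-VlanAgainstUplink -UplinkVlan (100..105) | Format-Table -AutoSize

# On a host:
# Get-VM | Get-VMNetworkAdapter | Get-VMNetworkAdapterVlan | Test-VlanAgainstUplink -UplinkVlan (100..105)
```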
Conclusion
The Hyper-V Virtual Switch in Windows Server 2022 is far more capable than a basic connectivity layer. By combining VLAN tagging for traffic segmentation, bandwidth management for quality of service, DHCP Guard and Router Guard for security, and SR-IOV for high-performance workloads, administrators can build sophisticated virtual network architectures entirely in software. Mastering these PowerShell cmdlets enables repeatable, scriptable network configuration across large Hyper-V deployments, and understanding the troubleshooting paths helps resolve connectivity issues efficiently.