Introduction to Hyper-V Virtual Networking on Windows Server 2019
Hyper-V virtual networking is the fabric that connects virtual machines to each other, to the physical network, and to the Hyper-V host. Windows Server 2019 introduces several significant networking improvements over previous versions, including support for Software Defined Networking (SDN), the Virtual Filtering Platform (VFP) extension, Switch Embedded Teaming (SET), virtual machine queue (VMQ), SR-IOV, and enhanced network virtualisation capabilities. This guide covers creating and managing virtual switches, configuring virtual NICs, implementing network isolation, and tuning virtual network performance.
Virtual Switch Types
Hyper-V supports three virtual switch types:
External: Binds to a physical network adapter. VMs connected to this switch can communicate with the physical network, external hosts, and the internet. The Hyper-V host can also communicate on this switch via a management vNIC.
Internal: Exists only between VMs on the same host and the host itself. No physical adapter binding — traffic stays within the host.
Private: Exists only between VMs on the same host. The host cannot communicate on this switch. Used for completely isolated VM networks (e.g., test environments).
Create Virtual Switches
# List available physical network adapters
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, LinkSpeed | Format-Table
# Create an External virtual switch bound to a specific NIC
New-VMSwitch -Name "External-vSwitch" `
-NetAdapterName "Ethernet" `
-AllowManagementOS $true `
-Notes "Production external switch"
# Create an Internal switch (host can communicate with VMs)
New-VMSwitch -Name "Internal-vSwitch" `
-SwitchType Internal `
-Notes "Internal management network"
# Create a Private switch (isolated VM-to-VM only)
New-VMSwitch -Name "Private-vSwitch" `
-SwitchType Private `
-Notes "Isolated test network"
# List all virtual switches
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS | Format-TableConfigure Switch Embedded Teaming (SET)
SET is a Hyper-V-integrated NIC teaming solution that combines multiple physical NICs at the virtual switch level, providing bandwidth aggregation and redundancy without Windows NIC Teaming. SET supports up to 8 physical adapters per team and is required for SR-IOV and RDMA combined with vSwitch:
# Create an External switch with SET (team two NICs)
New-VMSwitch -Name "External-SET-vSwitch" `
-NetAdapterName "Ethernet","Ethernet 2" `
-EnableEmbeddedTeaming $true `
-AllowManagementOS $true
# Verify SET configuration
Get-VMSwitch -Name "External-SET-vSwitch" |
Select-Object Name, EmbeddedTeamingEnabled, NetAdapterInterfaceDescriptions | Format-List
# Check SET team members
Get-VMSwitchTeam -Name "External-SET-vSwitch"Add and Configure Virtual NICs on VMs
# Add a virtual NIC to an existing VM
Add-VMNetworkAdapter -VMName "MyVM" -Name "Production NIC" -SwitchName "External-vSwitch"
# Connect an existing vNIC to a different switch
Connect-VMNetworkAdapter -VMName "MyVM" -Name "Production NIC" -SwitchName "Internal-vSwitch"
# Set a static MAC address on a vNIC
Set-VMNetworkAdapter -VMName "MyVM" -Name "Production NIC" `
-StaticMacAddress "00-15-5D-01-02-03"
# Enable dynamic MAC address (default)
Set-VMNetworkAdapter -VMName "MyVM" -Name "Production NIC" -DynamicMacAddressEnabled $true
# List all vNICs on a VM
Get-VMNetworkAdapter -VMName "MyVM" |
Select-Object VMName, Name, SwitchName, MacAddress, IPAddresses | Format-TableConfigure VLAN Tagging
VLAN configuration on Hyper-V vNICs allows you to segment traffic between VMs and into the physical network. Access mode tags all traffic from the VM with a specific VLAN ID. Trunk mode passes multiple VLAN tags through to the VM (used for virtual appliances and VMs acting as network devices):
# Set a VM's vNIC to access mode on VLAN 10
Set-VMNetworkAdapterVlan -VMName "WebServer01" -VMNetworkAdapterName "Production NIC" `
-Access -VlanId 10
# Set to trunk mode (pass VLANs 10, 20, 30 to the VM)
Set-VMNetworkAdapterVlan -VMName "RouterVM" -VMNetworkAdapterName "Trunk NIC" `
-Trunk -AllowedVlanIdList "10,20,30" -NativeVlanId 1
# Set the host management vNIC VLAN (isolates host management traffic)
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "vEthernet (External-vSwitch)" `
-Access -VlanId 100
# View VLAN configuration
Get-VMNetworkAdapterVlan -VMName "WebServer01" | Format-ListConfigure Bandwidth Management (QoS)
Bandwidth management policies prevent individual VMs from consuming all available network bandwidth, ensuring fair distribution and priority-based allocation:
# Set minimum bandwidth (guaranteed) and maximum bandwidth (limit) on a vNIC
# Values are in Mbps
Set-VMNetworkAdapter -VMName "WebServer01" -Name "Production NIC" `
-MinimumBandwidthAbsolute 100MB `
-MaximumBandwidth 1GB
# Alternative: use weight-based bandwidth allocation
# Weight range: 1-100, proportional to other VMs on same switch
Set-VMNetworkAdapter -VMName "HighPriorityVM" -Name "Production NIC" `
-MinimumBandwidthWeight 50
Set-VMNetworkAdapter -VMName "LowPriorityVM" -Name "Production NIC" `
-MinimumBandwidthWeight 10
# View bandwidth settings
Get-VMNetworkAdapter -VMName "WebServer01" |
Select-Object VMName, MinimumBandwidthAbsolute, MaximumBandwidth | Format-TableConfigure MAC Address Spoofing and Guest Teaming
# Enable MAC address spoofing (required for some load balancer VMs and nested Hyper-V)
Set-VMNetworkAdapter -VMName "LoadBalancerVM" -Name "NIC1" -MacAddressSpoofing On
# Enable DHCP Guard (prevents VMs from acting as DHCP servers)
Set-VMNetworkAdapter -VMName "WorkstationVM" -Name "Production NIC" -DhcpGuard On
# Enable Router Guard (prevents VMs from sending Router Advertisement messages)
Set-VMNetworkAdapter -VMName "WorkstationVM" -Name "Production NIC" -RouterGuard On
# Enable Port Mirroring (mirror all traffic from one vNIC to another for monitoring)
Set-VMNetworkAdapter -VMName "MonitorVM" -Name "Mirror NIC" -PortMirroring Destination
Set-VMNetworkAdapter -VMName "WebServer01" -Name "Production NIC" -PortMirroring SourceEnable SR-IOV for High-Performance VMs
SR-IOV (Single Root I/O Virtualisation) allows VMs to access the physical NIC hardware directly via virtual functions, bypassing the virtual switch software layer and achieving near-native network performance with very low latency:
# Create an SR-IOV enabled virtual switch (physical NIC must support SR-IOV)
New-VMSwitch -Name "SRIOV-vSwitch" `
-NetAdapterName "Ethernet" `
-EnableIov $true `
-AllowManagementOS $true
# Enable SR-IOV on a VM's vNIC
Set-VMNetworkAdapter -VMName "HighPerfVM" -Name "SRIOV NIC" `
-IovWeight 100 # 1-100, higher = more virtual functions assigned
# Verify SR-IOV is active
Get-VMNetworkAdapter -VMName "HighPerfVM" |
Select-Object VMName, IovWeight, IovVirtualFunctionAssigned | Format-TableMonitor Virtual Network Performance
# Get network statistics for all VMs
Get-VMNetworkAdapter * |
Select-Object VMName, Name,
@{n="BytesSentMB";e={[math]::Round($_.BytesSent/1MB,1)}},
@{n="BytesReceivedMB";e={[math]::Round($_.BytesReceived/1MB,1)}} |
Format-Table
# Monitor virtual switch bandwidth using performance counters
Get-Counter "Hyper-V Virtual Switch(*)Bytes Sent/sec" -SampleInterval 5 -MaxSamples 3
Get-Counter "Hyper-V Virtual Switch(*)Bytes Received/sec" -SampleInterval 5 -MaxSamples 3
# Check for dropped packets (indicates bandwidth saturation or QoS issues)
Get-Counter "Hyper-V Virtual Switch(*)Dropped Packets Outgoing/sec" -SampleInterval 5 -MaxSamples 3Summary
Hyper-V virtual networking on Windows Server 2019 provides a rich set of features for both simple VM connectivity and advanced enterprise scenarios. External switches with SET teaming provide redundancy without dedicated hardware. VLANs segment traffic at the virtual switch level. Bandwidth management policies ensure fair resource allocation. DHCP Guard and Router Guard protect against rogue VM behaviour. SR-IOV delivers near-native performance for latency-sensitive workloads. Understanding and correctly applying these features is fundamental to building a reliable and secure Hyper-V infrastructure.
