Introduction to VLANs on Windows Server 2019

Virtual LAN (VLAN) support in Windows Server 2019 allows you to logically segment your network into multiple isolated broadcast domains on the same physical infrastructure. In a Windows Server context, VLANs are typically configured on virtual network adapters in Hyper-V, on NIC Team interfaces (LBFO team NICs), or directly on physical adapters that support VLAN tagging. VLANs allow you to separate management traffic, storage traffic, VM traffic, and user traffic onto distinct logical networks with different security policies, bandwidth reservations, and Quality of Service (QoS) profiles — all over the same physical cables and switches.

Windows Server 2019 supports IEEE 802.1Q VLAN tagging, which adds a 4-byte tag to Ethernet frames to identify which VLAN they belong to. The switch must be configured with trunk ports or access ports to pass these tagged frames correctly.

Configuring VLAN on a Physical Adapter

Some physical network adapters support VLAN tagging in their driver without needing NIC teaming. View available adapters and check VLAN support:

Get-NetAdapter | Select Name, InterfaceDescription, Status, MacAddress

Check if the adapter supports VLAN tagging (look for VlanId in advanced properties):

Get-NetAdapterAdvancedProperty -Name "Ethernet 1" | Where-Object {$_.RegistryKeyword -like "*VLAN*"}

Set the VLAN ID on the adapter (tags all traffic from this adapter with VLAN 100):

Set-NetAdapterAdvancedProperty -Name "Ethernet 1" -RegistryKeyword "VlanId" -RegistryValue "100"

Restart the adapter for the change to take effect:

Restart-NetAdapter -Name "Ethernet 1"

Configuring VLANs on NIC Team Interfaces

NIC Team interfaces (created with New-NetLbfoTeam) are the recommended way to configure multiple VLANs on a server without teaming switch dependencies. Create a team first:

New-NetLbfoTeam -Name "HostTeam" -TeamMembers "Ethernet 1","Ethernet 2" -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort

Add team NIC interfaces for each VLAN:

# Management VLAN - VLAN 10
Add-NetLbfoTeamNic -Team "HostTeam" -VlanID 10 -Name "HostTeam-MGMT"

# Live Migration VLAN - VLAN 20
Add-NetLbfoTeamNic -Team "HostTeam" -VlanID 20 -Name "HostTeam-LiveMig"

# Storage VLAN - VLAN 30
Add-NetLbfoTeamNic -Team "HostTeam" -VlanID 30 -Name "HostTeam-Storage"

# Cluster Heartbeat VLAN - VLAN 40
Add-NetLbfoTeamNic -Team "HostTeam" -VlanID 40 -Name "HostTeam-Cluster"

Assign static IPs to each VLAN interface:

New-NetIPAddress -InterfaceAlias "HostTeam-MGMT" -IPAddress 10.10.0.100 -PrefixLength 24 -DefaultGateway 10.10.0.1
New-NetIPAddress -InterfaceAlias "HostTeam-LiveMig" -IPAddress 10.20.0.100 -PrefixLength 24
New-NetIPAddress -InterfaceAlias "HostTeam-Storage" -IPAddress 10.30.0.100 -PrefixLength 24
New-NetIPAddress -InterfaceAlias "HostTeam-Cluster" -IPAddress 10.40.0.100 -PrefixLength 24

Configuring VLANs on Hyper-V Virtual Switches

When running Hyper-V, configure VLANs on virtual switch ports to isolate VM traffic. Create an external virtual switch bound to the management team:

New-VMSwitch -Name "ExternalSwitch" -NetAdapterName "HostTeam-VMs" -AllowManagementOS $true

Assign a VLAN to a specific VM’s virtual adapter:

Set-VMNetworkAdapterVlan -VMName "WebServer01" -VlanId 100 -Access

Configure trunk mode on a VM adapter (allows the VM to process its own 802.1Q tags, useful for firewalls or routers running as VMs):

Set-VMNetworkAdapterVlan -VMName "RouterVM" -Trunk -AllowedVlanIdList "10,20,30,40,100-200" -NativeVlanId 1

View VLAN configuration on all VMs:

Get-VM | Get-VMNetworkAdapterVlan | Select VMName, OperationMode, AccessVlanId, AllowedVlanIdList

Configuring QoS Policies per VLAN

Apply DSCP tagging to differentiate traffic types for QoS at the switch level:

# Tag storage traffic with DSCP 46 (EF - Expedited Forwarding)
New-NetQosPolicy -Name "Storage Traffic" -IPDstPrefix "10.30.0.0/24" -DSCPAction 46

# Tag management traffic with DSCP 24
New-NetQosPolicy -Name "Management Traffic" -IPDstPrefix "10.10.0.0/24" -DSCPAction 24

Enable DCB (Data Center Bridging) for lossless storage network traffic:

Install-WindowsFeature -Name "Data-Center-Bridging"
Enable-NetQosDcbxSetting -Willing $false
New-NetQosTrafficClass -Name "SMB Direct" -Priority 3 -BandwidthPercentage 50 -Algorithm ETS

Verifying VLAN Configuration

Check the team NIC interfaces and their VLAN assignments:

Get-NetLbfoTeamNic | Select Name, VlanId, Team

Verify IP configuration per VLAN interface:

Get-NetIPAddress | Where-Object {$_.AddressFamily -eq "IPv4"} | Select InterfaceAlias, IPAddress, PrefixLength

Test VLAN connectivity with ping:

Test-NetConnection -ComputerName 10.30.0.101 -InterfaceAlias "HostTeam-Storage" -InformationLevel Detailed

Proper VLAN configuration on Windows Server 2019 is fundamental to a well-designed network where storage, cluster, live migration, and management traffic are isolated from each other to prevent interference and ensure predictable performance.