PieroB83
Occasional Reader
Dec 11, 2025

Issue with Hyper-V VM on Tagged VLAN – Traffic Reaches Local Hosts but Not External Networks

Hi everyone, I’m having an issue getting a Hyper-V VM to work correctly when using a tagged VLAN interface.

I have a test VM configured with a trunk port and a tagged VLAN.

Here is the configuration I’m using:

Set-VMNetworkAdapterVlan -VMName "testvlan" -Trunk -NativeVlanId 2 -AllowedVlanIdList "4"

The strange part is this:

When the VM is on VLAN 4 (tagged), it can reach other resources on the same VLAN as long as those resources are running on the same Hyper-V host.

But if the target resource is outside the Hyper-V host, the VM cannot reach it at all.

The hardware vendor has already ruled out any issue with the top-of-rack switches interconnecting the hosts.

If I reconfigure the VM’s network adapter in access mode on the same VLAN, then all traffic works normally and the VM can reach resources outside the host without any problem.

So it seems that traffic leaves the host correctly only when the adapter is in access mode, not when using a trunk with VLAN tagging. Has anyone seen this behavior before or has suggestions on what to check next?

1 Reply

  • Would suggest trying the below:

    1.    Confirm host vSwitch and adapters
    o    List vSwitches: 

    Get-VMSwitch


    o    Check host VLAN on the vSwitch adapter: the host vNIC bound to the external vSwitch should show no VLAN ID.
    2.    Validate VM adapter state
    o    Show VLAN mode: 

    Get-VMNetworkAdapterVlan -VMName "testvlan"


    o    Expect Trunk, AllowedVlanIdList = 4, NativeVlanId = 2.
    3.    Packet capture on host uplink
    o    Use a lightweight capture (e.g., Wireshark) on the physical NIC bound to the external vSwitch.
    o    Expected: outbound frames to external targets carry 802.1Q tag 4 when the VM is on VLAN 4; replies should also arrive with tag 4.
    o    If tags are missing outbound: host/driver offload or vSwitch config is stripping tags.
    o    If tags arrive but no replies: upstream switch isn’t forwarding VLAN 4 or has ACLs/VRFs blocking.
    4.    Switch-side verification
    o    Show interface trunk status: confirm VLAN 4 is permitted and not pruned.
    o    Native/PVID: if you set NativeVlanId 2, ensure the switch port’s native/PVID is 2; consider removing native VLAN usage and operate all VM traffic as tagged to simplify.
    5.    Eliminate guest NIC VLAN conflicts
    o    If the guest OS NIC driver has VLAN features enabled, choose one of these patterns: 
        Hyper-V tags, guest untagged: VM NIC untagged, Hyper-V vNIC trunk adds/removes tags based on port setting.
        Guest tags, Hyper-V pass-through: Set VM’s Hyper-V vNIC to trunk but do not set a native; let the guest NIC tag VLAN 4.
    o    Avoid double configuration that leads to double tag or unexpected untagged frames.
    6.    Test without NativeVlanId
    o    Temporarily remove the native VLAN to reduce ambiguity: 

    Set-VMNetworkAdapterVlan -VMName "testvlan" -Trunk -AllowedVlanIdList 4


    o    Ensure the switch port has no native VLAN expectations for this traffic.
    7.    Driver/offload sanity check
    o    Temporarily disable VLAN offload features on the physical NIC. Some drivers mishandle 802.1Q with certain offloads enabled.
    o    Update NIC drivers/firmware; known issues can present exactly as “works intra-host, breaks off-host.”
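
A read-only PowerShell pass over steps 1, 2 and 7 of the reply above, added here as an example; it is not part of the original post or reply. It assumes an elevated session on the Hyper-V host with the Hyper-V and NetAdapter modules available, and `$vmName` and `$expectedVlan` are variable names introduced for illustration.

```powershell
# Added example (not from the thread): collects state only, changes nothing.
$vmName       = 'testvlan'   # VM name used in the thread
$expectedVlan = 4            # tagged VLAN used in the thread

# Step 1: external vSwitches and the physical NIC(s) each one is bound to
$external = @(Get-VMSwitch -SwitchType External)
$external | Format-Table Name, NetAdapterInterfaceDescription, AllowManagementOS | Out-Host

# Step 1: VLAN mode of every host (management OS) vNIC
Get-VMNetworkAdapterVlan -ManagementOS | Out-Host

# Step 2: VLAN mode of the VM's adapter(s)
$vmVlan = @(Get-VMNetworkAdapterVlan -VMName $vmName)
$vmVlan | Out-Host

foreach ($v in $vmVlan) {
    $nic = $v.ParentAdapter.Name
    if ($v.OperationMode -ne 'Trunk') {
        Write-Warning "${nic}: mode is $($v.OperationMode), expected Trunk"
    }
    elseif ($v.AllowedVlanIdList -notcontains $expectedVlan) {
        Write-Warning "${nic}: VLAN $expectedVlan is not in the allowed list"
    }
    elseif ($v.NativeVlanId -eq $expectedVlan) {
        # Frames on the native VLAN are the untagged ones on a trunk
        Write-Warning "${nic}: VLAN $expectedVlan is the native VLAN"
    }
    else {
        Write-Host "${nic}: Trunk, native $($v.NativeVlanId), VLAN $expectedVlan allowed"
    }
}

# Step 7: VLAN-related driver settings on each uplink NIC
foreach ($sw in $external) {
    # A teamed (SET) switch lists its members in the plural property
    $descs = @($sw.NetAdapterInterfaceDescriptions)
    if (-not $descs) { $descs = @($sw.NetAdapterInterfaceDescription) }

    Get-NetAdapter -InterfaceDescription $descs |
        Get-NetAdapterAdvancedProperty |
        Where-Object { $_.DisplayName -match 'VLAN' } |
        Format-Table Name, DisplayName, DisplayValue, RegistryKeyword |
        Out-Host
}
```

Display names of advanced properties vary by NIC vendor, so an empty table in the last step means the driver does not label any setting with "VLAN", not that offloads are disabled.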
