connected to the port or at a VM level running on the host. Additionally, for a
tagged port, it is possible to configure inclusions and exclusions for the VLAN IDs
accepted on that port. For example, a port configured as tagged may be configured
to allow only VLAN ID 10 through. A trunk port would be configured with all of
the VLAN IDs that needed to be passed between switches.
When a port is configured as untagged, that port does not require traffic to be
tagged with a VLAN ID. Instead, the switch automatically tags frames received from
the host with the default VLAN ID configured on the port (the port VLAN ID, or PVID)
before they are forwarded to other hosts or switches. For inbound traffic to the
switch destined for the host, the VLAN tag is stripped and the untagged frame is sent
to the host. On many switches, all ports are configured by default as untagged with a
VLAN ID of 1.
To summarize:
Tagged The port expects traffic to be tagged when receiving.
Untagged The port expects traffic to not be tagged and will apply a default
VLAN ID. Any traffic that has a VLAN tag will be dropped.
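To make the tagged/untagged behavior concrete, here is an added Python example (not code from the book) that parses the 802.1Q tag out of a raw Ethernet frame and models the two port types just summarized: a tagged port with an inclusion list (or trunk-style "allow everything"), and an untagged port with a default VLAN ID that tags frames on ingress, strips the tag on egress, and drops any frame that arrives already tagged. The sample frames are constructed inline; the class and function names are illustrative, not any switch vendor's API.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_MASK = 0x0FFF            # the VLAN ID is the low 12 bits of the TCI field
RESERVED_VIDS = {0, 0x0FFF}  # 0 = priority tag only, 4095 = reserved


def usable_vlan_count() -> int:
    """12 bits give 4,096 values; two are reserved, leaving 4,094 usable IDs."""
    return (1 << 12) - len(RESERVED_VIDS)


def parse_frame(frame: bytes):
    """Return (vid or None, inner EtherType, frame with the tag removed).

    Layout: dst(6) src(6) [TPID(2) TCI(2)] EtherType(2) payload...
    TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
    """
    if len(frame) < 14:
        raise ValueError("frame too short")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame            # untagged frame
    if len(frame) < 18:
        raise ValueError("tagged frame too short")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & VID_MASK, inner_type, frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC of an untagged frame."""
    if not 0 < vid < 0x0FFF:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


class TaggedPort:
    """Tagged port: frames must arrive tagged, and the VID must be included.
    allowed_vids=None models a trunk-style port that passes every VLAN."""

    def __init__(self, allowed_vids=None):
        self.allowed = None if allowed_vids is None else set(allowed_vids)

    def ingress(self, frame: bytes):
        vid, _, _ = parse_frame(frame)
        if vid is None:
            return None                          # untagged frame on a tagged port: dropped
        if self.allowed is not None and vid not in self.allowed:
            return None                          # VID not in the inclusion list: dropped
        return vid, frame                        # forwarded with its tag intact


class UntaggedPort:
    """Untagged port: tags ingress with the PVID, strips the tag on egress."""

    def __init__(self, pvid: int):
        self.pvid = pvid

    def ingress(self, frame: bytes):             # host -> switch
        vid, _, _ = parse_frame(frame)
        if vid is not None:
            return None                          # already tagged: dropped, even if vid == pvid
        return self.pvid, add_tag(frame, self.pvid)

    def egress(self, frame: bytes) -> bytes:     # switch -> host
        _, _, stripped = parse_frame(frame)
        return stripped


# Constructed sample: an untagged IPv4 frame (EtherType 0x0800) with a dummy payload.
UNTAGGED_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                  + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)


def demo():
    """Exercise each port type and return what it forwarded (None = dropped)."""
    trunk = TaggedPort()                 # trunk-style: all VLAN IDs allowed
    restricted = TaggedPort([10, 20])    # inclusion list: only VLAN 10 and 20
    access = UntaggedPort(pvid=1)        # default VLAN ID 1, as on many switches
    return {
        "restricted_vid10": restricted.ingress(add_tag(UNTAGGED_FRAME, 10)),
        "restricted_vid30": restricted.ingress(add_tag(UNTAGGED_FRAME, 30)),
        "trunk_vid30": trunk.ingress(add_tag(UNTAGGED_FRAME, 30)),
        "access_untagged": access.ingress(UNTAGGED_FRAME),
        "access_tagged_vid1": access.ingress(add_tag(UNTAGGED_FRAME, 1)),
        "access_egress": access.egress(add_tag(UNTAGGED_FRAME, 1)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'dropped' if result is None else 'forwarded'}")
```

Feeding a tagged frame into the `UntaggedPort` is the case to watch: it is dropped even when the VLAN ID equals the port's PVID, which is exactly why a Hyper-V host whose VMs tag their own traffic must not sit behind an untagged switch port.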
Another limitation of VLANs is the number that can exist in an environment. The
VLAN ID field in the 802.1Q header is 12 bits long, which gives 4,096 values, but IDs
0 and 4,095 are reserved, so only 4,094 are usable. Even that is a theoretical
maximum; most switches limit the number of active VLANs to around 1,000. This may
still seem like a lot, but if the organization is a hosting provider with thousands of
tenants, a limit of 1,000, or even 4,094, makes VLANs an unusable solution. Also,
remember the complexity issue: managing 1,000 VLANs across hundreds of servers
would not be a pleasant experience!
VLANs and Hyper-V
Even with the pain points of VLANs, the reality is that you are probably using VLANs,
will still use them for some time even when using Network Virtualization, and want to
use them with your virtual machines. It is completely possible to have some virtual
machines in one VLAN and other virtual machines in other VLANs. While there are
different ways to configure VLANs, with Hyper-V there is really only one supported
and reliable way to use them that keeps them manageable and easy to troubleshoot:
Configure the switch port that is connected to the Hyper-V host in tagged mode
and configure it to have inclusions for all of the VLAN IDs that will be used by VMs
connected to that host. Another option is to run the port essentially in a trunk-type
mode and allow all VLAN IDs through the port to avoid potential configuration
challenges when a new VLAN ID is used by a VM on the host. Definitely do not
configure the port as untagged with any kind of default VLAN ID. I cannot stress
this enough. If a switch port is configured as untagged and it receives traffic that is
tagged, that traffic will be dropped even if the VLAN ID matches the VLAN the port