Hyper-V WMI – Creating External Only Virtual Switch (i.e. Do Not Allow Management Traffic)

In response to a few of my old posts, "Hyper-V WMI Using PowerShell Scripts – Part 5 (Creating Virtual Switchs/Networks)" and "Hyper-V V2: Guest Only External Networks + Add Roles Wizard Changes", I’ve had a lot of people ask me how to create external virtual switches that do not allow management traffic, i.e. guest-only external switches or VM-only external switches.

So here you go – do note that I am using my ProcessWMIJob function from my past posting "Hyper-V WMI: Rich Error Messages for Non-Zero ReturnValue (no more 32773, 32768, 32700…)".

function CreateSwitch
{
    param
    (
        [string] $SwitchName = $null,
        [string] $PhysicalNICName = $null
    )

    # Step 1: create the new virtual switch
    $VirtualSwitchService = Get-WmiObject -Namespace "root\virtualization"  -Class "Msvm_VirtualSwitchManagementService"
    $CreatedSwitch = ($VirtualSwitchService.CreateSwitch([guid]::NewGuid().ToString(), $SwitchName, "1024","") `
        | ProcessWMIJob $VirtualSwitchService "CreateSwitch").CreatedVirtualSwitch

    # Step 2: identify the external (physical) network adapter by name
    $ExternalNic = Get-WmiObject -Namespace "root\virtualization" -Class "Msvm_ExternalEthernetPort" `
        -Filter "Name = '$PhysicalNICName'"
    # Step 3: bind the Hyper-V virtual switch driver to the physical NIC
    $VirtualSwitchService.BindExternalEthernetPort($ExternalNic.__PATH) `
        | ProcessWMIJob $VirtualSwitchService "BindExternalEthernetPort"
    # Step 4: find the LAN endpoint of the physical NIC
    $ExternalNicEndPoint = $ExternalNic.GetRelated("CIM_LanEndpoint")
    # Step 5: create the external (uplink) port on the new switch
    $ExternalSwitchPort = ($VirtualSwitchService.CreateSwitchPort($CreatedSwitch, `
        [Guid]::NewGuid().ToString(), "ExternalSwitchPort", "") `
        | ProcessWMIJob $VirtualSwitchService "CreateSwitchPort").CreatedSwitchPort
    # Step 6: connect the switch port to the NIC's LAN endpoint
    $VirtualSwitchService.ConnectSwitchPort($ExternalSwitchPort, $ExternalNicEndPoint) `
        | ProcessWMIJob $VirtualSwitchService "ConnectSwitchPort"
}

The process is pretty straightforward – and even more so if you consider the Hyper-V networking model…

  1. We create a new virtual switch using the CreateSwitch(…) API. Think of this as racking a new physical switch.
  2. We identify the external network adapter we are going to connect to. Think of this as identifying the patch port you will connect the switch to.
  3. We bind the Hyper-V virtual switch driver to the physical NIC with the BindExternalEthernetPort(…) API. Think of this as plugging one end of a cable into the patch panel.
  4. We identify the LAN endpoint of the physical NIC. Think of this as finding the other end of the cable from the patch panel.
  5. We create an external port on the virtual switch we created in step 1. Think of this as configuring and enabling the uplink port on the new switch.
  6. We connect the ports… Plug the uplink cable into the new switch.
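
A way to check the result of the steps above, as an added example that is not part of the original post: it walks the ports of a switch and reports whether any parent-partition (internal) adapter is attached, which is what would carry management traffic. The function name Test-GuestOnlySwitch is hypothetical, and the traversal assumes the `root\virtualization` associations can be followed with GetRelated in the same way the post follows them from the NIC to its LAN endpoint.

```powershell
# Added example (not from the original post). Assumes the v1 "root\virtualization"
# namespace used above and that GetRelated() resolves switch -> port -> endpoint -> NIC.
function Test-GuestOnlySwitch
{
    param
    (
        [Parameter(Mandatory = $true)]
        [string] $SwitchName
    )

    # Match on ElementName client-side so the name is never spliced into a WQL filter
    $switch = @(Get-WmiObject -Namespace "root\virtualization" -Class "Msvm_VirtualSwitch" |
        Where-Object { $_.ElementName -eq $SwitchName })
    if ($switch.Count -ne 1)
    {
        throw "Expected exactly one switch named '$SwitchName', found $($switch.Count)."
    }

    $internal = @()
    $external = @()
    foreach ($port in $switch[0].GetRelated("Msvm_SwitchPort"))
    {
        # Each connected port has a LAN endpoint; VM endpoints yield no host NIC here
        foreach ($endpoint in $port.GetRelated("CIM_LanEndpoint"))
        {
            $internal += @($endpoint.GetRelated("Msvm_InternalEthernetPort"))
            $external += @($endpoint.GetRelated("Msvm_ExternalEthernetPort"))
        }
    }

    # Guest only = an uplink to a physical NIC and no adapter exposed to the parent partition
    New-Object PSObject -Property @{
        SwitchName       = $SwitchName
        ExternalAdapters = @($external | ForEach-Object { $_.ElementName })
        InternalAdapters = @($internal | ForEach-Object { $_.ElementName })
        GuestOnly        = ($internal.Count -eq 0 -and $external.Count -gt 0)
    }
}

# Usage (switch name is a constructed sample value):
#   Test-GuestOnlySwitch -SwitchName "GuestOnlyExternal" | Format-List
```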


Taylor Brown
Hyper-V Enterprise Deployment Team