(no major updates with 2019) Server 2012 introduced support for PVLANs, which provides isolation between virtual machines on the same VLAN. (A common example is a guest network in a hotel where all guest want to communicate with the outside world e.g. through a router - but avoid communication with each-other).
You can do this by assigning every virtual machine in a PVLAN one primary VLAN ID and one or more secondary VLAN IDs. The PVLAN ports can operate in one of three modes
- Isolated (cant communicate at layer 2)
- Promiscuous (Promiscuous ports can communicate with any port on the same primary VLAN ID - this would be the router in our hotel example)
- Community ports on the same VLAN ID can communicate at layer 2)