Virtual Local Area Networks in Windows

The use of virtual local area networks (VLAN) is commonly associated with managed switches and router subinterfaces. However, that is not the whole picture: delivering tagged frames directly to a server can be a good solution in some situations. This article is only a brief description of how to make it work; it is up to the reader to decide which situations call for such a setup and when a trunk to the server is possible.

To proceed, we need two devices: a managed switch with 802.1Q support and a network card whose drivers support the same trunking protocol. Switches that support only ISL will not work here, because the drivers support only 802.1p/802.1Q encapsulation. We will configure the server on the Microsoft Windows operating system.

The current Marvell NIC drivers support VLANs and link aggregation. To show how simple the solution can be, we use a PC (hereafter called the test server) with Windows XP x64 Professional SP2 Eng operating system on which we have installed the latest NIC drivers (available on the vendor’s website) and the control utility (Network Control Utility for Aggregation and VLANs in x86 & x64 XP, Server 2003, Vista, Server 2008) for Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller.

From the additional tabs that appear in the adapter properties panel we select the VLAN tab. In the Existing VLANs list we add the new VLAN IDs we are going to use. We add two virtual LANs (2 and 3).

As a result, two new virtual network adapters (one per VLAN) are attached to the original physical controller and become available in “Network Connections”. On the main (physical) NIC only the Marvell VLAN Protocol remains enabled.

Then, in the properties of each of the other connections, we go to the Advanced tab to check that each virtual NIC is assigned to the correct VLAN ID.

Now we need to configure network parameters and assign IP addresses to the virtual network adapters. This could be done manually or via DHCP (at this step the trunk is not up yet, so a DHCP lease cannot be obtained). We decided to configure the IP parameters manually.

C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : FOX
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VLAN 3: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-1B-FC-E1-E2-FF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Inet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VLAN 2: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-1B-FC-E1-E2-FF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1

Such a model can be used to build a server that is directly reachable from several VLANs through OSI Layer 2 devices only. Another application of the model is a server that performs network and port address translation (NAT/PAT). Let us configure a test bench in which a notebook (laptop) connects to the internet through a desktop computer using ICS (Internet Connection Sharing). ICS configuration in Windows XP is described here. The test server is configured in the same way.

Now we need to configure the switch our devices are connected to. In our case it was a Cisco Catalyst WS-C2960G-24TC-L; its IOS version is shown below. Some inessential parts are omitted.

WS-C2960G-24TC-L#sho ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 21-Aug-08 15:59 by nachen
Image text-base: 0x00003000, data-base: 0x01200000
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)
WS-C2960G-24TC-L uptime is 32 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbasek9-mz.122-46.SE.bin"
cisco WS-C2960G-24TC-L (PowerPC405) processor (revision D0) with 61440K/4088K bytes of memory.
Processor board ID FOC1209U0D2
Last reset from power-on
1 Virtual Ethernet interface
24 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:1F:C9:24:13:00
Motherboard assembly number : 73-10015-06
Power supply part number : 341-0098-01
Motherboard serial number : FOC12090HR4
Power supply serial number : AZS120515AU
Model revision number : D0
Motherboard revision number : A0
Model number : WS-C2960G-24TC-L
System serial number : FOC1209U0D2
Top Assembly Part Number : 800-26673-03
Top Assembly Revision Number : B0
Version ID : V03
CLEI Code Number : 453091
Hardware Board Revision Number : 0x01
Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1 24    WS-C2960G-24TC-L   12.2(46)SE   C2960-LANBASEK9-M
Configuration register is 0xF

After the switch boots, we erase its configuration and start from the initial config. First, we choose Transparent as the VTP mode, though for large corporate networks this part of the configuration may differ substantially.

WS-C2960G-24TC-L#sho vtp sta
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 7
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x74 0xAD 0xAC 0x6F 0xD1 0x5C 0xBB 0x8B
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Then we create the virtual LANs in the switch configuration and assign its physical interfaces to these VLANs. We use port Gi0/20 for the internet connection, whereas Gi0/19 faces the local network. A description of Cisco switch configuration is beyond the scope of this article.

WS-C2960G-24TC-L#sho vla bri
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/11, Gi0/12, Gi0/13
                                                Gi0/14, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/18, Gi0/21, Gi0/22, Gi0/23
                                                Gi0/24
2    2Inet                            active    Gi0/20
3    2Local                           active    Gi0/19
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Port Gi0/1 is connected to the routing server through the trunk. The resulting configuration is listed below.

interface GigabitEthernet0/1
description 2TaggedCompRouter
switchport trunk allowed vlan 2,3
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
description 2Local
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/20
description 2Inet
switchport access vlan 2
switchport mode access
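To make concrete what the per-VLAN virtual adapters on the server and the switchport trunk allowed vlan 2,3 line on Gi0/1 do at the frame level, here is an added Python example; it is not part of the original article nor code from Marvell or Cisco. It builds 802.1Q-tagged frames as a virtual adapter would hand them to the physical NIC, parses the tag back out, and models the allowed-VLAN check the switch applies on the trunk port. The MAC addresses come from the article's listings; the payload, the helper names and the trunk_accepts function are constructed for illustration, and the native-VLAN handling assumes the Cisco IOS default of VLAN 1 for untagged frames.

```python
import struct

TPID_8021Q = 0x8100        # Ethertype value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# MAC addresses from the article's ipconfig listings: the test server's NIC
# and the notebook's NIC.
SERVER_MAC = "00-1B-FC-E1-E2-FF"
LAPTOP_MAC = "00-22-15-16-3C-BE"


def mac_to_bytes(text):
    """Accept '00-1B-FC-E1-E2-FF', '00:1b:...' or IOS '001b.fce1.e2ff'."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % text)
    return bytes.fromhex(digits)


def bytes_to_mac(raw):
    return "-".join("%02X" % b for b in raw)


def build_tagged_frame(dst_mac, src_mac, vlan_id, payload,
                       ethertype=ETHERTYPE_IPV4, pcp=0):
    """Build an Ethernet II frame with one 802.1Q tag (FCS omitted).

    This is what a per-VLAN virtual adapter hands to the physical NIC: the
    4-byte tag (TPID + TCI) sits between the source MAC and the original
    Ethertype, so the frame grows from 14 to 18 header bytes.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # DEI bit left clear
    tag_and_type = struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + tag_and_type + payload


def parse_frame(frame):
    """Return dst, src, vlan (None when untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src), "vlan": vlan,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def trunk_accepts(frame, allowed_vlans, native_vlan=1):
    """Model of 'switchport trunk allowed vlan' on an ingress trunk port.

    A tagged frame is accepted only if its VID is in the allowed list. An
    untagged frame is treated as belonging to the native VLAN (assumed to be
    the Cisco IOS default, VLAN 1) and is accepted only if that VLAN is
    allowed as well; with 'allowed vlan 2,3' it is dropped.
    """
    info = parse_frame(frame)
    vid = info["vlan"] if info["vlan"] is not None else native_vlan
    return vid in allowed_vlans


if __name__ == "__main__":
    # Constructed IPv4-looking payload; its content is irrelevant to the tag logic.
    payload = b"\x45\x00" + b"\x00" * 18
    for vid in (2, 3, 5):
        frame = build_tagged_frame(LAPTOP_MAC, SERVER_MAC, vid, payload)
        print(vid, parse_frame(frame)["vlan"], trunk_accepts(frame, {2, 3}))
```

The point of the allowed-list model is the one the switch configuration makes implicitly: VLAN 1, which every other access port on the switch belongs to, never crosses Gi0/1, tagged or untagged, so the server sees only the two VLANs it was given adapters for.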

Other L2 devices can be configured in the same way. An example of the switch configuration for a Linksys RVS4000 is shown below.

Let’s go back to our test bench (WS-C2960G-24TC-L) and check its bridge table to make sure that both devices at the trunk endpoints properly recognise the dot1q encapsulation received from each other. We see that the MAC address 001b.fce1.e2ff is visible in both VLANs.

WS-C2960G-24TC-L#sho mac add dy
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    001b.fce1.e2ff    DYNAMIC     Gi0/1
   2    001c.10f4.c166    DYNAMIC     Gi0/20
   3    001b.fce1.e2ff    DYNAMIC     Gi0/1
   3    0022.1516.3cbe    DYNAMIC     Gi0/19
Total Mac Addresses for this criterion: 4
WS-C2960G-24TC-L#
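The bridge-table check above is easy to automate, which is useful when the same verification has to be repeated after every driver or switch change. The following Python is an added example, not part of the article: it parses the text of show mac address-table dynamic, converts between the Windows and IOS MAC notations, and confirms that the server's MAC is learned on the trunk port in exactly the expected VLANs and on no other port. The sample table is constructed from the listing above; the function names are the example's own.

```python
import re

# Constructed sample modelled on the 'sho mac add dy' listing above.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    001b.fce1.e2ff    DYNAMIC     Gi0/1
   2    001c.10f4.c166    DYNAMIC     Gi0/20
   3    001b.fce1.e2ff    DYNAMIC     Gi0/1
   3    0022.1516.3cbe    DYNAMIC     Gi0/19
Total Mac Addresses for this criterion: 4
"""

# One table row: VLAN, dotted MAC, learning type, port. Header, separator and
# "Total ..." lines do not start with a number followed by a MAC, so they are skipped.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Accept Windows '00-1B-FC-E1-E2-FF' or IOS '001b.fce1.e2ff'; return IOS form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples from IOS MAC-table output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append((int(vlan), mac.lower(), kind.upper(), port))
    return entries


def vlans_seen_on_port(entries, mac, port):
    """Sorted list of VLANs in which 'mac' has been learned on 'port'."""
    mac = normalize_mac(mac)
    return sorted({vlan for vlan, m, _, p in entries if m == mac and p == port})


def check_trunk_endpoint(entries, mac, port, expected_vlans):
    """True when 'mac' is learned on the trunk port in every expected VLAN and nowhere else.

    A host that shows up on another port as well would indicate a wiring or
    tagging mistake (or a duplicate MAC), so that case fails the check too.
    """
    mac = normalize_mac(mac)
    on_trunk = vlans_seen_on_port(entries, mac, port)
    elsewhere = [(v, p) for v, m, _, p in entries if m == mac and p != port]
    return on_trunk == sorted(expected_vlans) and not elsewhere


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    print(vlans_seen_on_port(table, "00-1B-FC-E1-E2-FF", "Gi0/1"))
    print(check_trunk_endpoint(table, "00-1B-FC-E1-E2-FF", "Gi0/1", {2, 3}))
```

Feeding the function the real output (for example, captured over SSH) gives a single pass/fail answer to the question the article checks by eye: is the server reachable in both VLANs over the trunk, and only there.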

Now we configure the network settings of the ASUS Eee PC 900 notebook (see the listing below) and connect it to switch port Gi0/19 with a patch cord.

Windows IP Configuration
Host Name . . . . . . . . . . . . : fox
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros L2 Fast Ethernet 10/100 Base-T Controller
Physical Address. . . . . . . . . : 00-22-15-16-3C-BE
DHCP Enabled. . . . . . . . . . . : No
IPv4 Address. . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.100.1

The only thing left is to check that the internet can be reached from the server and from the test laptop through the routing server. Some of the network hops the data passes through are deliberately hidden; the reader should not be confused by this.

Tracing route to www.ru [194.87.0.50]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 192.168.1.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 19 ms 12 ms 12 ms 83.217.192.169
7 10 ms 11 ms 13 ms 193.232.244.35
8 22 ms 32 ms 15 ms 194.87.0.111
9 10 ms 18 ms 19 ms 194.87.0.50
Trace complete.

We see that the internet is accessed from the server. Now we trace the route to the same internet address from the notebook.

Tracing route to www.ru [194.87.0.50]
over a maximum of 30 hops:
1 1 ms <1 мс <1 мс 192.168.0.1
2 1 ms 1 ms 1 ms 192.168.1.1
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 22 ms 17 ms 22 ms 83.217.192.169
8 10 ms 19 ms 20 ms 193.232.244.35
9 19 ms 13 ms 16 ms 194.87.0.111
10 18 ms 13 ms 13 ms 194.87.0.50
Trace complete.

The route tracing shows the desired result: packets sent from the laptop to the internet reach the test server at the first hop. The diagram below shows how the traffic passes through the test bench. Such a configuration makes it possible to install a billing solution, network statistics software, antivirus software, or any other software on this soft router.

It is important to mention that in such a model the trunk carries twice the traffic, as each packet is transmitted from the switch to the routing server first and then sent back to the switch over the same physical link.

The model we demonstrate allows connecting the server via a trunk. As a result, cheaper router hardware and fewer switch ports are needed for such a server connection.
