Virtual Local Area Networks in Windows
The use of virtual local area networks (VLAN) is commonly associated with managed switches and router subinterfaces. However, it is not exactly so. A direct transmission of tagged frames to servers can be a good solution in some particular situations. It must be mentioned that this article is only a brief description of how to make it work and it is up to the reader to decide what situation will need such a realization or when the use of trunk is possible.
To proceed, we need two devices: a managed switch with 802.1q support and a network card with drivers supporting the same trunk protocol. It is important to mention that switches using only ISL will not fit here because of the drivers that support only 802.1p/802.1q encapsulation. We will configure the server based on the Microsoft Windows operating system.
The current Marvell NIC drivers support VLANs and link aggregation. To show how simple the solution can be, we use a PC (hereafter called the test server) with Windows XP x64 Professional SP2 Eng operating system on which we have installed the latest NIC drivers (available on the vendor’s website) and the control utility (Network Control Utility for Aggregation and VLANs in x86 & x64 XP, Server 2003, Vista, Server 2008) for Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller.
From the additional tabs that appeared in the option panel we select VLAN tab. In the Existing VLANs list we need to add new VLAN IDs which we are going to use. We add two virtual LANs (2 and 3).
As a result, two new virtual network adapters (one per VLAN) will be added to the original physical controller and will become available in “Network Connections”. On the main (physical) NIC only Marvell VLAN Protocol will be enabled.
Then, in the adapter option panel of other connections we go to the Advanced tab to check that each NIC is assigned to the associated VLAN ID.
Now we need to configure network parameters and assign IP addresses to the virtual network adapters. This could be done manually or via DHCP (at this step the trunk is not up yet so DHCP leasing is not available). We decided to configure the IP parameters manually.C:\>ipconfig /allWindows IP ConfigurationHost Name . . . . . . . . . . . . : FOXPrimary Dns Suffix . . . . . . . :Node Type . . . . . . . . . . . . : UnknownIP Routing Enabled. . . . . . . . : YesWINS Proxy Enabled. . . . . . . . : NoEthernet adapter Local:Connection-specific DNS Suffix . :Description . . . . . . . . . . . : VLAN 3: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet ControllerPhysical Address. . . . . . . . . : 00-1B-FC-E1-E2-FFDHCP Enabled. . . . . . . . . . . : NoIP Address. . . . . . . . . . . . : 192.168.0.1Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . :Ethernet adapter Inet:Connection-specific DNS Suffix . :Description . . . . . . . . . . . : VLAN 2: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet ControllerPhysical Address. . . . . . . . . : 00-1B-FC-E1-E2-FFDHCP Enabled. . . . . . . . . . . : NoIP Address. . . . . . . . . . . . : 192.168.1.2Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : 192.168.1.1DNS Servers . . . . . . . . . . . : 192.168.1.1
Such model can be used for building a server with a direct access from several VLANs via only OSI Layer-2 devices. Another application of the model can be a server configuration that enables network and port address translation (NAT/PAT). Let us configure a test bench, which will allow a notebook (laptop) to connect to the internet through a desktop computer by using ICS (Internet Connection Sharing). ICS configuration in Windows XP is described here. The test server is configured in the same way.
Now we need to configure the switch our devices are connected to. In our case it was Cisco Catalyst WS-C2960G-24TC-L, its IOS version is presented below. Some inessential parts are omitted.WS-C2960G-24TC-L#sho verCisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)Copyright (c) 1986-2008 by Cisco Systems, Inc.Compiled Thu 21-Aug-08 15:59 by nachenImage text-base: 0x00003000, data-base: 0x01200000ROM: Bootstrap program is C2960 boot loaderBOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)WS-C2960G-24TC-L uptime is 32 minutesSystem returned to ROM by power-onSystem image file is "flash:c2960-lanbasek9-mz.122-46.SE.bin"cisco WS-C2960G-24TC-L (PowerPC405) processor (revision D0) with 61440K/4088K bytes of memory.Processor board ID FOC1209U0D2Last reset from power-on1 Virtual Ethernet interface24 Gigabit Ethernet interfacesThe password-recovery mechanism is enabled.64K bytes of flash-simulated non-volatile configuration memory.Base ethernet MAC Address : 00:1F:C9:24:13:00Motherboard assembly number : 73-10015-06Power supply part number : 341-0098-01Motherboard serial number : FOC12090HR4Power supply serial number : AZS120515AUModel revision number : D0Motherboard revision number : A0Model number : WS-C2960G-24TC-LSystem serial number : FOC1209U0D2Top Assembly Part Number : 800-26673-03Top Assembly Revision Number : B0Version ID : V03CLEI Code Number : 453091Hardware Board Revision Number : 0x01Switch Ports Model SW Version SW Image------ ----- ----- ---------- ----------* 1 24 WS-C2960G-24TC-L 12.2(46)SE C2960-LANBASEK9-MConfiguration register is 0xF
After the switch is loaded, we erase its configuration and use the initial config. Firstly, we choose Transparent as a VTP mode, though for large corporate networks this part of configuration may differ substantially.WS-C2960G-24TC-L#sho vtp staVTP Version : running VTP1 (VTP2 capable)Configuration Revision : 0Maximum VLANs supported locally : 255Number of existing VLANs : 7VTP Operating Mode : TransparentVTP Domain Name :VTP Pruning Mode : DisabledVTP V2 Mode : DisabledVTP Traps Generation : DisabledMD5 digest : 0x74 0xAD 0xAC 0x6F 0xD1 0x5C 0xBB 0x8BConfiguration last modified by 0.0.0.0 at 0-0-00 00:00:00
Then we create virtual LANs in the switch configuration and add its physical interfaces to these VLANs. We use Gi0/20 port for internet connections; whereas Gi0/19 faces the local network. The description of Cisco switch configuration is out of scope of this article.WS-C2960G-24TC-L#sho vla briVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Gi0/2, Gi0/3, Gi0/4, Gi0/5Gi0/6, Gi0/7, Gi0/8, Gi0/9Gi0/10, Gi0/11, Gi0/12, Gi0/13Gi0/14, Gi0/15, Gi0/16, Gi0/17Gi0/18, Gi0/21, Gi0/22, Gi0/23Gi0/242 2Inet active Gi0/203 2Local active Gi0/191002 fddi-default act/unsup1003 token-ring-default act/unsup1004 fddinet-default act/unsup1005 trnet-defaultact/unsup
Gi0/1 port is connected to the routing server through the trunk. Results of configuration are listed below.interface GigabitEthernet0/1description 2TaggedCompRouterswitchport trunk allowed vlan 2,3switchport mode trunk!interface GigabitEthernet0/2!interface GigabitEthernet0/18!interface GigabitEthernet0/19description 2Localswitchport access vlan 3switchport mode access!interface GigabitEthernet0/20description 2Inetswitchport access vlan 2switchport mode access
Other L2 devices can be configured in the same way. An example of switch configuration for Linksys RVS4000 is shown below.
Let’s go back to our test bench (WS-C2960G-24TC-L) and check its bridge table to make sure that both devices on trunk endpoints properly identify dot1q-encupsulation received from each other. We see that the MAC address 001b.fce1.e2ff is visible in the both VLANs.WS-C2960G-24TC-L#sho mac add dyMac Address Table-------------------------------------------Vlan Mac Address Type Ports---- ----------- -------- -----2 001b.fce1.e2ff DYNAMIC Gi0/12 001c.10f4.c166 DYNAMIC Gi0/203 001b.fce1.e2ff DYNAMIC Gi0/13 0022.1516.3cbe DYNAMIC Gi0/19Total Mac Addresses for this criterion: 4WS-C2960G-24TC-L#
Now we make network settings for ASUS Eee PC 900 notebook (see the listing below) and connect it to Gi0/19 switch port by the patch-cord.Windows IP ConfigurationHost Name . . . . . . . . . . . . : foxPrimary Dns Suffix . . . . . . . :Node Type . . . . . . . . . . . . : UnknownIP Routing Enabled. . . . . . . . : NoWINS Proxy Enabled. . . . . . . . : NoEthernet adapter Local Area Connection:Connection-specific DNS Suffix . :Description . . . . . . . . . . . : Atheros L2 Fast Ethernet 10/100 Base-T ControllerPhysical Address. . . . . . . . . : 00-22-15-16-3C-BEDHCP Enabled. . . . . . . . . . . : NoIPv4 Address. . . . . . . . . . . : 192.168.0.2Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : 192.168.0.1DNS Servers . . . . . . . . . . . : 192.168.100.1
The only thing left is to check that the internet can be accessed from the server as well as from the test laptop through the routing server. Part of the network hops the data pass through is deliberately hidden; the reader shouldn’t be confused by this fact.Tracing route to www.ru [220.127.116.11]over a maximum of 30 hops:1 1 ms 1 ms 1 ms 192.168.1.12 * * * Request timed out.3 * * * Request timed out.4 * * * Request timed out.5 * * * Request timed out.6 19 ms 12 ms 12 ms 18.104.22.1687 10 ms 11 ms 13 ms 22.214.171.1248 22 ms 32 ms 15 ms 126.96.36.1999 10 ms 18 ms 19 ms 188.8.131.52Trace complete.
We see that the internet is accessed from the server. Now we trace the route to the same internet address from the notebook.Tracing route to www.ru [184.108.40.206]over a maximum of 30 hops:1 1 ms <1 мс <1 мс 192.168.0.12 1 ms 1 ms 1 ms 192.168.1.13 * * * Request timed out.4 * * * Request timed out.5 * * * Request timed out.6 * * * Request timed out.7 22 ms 17 ms 22 ms 220.127.116.118 10 ms 19 ms 20 ms 18.104.22.1689 19 ms 13 ms 16 ms 22.214.171.12410 18 ms 13 ms 13 ms 126.96.36.199Trace complete.
The route tracing shows the desirable result: the packets sent from the laptop to the internet reach the test server in the first hop. The diagram below shows how the traffic passes through the test bench. Such configuration enables to install on this soft router a billing solution, or network statistics software, or antiviral software, or any other software.
It is important to mention that in such model the trunk is going to be loaded with twice more traffic as each packet is transmitted from the switch to the routing server first and then sent back to the switch over the same physical link.
The model we demonstrate allows connecting the server via trunk. Due to this cheaper routers hardware and a fewer number of switch ports are needed for such server connection.