802.1Q and ISA Server
Many folks have asked the question: "Does ISA Server support VLANs?". The quick and dirty answer to this question is "nope - don't gotta." The longer, more useful answer is "ISA isn't aware of 802.1Q."
The core of the answer to this question lies in the fact that ISA Server is a layer-3 (IP) firewall, and that for IPv4 only (we'll discuss that in another blog). 802.1Q VLANs are a layer-2 network management mechanism. Thus, ISA is blissfully unaware of this protocol.
The good news is that if your NIC manufacturer has designed the NIC and provided drivers to support 802.1Q, Windows can use 802.1Q to build more logical interfaces, and thus ISA can actually see and use many more interfaces than you have PCI slots in the machine. I personally have produced 11 separate interfaces in my lab ISA to separate the various test scenarios. This machine only had two physical NICs, though. 802.1Q is kewl fer shur!
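To make the layer-2/layer-3 split concrete, here is an added illustration (example code written for this page, not part of Jim's post or of ISA Server): an 802.1Q tag is four bytes inserted between the Ethernet source MAC and the EtherType, so a VLAN-capable driver strips it, uses the 12-bit VLAN ID to pick a logical interface, and hands the IP layer a packet that is byte-for-byte the same as one that arrived untagged. The sample frames are constructed inline; the `NIC1.<vid>` naming for logical interfaces is an assumption for the demo, not any vendor's convention.

```python
import struct

TPID_8021Q = 0x8100      # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame, peeling one 802.1Q tag if present.

    Returns the layer-2 fields a VLAN-aware driver acts on (VLAN ID,
    priority) and the offset at which the layer-3 (IP) header begins.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id, priority = 14, None, None
    if ethertype == TPID_8021Q:
        # Tag = 16-bit TPID (already read) + 16-bit TCI.
        # TCI layout: 3-bit PCP | 1-bit DEI | 12-bit VID.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan_id": vlan_id,
        "priority": priority,
        "ethertype": ethertype,
        "l3_offset": offset,
        "l3_payload": frame[offset:],   # what the IP layer (and ISA) sees
    }


def logical_interface(parsed: dict, physical: str = "NIC1") -> str:
    """Mimic a VLAN-capable NIC driver: each VLAN becomes its own logical
    interface; untagged frames stay on the physical adapter.
    The "<physical>.<vid>" naming is an assumption for this demo."""
    if parsed["vlan_id"] is None:
        return physical
    return f"{physical}.{parsed['vlan_id']}"


def ipv4_addresses(l3_payload: bytes) -> tuple:
    """Pull source/destination from an IPv4 header: the only view a
    layer-3 firewall has, regardless of how the frame was tagged."""
    if len(l3_payload) < 20:
        raise ValueError("truncated IPv4 header")
    src, dst = l3_payload[12:16], l3_payload[16:20]
    return (".".join(map(str, src)), ".".join(map(str, dst)))


# --- constructed sample data (not captured traffic) --------------------

def build_ipv4_header(src_ip: str, dst_ip: str) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, TTL 64, proto ICMP,
    checksum left at zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       bytes(map(int, src_ip.split("."))),
                       bytes(map(int, dst_ip.split("."))))


def build_frame(dst_mac: bytes, src_mac: bytes, ip_header: bytes,
                vlan_id: int = None, pcp: int = 0) -> bytes:
    """Ethernet II frame, optionally with one 802.1Q tag in front of the
    EtherType."""
    header = dst_mac + src_mac
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    return header + ip_header


DST_MAC = bytes.fromhex("001122334455")   # constructed
SRC_MAC = bytes.fromhex("66778899aabb")   # constructed
SAMPLE_IP = build_ipv4_header("192.168.12.10", "10.10.0.5")
TAGGED = build_frame(DST_MAC, SRC_MAC, SAMPLE_IP, vlan_id=100, pcp=3)
UNTAGGED = build_frame(DST_MAC, SRC_MAC, SAMPLE_IP)

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        p = parse_frame(frame)
        print(name, "-> interface", logical_interface(p),
              "vlan", p["vlan_id"], "ip", ipv4_addresses(p["l3_payload"]))
```

Running it shows the tagged frame landing on `NIC1.100` and the untagged one on `NIC1`, while `ipv4_addresses()` returns the same pair for both: the IP layer never learns which VLAN a packet came from. That is why separation between VLANs rests on the switch trunk configuration and the NIC driver that builds the logical interfaces; ISA's contribution is the policy it applies to each of those interfaces once they exist.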
Various restrictions prevent me from recommending specific NIC manufacturers, but there is one thing that remains true; you won't get this capability from the $5 adapter you find at your local CompAmWe stores. You'll have to buy a server class NIC and you'll have to make sure the NIC manufacturer provides drivers capable of *properly* supporting 802.1Q.
You'll greatly improve your chances of succeeding here if you start with devices listed in the Windows Catalog (formerly the Hardware Compatibility Lab): http://www.windowsservercatalog.com/. Make sure you have the latest drivers; check the manufacturer's website as soon as you get the adapter.
Jim Harrison (ISA SE)
Comments
Anonymous
January 01, 2003
Thanx for the pingback, Tom... Use http://isatools.org/stuff/isasefw.scrn.png if you want to see a screenshot of my lab ISA with 11 (count 'em) interfaces, of which only two are physical...
Anonymous
January 01, 2003
No; ISA has no support for VLANs and therefore has no support statement regarding the combination for NLB + 802.1Q VLANS. This is strictly the NLB team's support area. The answer from them is "NLB does not support Q-tagged frames on the same interface where NLB is operating."
Anonymous
January 01, 2003
PingBack from http://blogs.isaserver.org/shinder/2006/10/04/does-the-isa-firewall-support-vlan-tagging/
Anonymous
January 01, 2003
A couple of weeks ago I met Elias (via MSN), because of a post I wrote, and disappeared at the same time
Anonymous
October 10, 2006
Stupid question. How did you get 11 interfaces with only 2 NICs?
Anonymous
November 27, 2006
Does Isa support NLB and Vlan Tagging on the same NIC?
Anonymous
March 16, 2007
I get 11 NICs because the NICs we bought include support for 802.1Q-tagged frames and the software the NIC manufacturer provides creates a logical interface for each VLAN in which the physical NIC participates. Obviously, I can't get into manufacturer specifics, but the question to ask is: "does this NIC manufacturer provide software that allows the driver to create logical NICs from 802.1q VLAN associations?" If they're confused by this question, the answer is likely to be "no".
Anonymous
March 16, 2007
"Does Isa support NLB and Vlan Tagging on the same NIC?" As I stated in the original blog, ISA has (and needs) no support for VLANs. This is strictly the purview of the NIC drivers and software.
Anonymous
April 23, 2007
Hi, Maybe Inaki asked the wrong question: Will VLAN tagging and NLB work on the same interface? My understanding is that due to NLB limitations/design, these 2 features cannot be configured on the same NIC. Or am I mistaken?
Anonymous
August 15, 2007
Please just tell us which lan card you are using in your example. Why would I spend the next 2 weeks researching which lan card will do this, when you could just tell me?
Anonymous
August 10, 2010
Update: as of today Windows Server 2008 and R2 NLB functionality fully supports Q-tagging on NLB interfaces when using multicast mode. Unicast mode requires the virtual interfaces of the adapter to support programmatic MAC override. Also be aware of support.microsoft.com/.../en-us
Anonymous
November 25, 2010
I'm in a multi-VLAN environment where I have deployed ISA Server 2006 Enterprise Edition with two arrays. Currently we have two proxy infrastructures, one for our students and the second one for our staff; each proxy goes via a different ISP. I want to merge both the students, who are set on a different VLAN ("Wireless LAN"), and the staff VLAN to go through a single proxy infrastructure, which is the 2006 EE. In the current situation, by adding static routes for staff 192.168.12.0 and students 10.10.0.0 to the ISA Server, both networks can go through this proxy. But both LANs go via a single External Interface and a single ISP. Is it possible to hook the physical LAN connections of both VLANs 192.168.12.0 and 10.10.0.0 to the ISA Server, create an Internal LAN for each of the ranges, and NAT each LAN to a different External Interface? So 192.168.12.0 is NAT-ed via External-1-ISP1 and 10.10.0.0 is NAT-ed via External-2-ISP2? And by utilizing IP Binder can I determine the rule based on AD/user group authentication to select which external interface it goes out? Thanks,