VLANs on Lenovo E520 Windows 7 Professional

April 23, 2012 at 08:40:30
Specs: Windows 7 Professional, Intel 64 bit 4GB
"You don't assign vlan id's to the laptop's network device, you assign them to the router it's connected to."

Actually, you can. When configured for a VLAN, a computer plugged into a switch trunk port will be on the specified VLAN. Otherwise, it will be on the default LAN. I have a ThinkPad E520, which I can easily put on a VLAN in Linux, but for some reason I can't in Windows 7 Professional. In the advanced properties for the NIC, there is supposed to be a VLAN ID setting, but it does not appear on my computer, which also uses a Realtek NIC.

BTW, when used in an environment where VLANs are used, it is imperative that some devices can be assigned to a VLAN. This is how Voice over IP phones are often set up. The devices then plug into a trunk port and the traffic sent to the VLAN or not as required. The alternative is to configure the switch port to a specific VLAN. However, with that configuration, a VoIP phone and computer would not be able to share a switch port, as is commonly done.

So, the question remains, how does one enable VLANs in Windows 7, at least on a Realtek NIC? As I mentioned, Linux has no problems with enabling a VLAN on this hardware. I have called Lenovo support on this and they refused to even discuss it.





#1

#2
April 23, 2012 at 10:26:31
It might, but that appears to be for a different chip. I have a "Realtek PCIe Family Controller", not the RTL81xx series. I'll have to verify if that's the correct package.

tnx jk



#3
April 23, 2012 at 10:59:12
I had to boot into Linux to verify that's the right package, but even after installing it, I still have no VLAN ID setting nor does that Realtek Vlan Protocol Driver appear, though I do have something called "Realtek DASH Protocol Driver", whatever that is.

#4
April 23, 2012 at 13:10:26
"Actually, you can. When configured for a VLAN, a computer plugged into a switch trunk port will be on the specified VLAN. Otherwise, it will be on the default LAN."

I think perhaps you misunderstand the nomenclature. You don't plug a computer into a "trunk" port. Trunk ports are used to link network appliances. For example, you would plug one switch into another using a trunk port. Or, you could plug a switch into a router using a trunk port. Typically, trunk ports carry all VLAN's over the management VLAN, whereas an access port only carries the one (or more) VLAN's assigned to it.

The nomenclature can change somewhat from one manufacturer to another (very much a PITA when that happens) but a trunk is a trunk. On the Avaya switches we're using (Avaya bought out Nortel's Networking) a computer plugs into a port set to "access".

"BTW, when used in an environment where VLANs are used, it is imperative that some devices can be assigned to a VLAN. This is how Voice over IP phones are often set up. The devices then plug into a trunk port and the traffic sent to the VLAN or not as required."

Again, trunk port is the wrong port. I have a VoIP phone sitting on my desk. Some time back I configured the setup to allow a PC to be plugged into the VoIP phone's PC socket. I left port set to "access" with VLAN 72 (VoIP) set as the PVID (primary VLAN ID) and added VLAN 7 (Net 4) to it and plugged my PC into my phone and it worked. However, these Nortel VoIP phones are a couple years old and I can get only 100 Mbps on that port so I swapped back to my 1000 Mbps connection after confirming it worked.

"However, with that configuration, a VoIP phone and computer would not be able to share a switch port, as is commonly done."

As per what I said immediately above this quote. It works, if your equipment is capable. Perhaps the problem is your switch. It may be somewhat limited in its capabilities. Are you even able to assign more than one VLAN to a port?

"So, the question remains, how does one enable VLANs in Windows 7, at least on a Realtek NIC?"

This really shouldn't be necessary. We control all VLAN's through all our edge switches in the closets and our core switches as well as the firewalls and routers. I'm not even sure if you can assign a VLAN to a Windows 7 interface....as I said, we do it at the port level on switches.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#5
April 23, 2012 at 14:52:14
^^^^
Switch ports can be configured as "edge" or "trunk" (names may change with different makes). An edge port is assigned to a specific VLAN and devices connected to that port can only connect to that VLAN. A trunk port, while often used to connect switches can also connect directly to devices such as computers and VoIP phones. If there is no VLAN tag, as is often the case with computers, that device is connected to the default (sometimes called VLAN 0) LAN. If VLAN tagging is used the device is connected to the specified VLAN. As I mentioned, this is often used on LANs where VoIP phones are used. The phone is configured to use a VLAN and the computer is not. The computer is often plugged into the phone, which is then connected to the switch. You then have both VLAN (phone) and non VLAN (computer) traffic on the same switch port. This requires the use of a trunk port that can use VLAN tags to direct traffic in the appropriate manner. In the same way, if VLAN is enabled on a computer, by plugging into a trunk port, that computer can be connected to the specified VLAN. Another example is in a business that provides WiFi to customers as well as employees. The access points will have 2 (or more) SSIDs, with the guest SSID connecting via VLAN to the router for Internet access. The employee SSID connects to the default LAN for accessing the business network.

BTW, in my work, I have set up networks with VLANs to support both VoIP and guest WiFi on the same physical network with both isolated from the office computer traffic.

As for my equipment, the E520 works fine on VLANs when I boot into Linux. It's just in Windows that it won't. The network has no problem with VLANs with either WiFi or other computers. Again, the problem is entirely with Windows 7 or the NIC drivers on this computer. Windows 7 is supposed to have a VLAN ID setting for configuring VLANs. It is that setting that's missing on my computer. There's another message further up that mentions installing a different driver, but that didn't help either.



#6
April 24, 2012 at 07:37:40
There is no VLAN 0 on any L2 or L3 device I've ever worked with. The default (management) VLAN is always VLAN 1.

I did misspeak in my first response above. I double checked this morning and I do have the port with the VoIP phone plugged into it setup as a trunk port. My apologies for the misinformation.

It isn't necessary for a client to have its interface assigned to a VLAN. A client becomes a member of a VLAN by plugging it into a switch port that has been assigned a VLAN.

You want all clients within the same VLAN to be on the same subnet so they can communicate with each other. Conversely you can also divide a single subnet into separate segments by putting them in different VLAN's.

For fun, configure a switch with multiple VLAN's. Assuming you have a 48 port switch, divide it into blocks of 12 and assign 1-12 to VLAN two, 13-24 to VLAN three and so on. Now take two laptops, put them on the same subnet (ie: 192.168.0.1 and .2) and plug them into ports in the same VLAN and have them ping each other continuously. They should respond properly. Now move one to a different VLAN, they stop communicating. Now move the second one to the same VLAN as the first one you moved and they start pinging again.

Again, you don't need, nor do you want, to set a VLAN on a client's network interface.

It happens frequently here at work that I need to move a client to another subnet. To do so, I change their IP and default gateway addresses then I connect to the management interface of the switch they're physically plugged in to and I change the VLAN assignment of the port they plug into and voila, they're on the other subnet. If I'm at the client's computer, I change the port assignment first, then the IP and DG and they're good to go.


#7
April 24, 2012 at 08:36:45
Let me describe a project I worked on a few years ago. It was in a senior's residence, consisting of 3 towers where the residents lived, and another building for offices. The buildings were connected via fibre and the project had 5 24 port PoE switches, located in the 3 towers and office. On this network, there was the office LAN traffic, office VoIP phones and WiFi access points. There were also ADSL shelves, used to provide Internet access to the residents over their phone lines. The default LAN was used for office LAN traffic, one VLAN for VoIP, one for resident Internet traffic and another for management. There was also a router and cable modem. The ADSL shelves didn't support VLANs, so they had to be connected to switch ports configured for the resident's VLAN. The access points had 2 SSIDs, one for residents & guests, on the resident's VLAN, and the other for office staff use. All switch ports were wired as trunk ports, except for the ones used to connect the ADSL shelves and also some at the local IT tech's desk, where I configured one port for each of the VLANs, which he'd have access to for testing.

So, yes, I have had some fun with VLANs. My interest in enabling a VLAN on my computer is so that I can plug my computer into a trunk port and be on the selected VLAN. Otherwise, I have to configure a switch port for that VLAN, so that my computer can access it. Putting a computer on a VLAN is very easy to do in Linux, but not in Windows on this computer. I agree it's not common to put computers on a VLAN, but sometimes it's necessary.



#8
April 24, 2012 at 12:27:19
Perhaps I'm misunderstanding you...

"My interest in enabling a VLAN on my computer is so that I can plug my computer into a trunk port and be on the selected VLAN"

What do you mean by "selected VLAN"?

I'm assuming you meant the VLAN assigned to the port you're plugged in to.

"I have to configure a switch port for that VLAN, so that my computer can access it."

Unless you're leaving a port assigned to the default VLAN on a switch, you have to change the port assignment so no matter what, you're configuring a switch port.

"Putting a computer on a VLAN is very easy to do in Linux, but not in Windows on this computer"

Yep, and I'd wager it's not possible to assign a VLAN to a network interface on a windows box....at least not with a desktop operating system like XP or 7. It may be possible on a server OS. To be honest, since starting this position 7 years ago and pretty much specializing in enterprise level networking, I haven't touched a Windows based server. The few servers I do run for monitoring are running BSD.

I'd wager the reason you can't assign a VLAN tag to a Windows desktop OS is because this is not normally done by anybody for a single VLAN connection and therefore MS in all its infinite wisdom (yes, that's sarcasm....lol) didn't add that feature to a desktop OS.

"I agree it's not common to put computers on a VLAN, but sometimes it's necessary."

Well, I won't deny a couple of our servers are connected via trunk ports to our switches, but those are very limited and special circumstances. They are running VMware. With multiple server instances on each physical box we're running the VM switch inside the physical servers. We have a quad interface NIC in one slot and each server has two built in NIC's as well. All 6 are connected in a LAG (Link Aggregation Group) which is similar to, but not exactly the same thing as a trunk port. But from the switch side, the ports involved in the LAG's are configured as "trunk".

You still haven't stated why you feel it necessary to assign a VLAN tag to the network interface of your windows 7 box. I'm curious why it is you feel it's necessary to do so? What benefit/gain do you get by doing so.

For that matter, I don't understand the necessity of doing the same in linux either. Much simpler to leave the client's interface alone and just plug it in to a port with the appropriate VLAN assigned to it.


#9
April 24, 2012 at 14:39:29
"What do you mean by "selected VLAN"?

I'm assuming you meant the VLAN assigned to the port you're plugged in to."

No. I mean that if I plug into a trunk port, as the majority of ports were on that senior's residence project, I can configure my computer to be on any VLAN I choose or even all of them, if I so decide. As I mentioned, that site has both computers and VoIP phones (ignoring the residents VLAN). A port appears at a jack in the user's office. It doesn't matter which device, phone or computer is plugged in, it will be on the appropriate network. This requires a trunk port. It cannot be done if a port is configured for a specific VLAN. If the ports were configured for specific VLAN, then they'd require individual jacks for computer and phone and the computer could not be plugged into the phone, as is often done with VoIP systems.

"You still haven't stated why you feel it necessary to assign a VLAN tag to the network interface of your windows 7 box. I'm curious why it is you feel it's necessary to do so? What benefit/gain do you get by doing so."

As I mentioned in the previous note, it's for testing purposes. With VLANs, I can configure my computer to appear on any of the VLANs or even multiple VLANs, if needed. Otherwise, I'd have to configure a port to access a specific VLAN and it would be capable of connecting to only one at a time.

Recently, I set up this Linux computer for multiple VLANs, so I could do some experimenting. Here's my LAN info:

eth0      Link encap:Ethernet HWaddr 00:15:F2:9C:A7:AC
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:3528953 errors:0 dropped:4 overruns:0 frame:0
          TX packets:3598590 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1767390128 (1685.5 Mb) TX bytes:524878450 (500.5 Mb)
          Interrupt:23 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:746703 errors:0 dropped:0 overruns:0 frame:0
          TX packets:746703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:141994133 (135.4 Mb) TX bytes:141994133 (135.4 Mb)

vlan0     Link encap:Ethernet HWaddr 00:15:F2:9C:A7:AC
          inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
          inet6 addr: fe80::215:f2ff:fe9c:a7ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67705 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:16232319 (15.4 Mb)

vlan5     Link encap:Ethernet HWaddr 00:15:F2:9C:A7:AC
          inet addr:192.168.5.10 Bcast:192.168.5.255 Mask:255.255.255.0
          inet6 addr: fe80::215:f2ff:fe9c:a7ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:13228 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1119623 (1.0 Mb) TX bytes:17551237 (16.7 Mb)

This computer has its regular LAN interface eth0, along with VLAN0¹ & VLAN5. If I were to plug this computer into a trunk port that supports multiple VLANs, I could easily connect to all of them by setting up the appropriate VLAN configuration on this computer.

1) I am aware that VLAN0 is not normally used, as it means there is in fact no VLAN tag used. VLAN0 is used on some equipment to denote the default LAN, that is no VLAN.

Another reason for VLANs on a computer might be a server that's supposed to be available on more than one VLAN or LAN. If plugged into a trunk port, with VLANs enabled, it could then be on all the configured VLANs.



#10
April 25, 2012 at 08:10:40
"No. I mean that if I plug into a trunk port, as the majority of ports were on that senior's residence project, I can configure my computer to be on any VLAN I choose or even all of them, if I so decide. As I mentioned, that site has both computers and VoIP phones (ignoring the residents VLAN). A port appears at a jack in the user's office. It doesn't matter which device, phone or computer is plugged in, it will be on the appropriate network"

You do realize that one of the major purposes of VLAN's is security within your network. Your method totally negates that security and pretty much leaves your entire network wide open to someone with nefarious purpose.

"Otherwise, I'd have to configure a port to access a specific VLAN and it would be capable of connecting to only one at a time."

I can understand why you might want to do this as an administrator but I still wouldn't myself. I'm not worried about the two minutes it takes to change a port assignment, and then change my IP to match the subnet. Unless you're using a single subnet in your network, you're still having to change IP when you change VLAN assignment on your NIC. So no matter what you do, you still have to change some settings somewhere and it's not hard or time consuming to do it my way.

"1) I am aware that VLAN0 is not normally used, as it means there is in fact no VLAN tag used. VLAN0 is used on some equipment to denote the default LAN, that is no VLAN."

Granted I only have direct experience with Cisco, 3COM, Baystack, Nortel and now Avaya L2/L3 switches but on none of the aforementioned have I ever seen VLAN 0.

The default in all the above was VLAN 1. All the L2/3 switches I've worked with have VLAN 1 applied to all ports once they've been reset to factory defaults because it (VLAN 1) is the default VLAN.

"Another reason for VLANs on a computer might be a server that's supposed to be available on more than one VLAN or LAN. If plugged into a trunk port, with VLANs enabled, it could then be on all the configured VLANs."

We do have a couple servers here configured with trunk ports but those are special cases. They are VMware servers that run multiple VM servers inside and utilize the Virtual switch that's made by VMware to break traffic out on the physical server and send it to the appropriate Virtual server. These boxes have a quad interface card as well as dual onboard NIC's and we use all 6 of those interfaces combined in what's called a "LAG" (Link Aggregation Group).

Other than the VMware servers, none of the over 100 servers in our environment are connected to a trunk port. All are connected to whatever VLAN (subnet) they belong in. We have about 10 different "server" VLAN's (subnets) at this point in time.

James, what I'm about to say is not meant to be rude or insulting so please don't take it that way, but I have to say it.

I don't think you've ever had any real training on VLAN's. Or if you did, whomever trained you didn't know what they were doing.

As I said above, putting clients on trunk ports negates a large part of the reason for using VLAN's.......which is to say security. You might as well just leave all your switches set to factory defaults (VLAN 1) and put all your equipment in the same subnet for all the security you presently have in your network.

You would do well to get some better training on the use of VLAN tagging and apply a better methodology at work or some day your present method is going to really bite you in the butt....especially if you're using DHCP for client connections.


#11
April 25, 2012 at 13:14:23
"I don't think you've ever had any real training on VLAN's. Or if you did, whomever trained you didn't know what they were doing.

As I said above, putting clients on trunk ports negates a large part of the reason for using VLAN's.......which is to say security."

Try setting up a VoIP phone system, where the user's computer is plugged into the phone and the phone in turn connected to the switch, without using trunk ports. That method is used by the VoIP system suppliers I've worked with, including Cisco, Polycom and TalkSwitch. How would you do it?

BTW, I'm currently working on a large VoIP project for a major insurance company. They use Cisco gear and that's how the network is set up. I am not the one that designed it that way. That senior's residence I mentioned was also designed by someone else. I just implemented it following their directions, including VLAN assignments. They worked for a major phone company. So why is it these companies think trunk ports are the way to go and you don't? I doubt most computer users even know about VLANs, let alone how to configure a computer for them, assuming they even have the admin rights to do it.



#12
April 25, 2012 at 14:33:41
As I said above, my coworker and I both setup our own VoIP phones to also feed data to a computer as a test case. But unlike you, we used only the VoIP VLAN and the one data VLAN.

In our buildings we have 2 sets each of 2 data, one VoIP connection (per outlet) in each office so we don't have to plug computers into VoIP phones. Even if we did, I'd never be dumb enough to make it a trunk with the management VLAN as the PVID with all VLAN's attached, that's just dangerous.

You weren't talking about just trunk ports for VoIP connections either. You specifically said you were using trunk ports for client computer connections so you could easily set them to whatever VLAN you wanted. I stated specifically that's not good practice because it's insecure.

Most hackers know a whole heck of a lot more than an "average" user and could seriously cause you problems within your setup if they ever sat down at a computer connected to your network. Someone with my level of knowledge could quickly, and easily, break it beyond your ability to repair it.

But you do what you want. I mean, why bother getting some actual training and know what you're doing when you can continue someone else's mistakes and pretend you know what you're doing.

Thanks for the conversation, it's been.....entertaining.


#13
April 25, 2012 at 19:11:58
1) As I said, I didn't design these networks. I merely configured them as directed.
2) Who said the VoIP or computers were on the management VLAN? In the senior's residence example, there were separate VLANs for VoIP, resident's Internet and management. The office computers were not on a VLAN and the residents would not have access to any other VLAN, as the ADSL shelf used to provide their Internet access didn't even support VLANs.
3) The phones and computers plugged into the same ports on the switch, as the computers were plugged into the phone. Again, this is not my decision.
4) If you're running in a whole new network, it's easy to have separate voice and data connections. In existing installations, it's often not possible. I can't think of a single VoIP installation that I've done that wasn't retrofitted into an existing network. Also, the customer might not want separate connections for phone and computer. That's certainly the case on my current project for the insurance company.
5) VoIP installations often have computers plugged into the phone. It's common practice in the industry. I've never seen a VoIP phone that didn't support that.
6) I have also installed VoIP systems on unmanaged switches that didn't support VLANs. Again, what I do is determined by what the customer wants. In my work, often the "customer" is a major telephone company that in turn sells the system to the end users. So, in those cases, it's the phone company engineers who apparently need VLAN training. On my current project it's Cisco that needs it, as they're the ones who designed this system. Perhaps you should give them a call.


#14
April 26, 2012 at 07:26:13
Back to your original post, and I'm quoting you directly:

"When configured for a VLAN, a computer plugged into a switch trunk port will be on the specified VLAN. Otherwise, it will be on the default LAN. I have a ThinkPad E520, which I can easily put on a VLAN in Linux,"

This is you talking about plugging a laptop (not a VoIP phone) into a trunk port. Or are you merely supporting a network that already does this and the network was built by a telephone company? Just FYI, it's doubtful an "engineer" from a phone company would have any real training in VLAN tagging. They'd know just enough to hook up a VoIP phone. If they're configuring the network(s) you're talking about supporting above then it's conclusive proof they have no training or knowledge in working with VLAN's.

Simply put, allowing a client to have the ability to switch between all available VLAN's, including the management VLAN, by changing VLAN's on their computer's NIC is just plain stupid as well as unsafe from a network security point of view. Your average linux user knows more than your average windows user. Your average hacker, a whole lot more than both. Someone like me, with training and experience in networking could (as I said before) down your network and break it so badly you wouldn't be able to fix it and you'd have to call a specialist like me in to fix it for you.

Now I don't really care what you do, it won't affect me. I've been trying to help you by pointing out plugging a computer into a trunk port is unsafe but you keep carping on VoIP phones when that discussion should have ended when I corrected myself after checking and said "Yes, you plug a VoIP phone into a port set to trunk".

Just FYI, the correct way to do a VoIP phone with data is to have only the two VLAN's (VoIP & Data) configured as "allowed VLAN's" on said port(s) with the VoIP VLAN set to be the PVID since it's the device plugged directly into the port. This removes any chances of access to any other VLAN's.

I've specifically asked about your training and qualifications several times now and you've not answered directly which is an answer in and of itself.

For what it would cost you, you should really get some actual training in VLAN tagging. It might save your job in the future should you ever rise above following step-by-step installation guides and plugging in equipment configured by someone else and actually learn how to configure networking equipment for yourself.

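The port configurations argued over in the posts above, modelled as an added example (not code from any poster): it parses the 802.1Q tag and applies per-port ingress filtering, so the VLANs a port accepts from a host that sets its own tag can be compared across configurations. VLAN IDs 72, 7, 1 and 5 come from the thread; the `Port` class, the function names and the rule that a frame tagged for a VLAN outside the allowed list is dropped are assumptions of this sketch, and real switches differ in detail.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
VID_PRIORITY = 0x000      # 802.1Q: tag carries priority only, no VLAN ID
VID_RESERVED = 0xFFF      # 802.1Q: reserved, never a valid VLAN

# VLAN IDs mentioned in the posts; the role names are labels for this sketch.
VOICE, DATA, MGMT, TEST = 72, 7, 1, 5
ALL_VLANS = frozenset({VOICE, DATA, MGMT, TEST})


def build_frame(vid=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build a constructed broadcast frame in memory, tagged if vid is given."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0015f29ca7ac")   # HWaddr shown in the thread's ifconfig
    tag = b""
    if vid is not None:
        if not (0 <= vid <= 0xFFF and 0 <= pcp <= 7):
            raise ValueError("VID is 12 bits, PCP is 3 bits")
        # Tag Control Information: PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return dst + src + tag + struct.pack("!H", ethertype) + bytes(46)


def parse_tag(frame):
    """Return (vid, pcp, ethertype); vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (first,) = struct.unpack_from("!H", frame, 12)
    if first != TPID_8021Q:
        return None, 0, first
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner


@dataclass(frozen=True)
class Port:
    """Hypothetical switch port: a PVID plus the list of VLANs it will carry."""
    name: str
    pvid: int
    allowed: frozenset

    def ingress_vlan(self, frame):
        """VLAN the frame is placed on, or None if ingress filtering drops it."""
        vid, _pcp, _ethertype = parse_tag(frame)
        if vid == VID_RESERVED:
            return None
        if vid is None or vid == VID_PRIORITY:
            vid = self.pvid               # untagged traffic takes the port's PVID
        return vid if vid in self.allowed else None


def vlans_accepted(port, vlan_ids=ALL_VLANS):
    """Audit helper: which tags from vlan_ids does this port let in?"""
    return {v for v in vlan_ids if port.ingress_vlan(build_frame(vid=v)) == v}


# Trunk that carries everything, with the default VLAN as PVID.
OPEN_TRUNK = Port("trunk, all VLANs allowed", pvid=MGMT, allowed=ALL_VLANS)
# Phone-plus-PC port as described in post #14: two allowed VLANs, VoIP as PVID.
PHONE_PORT = Port("phone + PC", pvid=VOICE, allowed=frozenset({VOICE, DATA}))
# Plain access port on the data VLAN.
ACCESS_PORT = Port("access", pvid=DATA, allowed=frozenset({DATA}))

if __name__ == "__main__":
    for port in (OPEN_TRUNK, PHONE_PORT, ACCESS_PORT):
        untagged = port.ingress_vlan(build_frame())
        print(f"{port.name}: untagged -> VLAN {untagged}, "
              f"tags accepted: {sorted(vlans_accepted(port))}")
```

Running it prints, for each port, where untagged traffic lands and which tags pass ingress filtering, which is the check to repeat against a real switch's allowed-VLAN list.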

#15
May 1, 2012 at 08:21:26
I came here looking for clues on how to tag the VLAN on my ThinkPad X220 running Windows 7, and I was optimistic since JamesK asked the exact same question.

Normally I wouldn't comment on a page with a lack of useful information, but I think it's necessary to point out that Curt R has missed the point entirely. Any network admin with any amount of experience using VLANs would see the advantage of tagging laptop traffic with a VLAN, whether for diagnostic or administration purposes. The misinformation being spread here is doing nothing to help the IT community.

JamesK, I hope you and I can both find this answer soon. At this point it's looking easier to switch my native OS to Linux, and to run Windows in a VM (local or VDI) for admin purposes.



#16
May 1, 2012 at 08:27:15
Unfortunately, I'm not having much luck with this. Lenovo support won't help, as it's a "configuration" issue, even though the setting is apparently missing. I've also checked the Microsoft Knowledge Base, without result.


#17
May 1, 2012 at 09:59:37
"Any network admin with any amount of experience using VLANs would see the advantage of tagging laptop traffic with a VLAN, whether for diagnostic or administration purposes."

I fail to see any advantage and apparently I'm not alone as all the admins I know who work with VLAN's do not plug desktop computers into trunk ports.

In my workplace we use statically assigned IP addresses on all computers and network appliances. On my department laptop I have a little batchfile I use to change subnets that utilizes the netsh command. If I'm at a location and need to test something I plug into an active port and give my laptop an IP within that subnet (VLAN). If you're using DHCP within your environment, you just plug in and get TCP/IP settings.

If I'm at my desk, I can access all VLAN's and their associated subnets from my desktop PC and don't need to hop subnets to do it. The only exception is our management VLAN. Therefore I have another NIC on my desktop plugged into a port on the management VLAN and if I need to access that VLAN, I disable my main (client VLAN) NIC and enable the one on the management VLAN. When I'm finished, I reverse that. So since I can easily access any VLAN from my desktop, again, where is this "advantage" to plugging into a trunk port?

I'm not sure who you are thinkmassive and obviously I have no clue as to your training, experience, or knowledge level. I will say this. I suspect you have no more than JamesK. You will note he's never replied even once to my queries about his training which is answer enough.


"The misinformation being spread here is doing nothing to help the IT community."

Luckily for the IT community, I've not been spreading any misinformation in this thread. I've made mistakes in the past when I didn't fully understand a question or misread it and answered incorrectly. When it was pointed out to me, I admitted my mistake openly and apologized. I would do so in this case if it were true.

But here's the thing. Two people with no training in VLAN's and little to no experience both espousing the same insecure methodology does not make me wrong. If you consider basic network security "a lack of useful information" then I feel sorry for whomever hires you.

With regard to Windows 7 and being able to set a VLAN tag to it. I suspect considering all the work JamesK has done trying to achieve this with no positive results make it likely this isn't something Microsoft included in Windows 7.

I know you can't do it in Windows XP, 2000 Workstation, or any other desktop version of windows. It may be possible with server versions of Windows as a server is the only type of computer I can ever imagine connecting to a trunk port.


#18
May 1, 2012 at 12:43:24
I judge the quality of an answer by its technical merit, and not by the supposed training of the author. Instead of being argumentative from the start, you could have constructively suggested a workaround.

"In my workplace we use statically assigned IP addresses on all computers and network appliances. On my department laptop I have a little batchfile I use to change subnets that utilizes the netsh command. If I'm at a location and need to test something I plug into an active port and give my laptop an IP within that subnet (VLAN). If you're using DHCP within your environment, you just plug in and get TCP/IP settings."

How do you hop VLANs from a single access port? It sounds like your network may use 802.1x authentication with VLAN assignment, which isn't necessarily available in every scenario.

What netsh commands are you executing?

"If I'm at my desk, I can access all VLANs and their associated subnets from my desktop PC and don't need to hop subnets to do it. The only exception is our management VLAN.... So since I can easily access any VLAN from my desktop, again, where is this 'advantage' to plugging into a trunk port?"

Is this accomplished by routing? What if you need to investigate possible scenarios by emulating a device from a laptop? There are plenty of valid reasons to use VLAN-tagging on a computer's network interface. It's accomplished trivially in Linux, and we're just wondering how to do so in Windows.


Report •

#19
May 2, 2012 at 15:28:37
"How do you hop VLANs from a single access port? It sounds like your network may use 802.1x authentication with VLAN assignment, which isn't necessarily available in every scenario."

VLAN 1 hosts all network appliances including our dual redundant core switches, firewalls and routers and all are available from the VLAN (subnet) I'm on because we've made it that way with firewall rules and routing. Just FYI, this subnet is of course restricted to my department for obvious reasons.

All client and server VLANs can access each other for the same reason. Outward facing VLANs (subnets) and the DMZ are firewalled off from the rest of the internal network for obvious reasons. But within the internal network, all client subnets can access all server subnets and other clients.


"What netsh commands are you executing?"

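***Begin Batchfile***
::== chgIP.bat
::== Prompts for a new address and gateway, then sets them statically on
::== "Local Area Connection" with a 255.255.255.0 mask and gateway metric 1.
::== On Windows 7, run it from an elevated command prompt.
@echo off
echo new IP ?
set /p IP=
echo new GW ?
set /p GW=

netsh int ip set add "Local Area Connection" static %IP% 255.255.255.0 %GW% 1

***End Batchfile***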

"Is this accomplished by routing? What if you need to investigate possible scenarios by emulating a device from a laptop?"

As I said above, via firewall rules and routing. We don't allow just any employee to access the management VLAN.

As for investigating possible scenarios, I have the option of going to any location and plugging a laptop into any VLAN. We reserve the .4 IP in all subnets for my department to use for troubleshooting purposes so I simply connect the laptop to a port in whichever VLAN, change to the .4 IP in that subnet and begin testing.

Also, my shared office has a rack and multiple switches in it and a router or two and I have a BSD box sitting in my office too. All of which I can, and do, lab with. This equipment is all disconnected from our main network with the exception of my BSD box and my desktop. I also have a switch in my office plugged into the main network I can utilize if need be for troubleshooting as well.

"It's accomplished trivially in Linux, and we're just wondering how to do so in Windows."

LOL - typical, isn't it? Everything is a little easier in the UNIX/Linux world and as I've said previously, I suspect MS never gave a moment's thought to being able to change the actual VLAN assignment on a desktop/laptop's NIC.

Yes, I could have been more constructive I suppose. I didn't mean to be, or try to be rude or condescending. In fact, I thought I was being constructive by pointing out the obvious security hole in having all clients plugged into trunk ports.

Report •
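The trunk-versus-access disagreement in the posts above comes down to who chooses the VLAN for a frame: the switch port or the host's 802.1Q tag. The following added example (not code from any poster in this thread) builds and parses an 802.1Q tag and models a simplified switch ingress decision. The port model, MAC addresses and VLAN numbers are assumptions for illustration, and real switches differ by vendor in how an access port treats tagged frames.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; a 4-byte 802.1Q tag is inserted when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:  # 0 and 4095 are reserved values
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return the VLAN ID in the frame's tag, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    vid = tci & 0x0FFF
    return vid or None  # VID 0 is a priority tag only, so treat it as untagged

def ingress_vlan(frame, mode, access_vlan=1, native_vlan=1, allowed=()):
    """Simplified switch ingress: the VLAN the frame joins, or None if dropped."""
    vid = parse_vlan(frame)
    if mode == "access":
        # Access port: the switch assigns the VLAN; other tags are dropped.
        return access_vlan if vid in (None, access_vlan) else None
    if mode == "trunk":
        # Trunk port: the sender's tag selects the VLAN, bounded by the allowed list.
        target = native_vlan if vid is None else vid
        return target if target in allowed else None
    raise ValueError("mode must be 'access' or 'trunk'")

# Constructed sample frames (MAC addresses and payload are made up).
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
UNTAGGED = build_frame(DST, SRC, 0x0800, b"\x00" * 46)
TAGGED_20 = build_frame(DST, SRC, 0x0800, b"\x00" * 46, vlan_id=20)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tag 20", TAGGED_20)):
        print(name, "access(10) ->", ingress_vlan(frame, "access", access_vlan=10),
              "| trunk(1,10,20) ->", ingress_vlan(frame, "trunk", allowed=(1, 10, 20)),
              "| pruned trunk(1,10) ->", ingress_vlan(frame, "trunk", allowed=(1, 10)))
```

The tagged frame that the access-port model drops is placed in VLAN 20 by the trunk model unless VLAN 20 is pruned from the allowed list, which is the control a switch administrator keeps over a host that tags its own traffic.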

#20
May 10, 2012 at 08:44:25
Thanks, Curt R! Hopefully your generosity will help others who find this thread in the future.

Report •

#21
May 10, 2012 at 10:47:28
I hope so too!

It's been a good discussion and the batchfile is VERY handy.

I have a slightly different version on my PC because it has 3 network interfaces on it. I'll post that one too:

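***Begin Batchfile***

::== chgIP.bat
::== Same as the earlier version, but also prompts for the interface name
::== (for example LAN1). Enter the name without quotes.
@echo off
echo NIC to change IP on?
set /p NIC=
echo new IP ?
set /p IP=
echo new GW ?
set /p GW=

::== The name is quoted so that interface names containing spaces also work.
netsh int ip set add "%NIC%" static %IP% 255.255.255.0 %GW% 1
::== end

***End Batchfile***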

It's worth noting that on my desktop PC I changed the interface names from "Local Area Connection" to "LAN", so I have LAN1, LAN2, and LAN3.

I'm lazy and typing the default NIC name was just too much typing for me....lol

Report •

