ESA X1070 - nic pair + vlan

Similar Messages

• HP 620 notebook PC, Ethernet NIC Driver, VLAN issue

  Dears;
  I have HP 620 notebook running on WIN-7 32 bit, I need to use VLAN on my Ethernet NIC the problem that I don't know what's my NIC exactly and if it does support VLAN on WIN7 or not
  I searched a lot on that topic and i found below:
  1- my laptop is currently running with driver name RLT8102E/RLTK8103E;
   Physical Address. . . . . . . . . : 64-31-50-80-6C-DA
  2- in the below web site the driver is for     another NIC named  Realtek RTL8191SE 
  http://h20566.www2.hp.com/portal/site/hpsc/public/psi/home/?sp4ts.oid=4158863
  3- below link I found another card type named RTL8153EH and it support VLAN and i didn't find any driver for it
  http://www8.hp.com/h20195/v2/GetPDF.aspx/c04290703.pdf?ver=7
  Please support which of these is my proper driver and HOW CAN I USE VLAN on my NIC on WIN7
  Regards

  Hi,
  There's nothing wrong with your machine - the business portal you're trying to access has been down for most of the weekend ( probably for maintenance ).
  I don't work for HP, so the only advice I can offer would be to try again later as I would expect it to be up and running sometime today.
  Regards,
  DP-K
  ****Click the White thumb to say thanks****
  ****Please mark Accept As Solution if it solves your problem****
  ****I don't work for HP****
  Microsoft MVP - Windows Experience

• Agent Binding to NIC with multiple Bonded NICs and VLANS

  Hi
  I am having an issue with agent communication where the agent installs on a server, but is then unable to communicate correctly with the primary servers. This error is typically reported through the Zenworks agent status in ZCC "Unable to connect to the agent service through the IP Address or DNS."
  It seems that when the agent installs it selects what it deems to be the primary NIC and then binds to this address. I have a large number of servers within my deployment domain and whilst in some instances it will be relatively straight forwadr to change the binding order in other instances this can be quite complex and will greatly increase the complexity and timeframe for our deployment project. Can anyone help with my questions below.
  1 Can anyone confirm that this is indeed the default behaviour ?
  2 Is there any way to specify the specific interface for the agent to bind to ?
  3 Does anyone have any practical examples of workarounds for this issue ?
  Many Thanks
  Gareth

  Find the Server in the ZCC, Select the Settings Tab and Modify the
  "Restricted IP Addresses" to tell devices to not use a specific address.
  On 4/26/2012 5:56 AM, garethb wrote:
  >
  > Hi
  >
  > I am having an issue with agent communication where the agent installs
  > on a server, but is then unable to communicate correctly with the
  > primary servers. This error is typically reported through the Zenworks
  > agent status in ZCC "Unable to connect to the agent service through the
  > IP Address or DNS."
  >
  > It seems that when the agent installs it selects what it deems to be
  > the primary NIC and then binds to this address. I have a large number of
  > servers within my deployment domain and whilst in some instances it will
  > be relatively straight forwadr to change the binding order in other
  > instances this can be quite complex and will greatly increase the
  > complexity and timeframe for our deployment project. Can anyone help
  > with my questions below.
  >
  > 1 Can anyone confirm that this is indeed the default behaviour ?
  >
  > 2 Is there any way to specify the specific interface for the agent to
  > bind to ?
  >
  > 3 Does anyone have any practical examples of workarounds for this issue
  > ?
  >
  > Many Thanks
  > Gareth
  >
  >
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Knowledge Partner
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• Multiple NIC (eth), VLAN, bridge & netctl profiles

  Hello,
    I need to configure the following network setup on my Archlinux Gateway :
  eth0 : LAN, static IPv4 and v6
  eth1 : WAN (internet) dhcp IPv4, static v6
  eth0.100: no address.
  eth1.100: no address
  brfbx : bridge on eth1.100 & eth0.100, no address.
  I managed to get that up and running using a netctl profile for each line above, but I can't find a way to make it work on boot : obviously the profiles need to be brought up in a specific order... any idea on how to do that ?

  do I even need to set up multiple profiles if I "just" have to bridge the Network?
  Last edited by 3000 (2013-05-15 11:27:49)

• IDS 4215 Inline VLAN Pair

  I am trying to configure IDS 4215 to do inline vlan pair with a Cisco 3750 Layer 3 switch.
  We have 4 vlans in the 3750, vlan 100 for workstations,vlan 200 for servers, vlan 250 for ip phones and vlan 150 for firewalls.
  All vlans have corresponding SVI with that ip been the default gateway for each vlan.
  interface Vlan1
  no ip address
  interface Vlan100
  description Workstation VLAN
  ip address 192.0.0.5 255.255.255.0 secondary
  ip address 192.0.0.254 255.255.255.0
  interface Vlan150
  description WatchGuard FW VLAN
  ip address 192.168.150.254 255.255.255.0
  interface Vlan200
  description Servers
  ip address 192.168.200.254 255.255.255.0
  interface Vlan250
  description VOICE
  ip address 192.168.250.254 255.255.255.0
  ip helper-address 192.168.200.30
  interface Vlan254
  description Management VLAN
  ip address 192.168.254.254 255.255.255.0
  My question is how do i monitor the traffic going to firewall vlan from server/workstation vlans ?
  I read a quite a bit of old topics here in this forum but could not find anything matching though there were few coming close.
  So my idea is to configure new vlan say 151 and move the firewalls to the new vlan.Then do inline vlan pair on old firewall vlan 150 and new fw vlan 151.
  Any idea its going to work ? or can i simply do 2 vlan inline pairs for fw-server and fw-workstation vlans ? Also i understand that i have to configure trunking on switch ports ?
  would appriciate any comments.

  I would recommend you proceed with your first suggestion of creating vlan 151, moving the firewall ports to vlan 151, and then placing the sensor inline between vlans 150 and 151.
  There are 2 options for placing the sensor between vlans 150 and 151: inline interface pairing, or inline vlan pairing.
  With inline interface pairing you would need the 4FE card in the IDS-4215. Create an inline interface pair using Fe2/0 and Fe2/1.
  Create an access port on vlan 150 of your switch and connect Fe2/0.
  Create an access port on vlan 151 of your switch and connect Fa2/1.
  Allow spanning-tree to run (generally between 30 and 40 seconds).
  With InLine Vlan Pairing you can do this with an IDS-4215 without needing the 4FE card.
  Create an inline vlan pair subinterface on Fe0/1 that will pair vlans 150 and 151.
  Creat an 802.1q trunk port on your switch that will trunk just vlans 150 and 151 (leave the native vlan of the trunk as vlan 1, but do not place vlan 1 in the list of allowed vlans on the trunk)
  Connect Fe0/1 to your trunk port.
  Now this will cause All traffic between your internal networks and the firewall to have to pass through the sensor. This includes your voice traffic that goes through the internet.
  The other option you mentioned of creating inline vlan pairs on your workstation vlan and your server vlans, I would not recommend with IPS 5.1.
  The inline vlan pairs would have to be created similar to the inline vlan pair I described above using vlans 150 and 151.
  You would have to create vlan 101 and pair 100 and 101.
  As well as create 201 and pair 200 and 201.
  If the workstations ONLY have connections out through the Firewall and NOT to the servers then it would be OK.
  BUT if the workstations also have connections to the servers then it will cause problems. The packets will have to pass through both the vlan 100 and 101 pair as well as the vlan 200 and 201 pair.
  When the sensor sees the same packet again after having been routed (by the switch in this case) it causes issues. The sensor sees that the packet has changed and believes that a hacker is modifying packets on the network.
  This is being addressed in IPS version 6.0 (still under development) so that vlan pair 100 and 101 can be monitored independant of vlan pair 200 and 201.
  So until IPS 6.0 is released I would suggest staying with the single vlan pair approach using vlan pair 150 and 151.

• Hybrid 6500 IDSM-2 inline vlan pair mode

  I am having a problem understanding how a packet is going to know that it needs to get evaluated by the IDSM if it is being sent to a host on a different vlan. First lets say that the server is on a vlan that is being pair and the server host is configured with the GW address of the paired vlan. So if a different host on a different vlan sent a packet to that server how does the MSFC know to sent the packet to the paried vlan to get routed to the servers vlan instead of routing it directly to the servers vlan that is attached to it(msfc). FYI. I followed the admin guides to set this up and it does not cover design or operation packet flows.

  Cisco CatOS on the Cisco Catalyst 6500 Series with optional Cisco IOS Software on the Multilayer Switching Feature Card (MSFC) provides Layer 2/3/4 functionality for the Cisco Catalyst 6500 by integrating two operating systems. A switch running CatOS only on the Supervisor Engine is a Layer 2 forwarding device with Layer 2/3/4 functionality for QoS, security, multicast, and network management of the Policy Feature Card (PFC), but does not have any routing capabilities. Layer 3 routing functionality is provided via a Cisco IOS Software image on the MSFC routing engine (optional in Supervisor 1A and 2, and integrated within Supervisor 32 and 720.) In this paper, the combination of CatOS on the Supervisor Engine and Cisco IOS Software on the MSFC is referred to as the "hybrid" OS; two operating systems work together to provide complete Layer 2/3/4 system functionality.

• 4250-sx connecting to 6500 for vlan pair mode

  I am not sure if this question should be asked on the ids forum or the switching forum. Please let me know if it is the wrong place to be asking.
  Could someone perhaps help? It the first time we are configuring this setup so we need some help in configuring the SX interface on a 6500 switch.
  We would like to connect our 4250-SX ips sensor (5.1) for inline vlan pair mode to a 6500 catalyst running ios software. The switch has a fiber SC type connection. We would like to find a document that best describes how the interface on the switch should be configured for successful operation for this solution. Can someone point us to this document? We have been told that the port will need to be configured as an 802.1q trunk. Is this correct?
  We would also like to filter all unneeded vlans from propagating on to that trunk. What is the best way to do this?
  Thanks in advance

  Whether the port is fiber or copper won't really matter much.
  The first step is determine between which 2 vlans you will want to do inline vlan pair monitoring.
  The most direct solution is to pick one existing vlan, and create one brand new vlan.
  Now trunk both of these vlans on the switch port where the sensor is connected:
  Here is a basic example configuration for that switch port:
  interface GigabitEthernet1/1
  switchport
  switchport access vlan 1
  switchport trunk native vlan 1
  switchport trunk allowed vlan 100-101
  switchport mode trunk
  no ip address
  no shutdown
  exit
  Vlan 100 was the existing vlan, and vlan 101 was the newly created vlan.
  The vlan 1 settings were just to ensure the port was set back to the default of vlan 1 for the access vlan; the vlan 1 setting is not used in the vlan pairing and is not in the list of allowed vlans for the trunk port.
  NOTE: You will see that the mode must be forced to trunk. Also be aware that depending on the port you may also have to force the trunk type to 802.1q:
  "switchport trunk encapsulation dot1q"
  Now on the sensor itself you will want to create an inline vlan pair on that SX interface, and pair vlan 100 with vlan 101.
  Now remember that vlan 101 was a new vlan and is empty. So right the now the sensor is doing inline monitoring between that empty vlan and the rest of your network. The trick now is to move Some of the ports from the original vlan into that new vlan.
  If this is your first time setting this up, then I suggest you try this with a very simple network with 3 pcs that all talk to each other on the same subnet. All 3 pcs would be in the same vlan to begin with. After the steps above are done to create the new vlan and create the inline vlan pair on the sensor, the next step is to move pcs into the other vlan. So for one PC change it's switch port configuration to move just that one PC from the original vlan (100) to the new vlan (101).
  Wait a minute for spanning-tree to run.
  Now ensure that the PCs from the orginal vlan can communicate to the PC in that new vlan.
  NOTE: Both vlans are for the same IP subnet. The sensor does not IP route between the subnets, it just switches or brides packets between the 2 subnets. So the IPs on the PCs do not change as they get moved to the other vlan.
  If you run some tests you will see that the sensor will see all traffic between the PC in the new vlan talking to either of the PCs in the original vlan. But you will also find that if the 2 PCs in the original vlan talk to each other, the sensor is unlikely to see that traffic (on occasion it will, but the sensor is just receiving a copy during broadcast and multicast situations).
  Typical deployments will have something like a firewall in the original vlan, and the Internal network machines moved to the new vlan. Or if the switch itself is routing, then the switch will have it's ip address on the original vlan, and all of the other machines will be moved to the new vlan.
  You also have the option of creating additional inline vlan pairs. To do this just create a new vlan for every original vlan where you want to add inline vlan pair monitoring.
  Then just add those vlans to the trunk allowed vlan command and create the pair in the sensor configuration.
  So let's say you also wanted to pair vlans 104 and 105 together. Then the command would look like:
  switchport trunk allowed vlan 100-101,104-105
  Your question about how do you keep the unneeded vlans from propogating is answered by that same command above. The "allowed vlan" list will restrict the trunk to only carrying those vlans listed.

• Bind external device into Hyper-V by bridging adapters and using VLAN?

  Hi,
  i tried several hours and researched the web but no solution.
  I am running a Windows Server 2012 with Hyper-V virtualizing several networks. Each network is in its own vlan (Network 1 = Vlan 100 , Network 2 = Vlan 200,  Network 3 = Vlan 300 etc.). They are all connected to an external network vSwitch TESTNET.
  This vSwitch TESTNET is connected to one NIC on the host. I can send/receive VLAN tagged packets to this NIC from outside and it works. I can reach the corresponding networks.
  NOW I have an external device which I have to physically connect to that server on a new NIC. It has to be placed into Network 1 means be reached directly from there.
  The first idea I got is to bridge this network connection with my vSwitch Testnet. Due to the fact that the virtualized Network 1 is in a vlan I also tag the new NIC with Vlan 100. Several attemps later I still can't get it working.
  1.) Is it possible to bridge a vSwitch with a physical NIC? Will the tagged vlan packets from the physical NIC be sent to the corresponding VMs with the same vlan configuration over the vSwitch Testnet?
  2.) Or Do I need to create another vSwitch for the second NIC for my external device? And afterwards bridge these two vSwitches together?
  3.) Or is the only way to add this network device to a virtual router in a virtual machine?
  Hope somebody can help me.
  Regards DrWho

  I'm not understanding why this device has to directly connect to the physical host. If it's required that it be in network 1, why can't you plug it into a physical switch in a port with a default/PVID VLAN of 1? If you directly connect it to a regular physical
  port on a computer, it won't be in a network at all, at least not as defined anywhere else in your configuration, unless that port has somehow been bound and configured as a router. The end result of all that trouble would not really different from just plugging
  it into the physical switch to begin with.
  No, you can't bind the virtual switch and another physical port together in the way that you describe.
  You can't have a device that only communicates with a particular partner AND participates on a common network beyond those two devices unless that partner is a router.
  Eric Siron Altaro Hyper-V Blog
  I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.
  "Every relationship you have is in worse shape than you think."

• VLAN Configuration

  I just wanted to ask a question about how other organizations have their VLAN setup. With my organization, we have each of our different VLANS. If we want to lets say a server be able to access all the VLANs, then we have to trunk the port the server is connected to and enable VLAN support on the NIC. In other words we have VLAN 1,2 set on the port, and then we create VLANS with our NIC software for VLAN 1,2. So the NIC has VLAN 1,2 with an ip address for each VLAN. Correct me if Im wrong, but you have to have an ip address for each VLAN your server or computer is connected to? In other words, I couldn't just enable trunking on the port and then set up the server NIC with an ip address that is a VLAN1 IP address?

  My question is more of what other companies use in their VLAN setup. Every single person I talk to said that our setup is unique. When they open up out network connections for one of our servers, and see 8 differenent virtual connections (VLANs), they dont understand why we do this. Thats why Im asking? If this is unique, how do other companies set up their vlans on their servers. If they want their server to be able to talk to every vlan, then how do other companies implement this. Like I said, we trunk it on the port and then set up VLANS using the nic software for each of the vlans we added to the trunk. So, each server has a virtual connection (ip address,SM, DG for that network (VLAN)). This doesnt seem to be the norm from other network prof. Ive talked to. So...do other companies just attach their server to one vlan (no trunking on the switch port and no nic multiple VLAN setup on the sever) and then enable inter-vlan routing. This then enables servers to talk to any vlan that is enabled through inter-vlan routing?

• SG200-26: dynamic VLAN - 802.1X

  Last week I got my SG200-26 (SLM2024T-EU). The Data Sheet says, that the switch works with dynamic VLAN assignment over 802.1X.
  IEEE 802.1X
  (Authenticator role)
  802.1X: RADIUS authentication and accounting, MD5 hash
  Supports time-based 802.1X
  Dynamic VLAN assignment
  The authentication on freeRADIUS works. I client could get access to the network after entering username and password but the client is not assigned to a VLAN. I used wireshark to sniff the authorisation process between the switch and the freeRADIUS server and the VLAN information were transmitted to the switch.
  I would appreciate if some could give me some help how to configure the switch to work with dynamic VLAN assignment and freeRADIUS. If you need some more information, please let me know. I will add them here as far as possible.
  Thank you very much!
  Alexander
  Edit

  Hello Nico,
  Thank you for your reply.
  I will show you my scenario a little more in detail and explain, what I have configured:
  I have got one server/router with a VLAN capable NIC connected to Port g1 on the switch. On the router I created 2 VLANs with VLAN-ID 5 and VLAN-ID 6.
  Both VLAN "NICs" have a static IP address and there is running a DHCP server for each VLAN. On the same server there is runninga freeRADIUS server.
  Now I did the following configuration on the switch:
  1. I assigned a static IP on the switch.
  2. SECURITY -> RADIUS:
  I added the RADIUS Server IP address and the key string (same on switch and freeRADIUS) and I ticked Usage-Type: 802.1X
  3. SECURITY -> 802.1X -> Properties
  Port-Based Authentication: Enabled is ticked
  RADIUS
  4. SECURITY -> 802.1X -> Port Authentication
  Administrative Port Control: Auto is ticked
  5. VLAN-Management --> Create VLAN
  VLAN-ID 5
  Descr. VLAN5
  VLAN-ID 6
  Descr. VLAN6
  I think, to this point the configuration is correct, isn't it ?
  I would appreciate very much, if you could give me advice for the further steps like Port Mode Access, Trunk or General for the clients which connect to the switch and if tagged or untagged.
  I have port g1 in trunk mode and VLAN5 and VLAN6 is tagged because my NIC is VLAN capable. But the other clients which connect to the switch do not have a VLAN capable NIC and these clients should get their VLAN assigned dynamically.
  I attached the pcap file which contains the authentication between freeRADIUS and the SG200-26 (Port g1)
  Thank you very much in advance!
  Alexander

• IPMP and VLANs

  I would like to have two NICs in IPMP configuration and public connections tagged with VLANs.
  I know the naming convention when one VLAN tag assigned to the physical NIC but I do not quite understand how to add multiple VLAN tags to one NIC and VLAN tags to pseudo interfaces.
  Here is the configuration I have:
  /etc/hostname.e1000g8
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-6 netmask + broadcast + failover up
  /etc/hostname.e1000g9
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-7 netmask + broadcast + failover up
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-12 netmask + broadcast + failover up
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-13 netmask + broadcast + failover up
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-14 netmask + broadcast + failover up
  ... and here how it looks like once configured:
  e1000g8: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 13
  inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
  groupname ipmpgroup4
  ether 0:50:56:23:29:c8
  e1000g8:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 13
  inet 10.10.1.116 netmask ff000000 broadcast 10.255.255.255
  e1000g9: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 14
  inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
  groupname ipmpgroup4
  ether 0:50:56:24:f:2e
  e1000g9:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
  inet 10.10.1.117 netmask ff000000 broadcast 10.255.255.255
  e1000g9:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
  inet 10.10.1.118 netmask ff000000 broadcast 10.255.255.255
  e1000g9:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
  inet 10.10.1.119 netmask ff000000 broadcast 10.255.255.255
  e1000g9:4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
  inet 10.10.1.120 netmask ff000000 broadcast 10.255.255.255
  Regards
  Leonid

  Does anybody familiar with setting up multiple VLANs tags on network interfaces in Solaris 10?
  Regards
  Leonid

• Routing of Network Traffic Between VLANs on a Hyper-V Virtual Switch

  I am trying to discover how network traffic generated by reads and writes to RDVH User Profile Disks is routed through my network.  I have a pool of Hyper-V
  desktop vm’s in their own VLAN (vlan1) with their own NIC bound to a Hyper-V Virtual Switch. On the same server I have another management NIC for the OS on a different VLAN (vlan2) and finally on another server I have a virtual machine which hosts the User
  Profile Disks. The VM that hosts the User Profile Disks is on the same VLAN as the management NIC for the OS (vlan2).
  When tracing the flow of network traffic to and from the User Profile Disk VM it all comes through the vlan2 NIC on the server where the virtual
  desktop VMs reside and nothing comes through the vlan1 NIC on this server.  I would have expected the traffic to the virtual desktop VMs to come in  through the desktop VMs VLAN NIC (vlan1).
  This leads me to two possibilities as to how the desktop vm’s on vlan1 get their  data to and from the User Pofile Disk vm on vlan2 without routing.
  The desktop vm’s Hyper-V Virtual Switch automatically routes the User Profile Disk traffic from vlan1 to vlan2 internally using a virtual switch learning algorithm
  Hyper-V itself handles all reads and writes to the User Profile Disks and since that is using the management NIC for the OS it is already on vlan2 and so the network traffic never leaves vlan2.
  Any comments on the reason for traffic taking the path it does (as outlined above) as opposed to being layer-3 routed from VLAN1 to VLAN2?

  Thanks for your reply Brian. I think your last paragraph above is what I have set up:
  If you simply forward one VLAN to one physical NIC and the VMS on the corresponding External Virtual Switch simply end up on that VLAN without Hyper-V doing anything at all - but this dedicats one physical NIC per VLAN.
  The Virtual Machines NIC that the vSwitch is patched to and the NIC for the OS are on different VLANS (both NICs are plugged into un-tagged ports on my switch).
  The vNICs on the VM's are not tagged to a VLAN (The VLAN ID\ 'Enable virtual LAN identification' box is unticked)
  My vSwitch is set up as connected to 'External Network' and isnt shared with the management network.
  What I am trying to get at is how would network traffic on the VLAN my vm's are on get to the VLAN that the NIC for the OS is on without going through the router (even though a routable path is available)  ?
  Is it possible the 'learning algorithm' referneced in a Technet article below is involved here (sorry I cant post links)?
  For the virtual machine to communicate with the management operating system, there are two options. One option is to route the network packet through the physical network adapter and out to the physical network, which then returns the packet back to
  the server running Hyper-V using the second physical network adapter. Another option is to route the network packet through the virtual network, which is more efficient. The option selected is determined by the virtual network. The virtual network includes
  a learning algorithm, which determines the most efficient port to direct traffic to and will send the network packet to that port. Until that determination is made by the virtual network, network packets are sent out to all virtual ports.
  Thanks,
  Andrew

• VLAN Tags and Hyper-V Switches

  Does the Hyper-V 2012 Virtual Switch support forwarding VLAN-tagged packets to a guest OS with the VLAN tags intact?  In other words, can I have a single virtual NIC handle multiple VLANs by doing the VLAN filtering inside the guest OS?
  I would like to run a guest OS that sits on multiple VLANs, and while I could create and delete virtual NICs which are assigned to a single VLAN, it would be much more flexible in my environment to have Hyper-V simply forward frames with the VLAN (802.1q)
  tags intact so that the guest OS can see the tags and deal with them appropriately.  (looking at running a virtual router that sits across multiple VLANs).
  I can't see any obvious way to do this.  I thought that leaving the VLAN tag for the guest off would cause packets to be forwarded unfiltered, but that appears to not be the case.  Does anyone know how to enable forwarding tagged frames through
  a virtual switch/NIC to a guest OS?
  Thanks!

  Hi,
  >  Does it depend on any particular settings on the physical NIC?
  No special settings on the physical NIC, but not every NIC support VLAN tagging. You should generally not set the VLAN ID at the physical NIC, it should be set on either the Virtual Switch or the individual Virtual Machine’s configuration. The VLAN ID on
  the Virtual Switch is what the Host or Parent Partition uses. The VLAN ID setting on the individual Virtual Machine’s settings is what each VM will use.
  For more information please refer to following MS articles:
  Understanding Hyper-V VLANs
  http://blogs.msdn.com/b/adamfazio/archive/2008/11/14/understanding-hyper-v-vlans.aspx
  VLAN Tricks with NICs - Teaming & Hyper-V in Windows Server 2012
  http://blogs.technet.com/b/keithmayer/archive/2012/11/20/vlan-tricks-with-nic-teaming-in-windows-server-2012.aspx#.UWznBmawrX0
  Set-VMNetworkAdapterVlan
  http://technet.microsoft.com/en-us/library/hh848475(v=wps.620).aspx
  Hope this helps!
  TechNet Subscriber Support
  If you are
  TechNet Subscription user and have any feedback on our support quality, please send your feedback
  here.
  Lawrence
  TechNet Community Support

• Layer 3 network and netboot/multicasting - will/can it work across subnets?

  Hi, have been running netboot across a few subnets using multiple nics and vlans that worked fine.
  We're to move to layer 3 so the vlans are going.
  So my problem is getting it to run across the subnets. Is there something we need to do to the network to allow me to it see the netboot images and can I run things as before, or as I suspect do I need to move to multicasting?
  Apologies if my question is a bit vague. Not 100% sure what the network change will do to the netboot system and how to adapt to it. thanks, Patrick

  Hi
  http://www.edugeek.net/forums/mac/33515-why-imaging-macs-so-annoying.html#post31 4474
  This link explains more:
  http://routergod.com/trinity/
  The documentation that came with your Switch should give you appropriate instructions.
  Tony

• Intrusion Detection system in non-global zone

  I have a zone configured with exclusive-ip. The zone will be used for an intrusion detection system and the software needs low-level access to the network interface. (thus using exclusive-ip) The problem I'm having is that I need to use another interface for local login and management of the zone. I do not/can not use another interface exclusively for this purpose. The best scenario would be a combination of exclusive-ip and shared-ip, but that's not possible. Vlans would be another option, but the version of Solaris I'm using does not have crossbow.
  I'm currently using Solaris 10 138888-08
  Any suggestions?

  Hi Kevin
  As you mentioned yourself I would use VLAN tagging. You do not need to have crossbow to be able to use VLANs.
  I am assuming that it will be possible for the switch port you are connected to to be configured for tagged VLANs?
  E.g.
  Let say your servers physical NIC is e1000g0. Get the switch configured so that your port is a vlan trunk with 2 tagged VLANs, e.g. VLANs 100 and 200.
  You can then use e1000g100000 (for vlan 100) and e1000g200000 (for vlan 200) in your exclusive IP zone config. One will carry the traffic for your IDS and the other can be used as your login/management network.
  Solaris will handle all the tagging/untagging for you automatically when you plumb in the interfaces e1000g100000 and e1000g200000. The formula for calculating the number part of the name of the NIC is:
  (vlan ID * 1000 + NIC_id)
  e.g. if your physical NIC is bge3 and you had a vlan id of 150 then the interface to plumb in would be called bge150003
  I believe the Solaris IP services manual should explain this.
  hope this helps
  Martin