Windows计算机从标记VLAN获取SLAAC IPv6

发布时间：2020-12-13 22:50:05 所属栏目：Windows 来源：网络整理

导读：我在网络上有 Windows计算机,意外地从标记VLAN获取IPv6地址. 我有路由器/计算机连接到带有未标记的vlan(id 1)和标记(id 2)的交换机.为简单起见,假设此VLAN2适用于VoIP手机,它将看到使用带标记的vlan作为DHCP请求的一部分的选项. 出于某种原因,此网络上的Wind

我在网络上有 Windows计算机,意外地从标记VLAN获取IPv6地址.

我有路由器/计算机连接到带有未标记的vlan(id 1)和标记(id 2)的交换机.为简单起见,假设此VLAN2适用于VoIP手机,它将看到使用带标记的vlan作为DHCP请求的一部分的选项.

出于某种原因,此网络上的Windows计算机正在从2001：db8：1051：4001 :: / 64和2001：db8：1051：4002 :: / 64子网中获取SLAAC地址.我希望Windows计算机只从未标记的VLAN /子网中获取地址.

一台具有2001年地址的Windows计算机：db8：1051：4002 :: / 64将无法实际使用此地址.它无法ping网关2001：db8：1051：4002 :: 1并且来自网关的ping不起作用.据我所知,它实际上无法以任何方式使用此地址.

使用过滤器icmp6和ip6 [40] == 134从Windows系统捕获的wireshark将显示两个子网的路由通告.

从同一台计算机上启动到Linux livecd的tcpdump捕获将显示2001：db8：1051：4002 :: / 64在以太网帧中具有正确vlan id的广告. Linux不从两个子网获取地址.

Windows计算机是完全干净的新安装的Windows 10 1709,我已经看到了具有Realtek和Broadcom适配器的系统上的行为.

组态

+--------------+    +-----------+    +------------------+
 | Linux Router +----+ HP Switch +----+ Windows Computer |
 +--------------+    +-----------+    +------------------+

Linux路由器接口配置

3: eth_lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0c:c4:7a:14:c7:fd brd ff:ff:ff:ff:ff:ff
    inet 10.2.25.1/24 brd 10.2.25.255 scope global eth_lan
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1051:4001::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ec4:7aff:fe14:c7fd/64 scope link
       valid_lft forever preferred_lft forever
5: eth_lan.2@eth_lan: <BROADCAST,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0c:c4:7a:14:c7:fd brd ff:ff:ff:ff:ff:ff
    inet 10.2.26.1/24 brd 10.2.26.255 scope global eth_lan.2
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1051:4002::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ec4:7aff:fe14:c7fd/64 scope link
       valid_lft forever preferred_lft forever

Linux RADVD配置

interface eth_lan
{
    AdvSendAdvert on;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
    MaxRtrAdvInterval 90;
    MinRtrAdvInterval 30;
    prefix ::/64
    {
    };
};
interface eth_lan.2
{
    AdvSendAdvert on;
    MaxRtrAdvInterval 90;
    MinRtrAdvInterval 30;
    prefix ::/64
    {
    };
    AdvDefaultPreference low;
};

切换配置

HP-2530-24G-PoEP# show running-config

Running configuration:

; J9773A Configuration Editor; Created on release #YA.15.14.0007
; Ver #05:18.63.ff.37.27:91
hostname "HP-2530-24G-PoEP"
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-28
   ip address dhcp-bootp
   exit
vlan 2
   name "VLAN2"
   tagged 1-28
   no ip address
   exit

问题：

为什么Windows系统从标记VLAN获取非功能性IPv6地址？有没有办法在不禁用VLAN 2上的IPv6或在Windows系统连接的端口上没有标记VLAN的情况下停止此操作？

来自评论的问题的答案

Are the Windows machines able to communicate on the network if you assign them static IPv6 address

如果从VLAN 1子网获得静态地址,连接到端口的计算机(未标记的vlan1,标记的vlan2)将完全正常工作,但不会在我期望发生的VLAN2子网上工作.

Have you tried disabling SLAAC on the router and only using DHCPv6?

如果我禁用SLAAC AdvAutonomous;并启用有状态的DHCPv6服务器计算机将只从未标记的VLAN获取地址.

What happens if you disable RA’s on eth_lan.2?

然后,客户端将不会从该VLAN 2子网获取地址.虽然,我希望IPv6在该子网上工作,因此非常需要RA.

我会确保NIC的驱动程序与他们的minidriver完全安装,以正确启用操作系统中的VLAN支持.

本机Windows NDIS不支持正确的VLAN,它只是在最坏的情况下剥离VLANid.

引自Wireshark;

Windows has no built-in support mechanisms for VLANs. There aren’t
separate physical and VLAN interfaces you can capture from,unless a
specialized driver that adds such support is present.

So whether you see VLAN tags in Wireshark or not will depend on the
network adapter you have and on what it and its driver do with VLAN
tags.

Most “simple” network adapters (e.g. widely used Realtek RTL 8139) and
their drivers will simply pass VLAN tags to the upper layer to handle
these. In that case,Wireshark will see VLAN tags and can handle and
show them.

Some more sophisticated adapters will handle VLAN tags in the adapter
and/or the driver. This includes some Intel adapters and,as far as i
know,Broadcom gigabit chipsets (NetXtreme / 57XX based chips).
Moreover,it is likely that cards that have specialized drivers will
follow this path as well,to prevent interference from the “real”
driver.

更新1 =======

找到MS博客参考there; Windows核心网络谈论802.1P,但他们提供了有关802.1Q(VLAN标记)的更多信息

The Windows networking stack fully supports the 802.1Q tag,i.e. both
UserPriority (as Mathias discusses in this post) as well as VlanId.
However,no stack component (tcpip,etc.) ever acts on the VlanId
field. Vendors,such as Intel,Broadcom,etc.,implement VLANs in
their miniport drivers in combination with NIC hardware. Thus,Windows
enables ISVs to implement VLAN if they wish,but does not natively
implement them.

– Gabe

从其他MS blog(这可以解释为什么你的Windows计算机无法ping通IPv6网关(并且很容易通过wireshark进行验证,因为outgooing数据包(PC-> Gateway)将被取消,即使它应该被标记))

Your NIC is responsible for adding the 802.1q tag to the outgoing
packet.

考虑到这个更新,我的术语“剥离vlan id”起初有点沉重,因为默认情况下它不会剥离它,它将vlan id作为输入,但忽略它,它只是不发送之后的vlan id,并将所有管理留给NIC的驱动程序.

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!