ARP Proxy & VLAN

11. ARP Proxy & VLAN

11.1. Introduction

ARP proxy can be used when the IP addresses of RTUs behind different RipEX units are, for any reason, within the same IP subnet; typically these RTUs do not have routing capabilities.

VLAN feature is typically used when you need to split the network into several logical parts. E.g. to distinguish between management and payload (user data) traffic or among different applications traffic (e.g. various RTU technologies).

Both features can be combined to provide the necessary functionality.

See the following chapters for a detailed description.

11.2. Transparent LAN (ARP Proxy)

Even though RipEX works as a standard IP router, it can interconnect identical IP subnets behind different RipEX units without defining default gateways. This is done with the ARP proxy feature.

Note

See the RipEX manual, Chapter 2.3 Router mode for configuration examples without ARP proxy usage.

RipEX can reply to an ARP request as if it had the requested IP address itself (and it can do so for more than one address). This feature is typically used when the IP addresses of RTUs behind different RipEX units are within the same IP subnet and the RTUs do not provide routing capabilities.

Fig. 11.1: Basic ARP proxy usage

In this diagram, the RTUs do not have routing capabilities (i.e. each RTU expects its counterpart to be within the same physical Ethernet LAN). When the RTU Master starts to communicate with the RTU Slave, it sends an ARP request for the RTU Slave’s MAC address. The RTU Slave is not a member of the same physical LAN, so the RTU Slave does not reply. However, when RipEX (radio IP 10.10.10.2) has ARP proxy enabled, it replies to this ARP request.

So with the ARP proxy functionality, local RipEX can mimic any IP address and reply to ARP requests. In our case, the RTU Master would consider the RipEX MAC address as the Slave MAC address. And with the appropriate routing rules in RipEX units, we can achieve the needed interconnectivity. We do not need to set anything on the connected RTUs – no gateway, no routing rules.

Important

Be very careful when using this feature: ARP proxy can disable all the traffic on the LAN!

Note

  • You can combine the ARP proxy feature with a TCP proxy and Terminal Servers. See the respective help in the RipEX web interface for details.

  • RipEX does not transmit broadcast packets via the radio link with the ARP proxy feature.

11.3. Transparent VLAN

The VLAN tag (802.1Q protocol) is a 4-byte field in the Ethernet frame. It is inserted between the source MAC address and the EtherType/Length field of the original frame.

The VLAN packet is defined by two main parameters:

VLAN tag

– The VLAN Identifier (VID) is also called the “VLAN number”. It is 12 bits long, so we can have up to 4096 VLANs (the values 0x000 and 0xFFF are reserved).

Priority Code Point (PCP)

– A 3-bit field which refers to the IEEE 802.1p priority. It indicates the frame priority level. Possible values are from 0 (best effort) to 7 (highest priority); 1 represents the lowest priority. These values can be used to prioritize different traffic classes (voice, data, …).

See the following example:

Fig. 11.2: VLAN diagram

As you can see in Fig. 11.2, “VLAN diagram”, we have individual VLANs for Management and two distinct technologies, each with its own IP subnet.

Note

You can combine the VLAN feature with a TCP proxy and Terminal Servers. See the respective help in the RipEX web interface for details.

11.4. Configuration Examples

In this chapter, we will go through several examples in order to explain ARP proxy and VLAN features in practice. All examples will have the same hardware configuration and we will alter the software settings only (ARP proxy, VLAN tagging, routing, …). Regular PCs will be used instead of RTUs.

Please follow the examples one by one to fully understand the configuration differences and benefits of various solutions.

11.4.1. No ARP Proxy and No VLAN

We will begin with a basic configuration example without using ARP proxy or VLANs. See the following diagram:

Fig. 11.3: Basic configuration diagram

This example does not reflect the common configuration, because the computers share the same IP subnet, but behind different RipEX units in the Router mode. Usually the RipEX units would connect different IP subnets. This can easily be done with ARP proxy, but in this example, we can configure it with special routing rules.

Note

Do not connect the PCs via X5 converter, but use the Ethernet interface. You can use the X5 converter just for configuration steps, not the connectivity tests.

RipEX Configuration

To access the first RipEX unit, go to the Settings and name it RipEX A. Set the following IP addresses:

  • Radio IP address: 10.10.10.2, mask 255.255.255.0

  • Ethernet IP address: 192.168.2.251, mask 255.255.255.0

On the second unit, set the name to RipEX B and configure it with the appropriate IP addresses:

  • Radio IP address: 10.10.10.4, mask 255.255.255.0

  • Ethernet IP address: 192.168.2.252, mask 255.255.255.0

See the RipEX A settings on the following screen-shot.

Fig. 11.4: RipEX A settings

Do not forget to set the same TX/RX frequencies, Channel spacing, Modulation rate and other parameters on both RipEX units. Do not enable ARP proxy or VLAN.

The next step is to set Routing (see the Routing menu). Configure RipEX A with these routing rules:

  • Destination: 192.168.2.252/32, Mask: 255.255.255.255, Gateway 10.10.10.4

  • Destination: 192.168.2.2/32, Mask: 255.255.255.255, Gateway 10.10.10.4

RipEX B will have very similar routes:

  • Destination: 192.168.2.251/32, Mask: 255.255.255.255, Gateway 10.10.10.2

  • Destination: 192.168.2.1/32, Mask: 255.255.255.255, Gateway 10.10.10.2

Do not forget to activate both routes. You can also add a note to each route. See the RipEX A Routing example:

Fig. 11.5: RipEX A Routing

Computer Configuration

When we have successfully configured both RipEX units, we can proceed with the computer settings.

  • PC #1: IP address: 192.168.2.1, Mask: 255.255.255.0, Default Gateway: 192.168.2.251

  • PC #2: IP address: 192.168.2.2, Mask: 255.255.255.0, Default Gateway: 192.168.2.252

Note

If you do not know how to configure these computers, see the RipEX manual, http://www.racom.eu/eng/products/m/ripex/bench-test.html#connect-PC.

In the common configuration with two different IP subnets behind our RipEX units, we would not need any further action to get the end-point connectivity. In this example, we must add two routes on both computers.

To add routing rules in Windows, you need to execute Windows Command Processor (cmd). Click on the Start button and then type Command Prompt or cmd in the Start Search field. Select the Command Prompt icon.

After the Command Prompt window appears, type the following commands on PC #1:

  • route add 192.168.2.252 mask 255.255.255.255 192.168.2.251

  • route add 192.168.2.2 mask 255.255.255.255 192.168.2.251

You also need to add similar routing rules on PC #2:

  • route add 192.168.2.251 mask 255.255.255.255 192.168.2.252

  • route add 192.168.2.1 mask 255.255.255.255 192.168.2.252

Note

You need Admin privileges to add a route in Windows 7.

Fig. 11.6: Command Prompt

Test the Connectivity

Check the connectivity by executing the ping command from the Command Prompt. Type “ping 192.168.2.1” or “ping 192.168.2.251” if you are executing the ping from PC #1 and check the results. You can also try the other direction; just switch the IP addresses. See the following example:

Fig. 11.7: Ping results (Basic configuration)

Note

If the ping is not successful, try to turn the Windows firewall off. It can block the ping packets.

11.4.2. ARP Proxy

If the end stations were not computers but only simple RTUs, it might not be possible to configure routes and default gateways on them. In this case, we need to achieve connectivity via the ARP proxy feature. See the diagram:

Fig. 11.8: ARP proxy configuration diagram

RipEX Configuration

On both RipEX units we have almost everything already configured. Just go to the Settings menu and click on the VLAN & Subnets button.

Turn the feature on, and check the ARP proxy option on both units. Confirm and apply the changes.

Fig. 11.9: Enabling the ARP proxy

You do not need to change the routing rules. Just remember that the ARP proxy feature works for all destination IP addresses in the RipEX routing table. RipEX will not send ARP proxy replies for any other IP address.

Add routing rules to enable ARP proxy for other IP addresses (e.g. if you want to use the ARP proxy for IP addresses 192.168.2.8-15, add the IP subnet 192.168.2.8/29 to the routing rules).
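
An added example (not RACOM code) of checking a planned routing table before ARP proxy is switched on, based on the rule above that the unit answers ARP for every routing-table destination and for nothing else. The function names, the too-wide /24 route and the treatment of a route that covers a locally attached host as the conflict to look for are assumptions made for illustration.

```python
import ipaddress

def proxied_networks(routes):
    """Routing-table destinations; per the text, ARP proxy answers for these only."""
    return [ipaddress.ip_network(dest) for dest, _gateway in routes]

def is_proxied(ip, routes):
    """True if the unit would answer an ARP request for this IP address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in proxied_networks(routes))

def audit(routes, local_hosts, remote_hosts):
    """Check a planned routing table against the hosts on each side.

    conflicts: hosts on the unit's own Ethernet segment that a route covers,
               so the unit would answer ARP in competition with the real host.
    uncovered: remote hosts that no route covers, so nobody answers ARP for them.
    """
    nets = proxied_networks(routes)
    conflicts = []
    for host in local_hosts:
        addr = ipaddress.ip_address(host)
        conflicts += [(host, str(net)) for net in nets if addr in net]
    uncovered = [h for h in remote_hosts if not is_proxied(h, routes)]
    return {"conflicts": conflicts, "uncovered": uncovered}

# RipEX A routing table from section 11.4.1, as (destination, gateway)
RIPEX_A = [("192.168.2.252/32", "10.10.10.4"), ("192.168.2.2/32", "10.10.10.4")]
# With the /29 rule suggested above for addresses 192.168.2.8-15
RIPEX_A_EXTENDED = RIPEX_A + [("192.168.2.8/29", "10.10.10.4")]
# Constructed mistake: the whole shared subnet routed to the radio side
RIPEX_A_TOO_WIDE = RIPEX_A + [("192.168.2.0/24", "10.10.10.4")]

if __name__ == "__main__":
    local, remote = ["192.168.2.1"], ["192.168.2.2", "192.168.2.9"]
    for name, table in [("page", RIPEX_A), ("extended", RIPEX_A_EXTENDED),
                        ("too wide", RIPEX_A_TOO_WIDE)]:
        print(name, audit(table, local, remote))
```

Run it once per unit, with that unit's routing table and the hosts attached to its Ethernet port as `local_hosts`.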

Computer Configuration

Both computers have the same IP addresses as in the basic configuration example. Just remove the default gateway.

  • PC #1:

    IP address: 192.168.2.1, Mask: 255.255.255.0

  • PC #2:

    IP address: 192.168.2.2, Mask: 255.255.255.0

You need to delete the routing rules we added previously. Go to the Command Prompt again and type in the following commands:

  • PC #1:

    • route delete 192.168.2.252 mask 255.255.255.255 192.168.2.251

    • route delete 192.168.2.2 mask 255.255.255.255 192.168.2.251

  • PC #2:

    • route delete 192.168.2.251 mask 255.255.255.255 192.168.2.252

    • route delete 192.168.2.1 mask 255.255.255.255 192.168.2.252

Test the Connectivity

The test is exactly the same as described in the section called “Test the Connectivity”.

The most important thing to remember with the ARP proxy example is that we did not need to configure any default gateway or routing rules on the computers (RTUs). Thanks to this, we can even add “simple” RTUs to our network and we can have the same IP subnets behind different RipEX units.

Tip

Give careful thought to the network design, because a good design can dramatically reduce the number of necessary routing rules in the RipEX routing table.

Example 11.1. Routing rules

You have four end stations with IP addresses 192.168.2.1, .2.2, .2.5 and .2.6 and you need two of them behind RipEX A and two of them behind RipEX B. With 192.168.2.1 and .2.2 behind RipEX A, you will need to add only one rule in the RipEX B: 192.168.2.4/30 via RipEX A. Otherwise you will need to add two rules (e.g. with .2.1 and .2.5 IP addresses).

11.4.3. VLAN

We will explain two similar examples to show the VLAN functionality.

VLAN on “One End”

In this example, we will have a VLAN ID 2 used between RipEX A and PC #1. RipEX management traffic on the same Ethernet port would be untagged.

Traffic on the radio channel is always untagged.

Traffic between RipEX B and PC #2 will also be untagged.

See the following diagram:

Fig. 11.10: VLAN configuration diagram

RipEX Configuration

The configuration on RipEX A will be a little more complicated. There will be two subnets, one for VLAN and one for other traffic. Go to the Settings menu and change the Ethernet IP address to 192.168.3.251. Then click on the VLAN & Subnets button and add a new VLAN – we will use VLAN ID 2 with an IP address 192.168.2.251.

Fig. 11.11: RipEX A – VLAN configuration

On RipEX B, turn the VLAN & Subnets option off.

The routing rules can stay exactly the same as in the previous ARP proxy example on both RipEX units. If you want to have RipEX A management (ETH) IP subnet reachable from RipEX B, you can add this routing rule: 192.168.3.0/24 via 10.10.10.2. But this is not necessary for the end-station connectivity.

Computer Configuration

PC #2 IP configuration is the same:

  • IP address: 192.168.2.2

  • Subnet Mask: 255.255.255.0

  • Default Gateway: 192.168.2.252

The setting of PC #1 is not so straightforward. Please set the following parameters:

  • IP address: 192.168.3.1

  • Subnet Mask: 255.255.255.0

  • Default Gateway: 192.168.3.251

As you can see we are connected to RipEX A within the 192.168.3.0/24 management IP subnet. But we still need to configure the VLAN interface. This step depends very much on the Operating system (OS) you use. We will describe the necessary steps in Ubuntu 12.04 and will give you a short Windows 7 example too.

Ubuntu 12.04

In a terminal, run the following commands as root:

  • modprobe 8021q

  • vconfig add eth0 2

  • ip link set eth0.2 up

  • ip link set mtu 1496 dev eth0.2

  • ip addr add 192.168.2.1/24 dev eth0.2

  • ip route add 192.168.2.2/32 via 192.168.2.251

  • ip route add 192.168.2.252/32 via 192.168.2.251

The most important command is vconfig, which creates the VLAN interface called eth0.2. We enabled the interface, decreased the MTU because 4 additional bytes are added to each frame due to the VLAN tag and of course we assigned the IP address to the interface.

The last two commands create routes so any packet destined to the 192.168.2.2 or 192.168.2.252 is routed via 192.168.2.251 gateway (RipEX VLAN interface).

Windows 7

There is no tool like vconfig in Windows 7. The VLAN features depend on the network adapter and driver installed. Please see the respective download sites of your network card to obtain the correct VLAN enabled driver.

Note

There is also the possibility that your network card will not support VLANs at all.

To see what network card and driver you have, go to START → Control Panel → System and Security → Device manager → Network Adapters menu. Here you should see your network card. Right click on it and select the Properties option.

Fig. 11.12: Adding VLANs in Windows 7

In the example, we added a VLAN 2 interface. See the respective network card manuals for more details.

If you were successful in adding a new VLAN interface, you should see this interface among the other physical network interfaces. Set the IP address, mask and gateway as usual:

  • IP address: 192.168.2.1

  • Subnet Mask: 255.255.255.0

  • Default Gateway: 192.168.2.251

Now you just need to add routes to the 192.168.2.2 and 192.168.2.252 IP addresses. Run the Command prompt and type:

  • route add 192.168.2.252 mask 255.255.255.255 192.168.2.251

  • route add 192.168.2.2 mask 255.255.255.255 192.168.2.251

Note

You need Admin privileges to add a route in Windows 7.

Test the Connectivity

The test is exactly the same as described in previous chapters.

You can run the Monitoring feature in RipEX to capture packets on the radio/Ethernet interfaces and see Ethernet VLAN tags and other valuable information. See the following example:

Fig. 11.13: Monitoring ping packets with VLAN tags

VLAN on “Both Ends”

We can also configure VLANs on both RipEX units so the VLAN (tagged) data will be transmitted via the Ethernet link between PC #2 and RipEX B too. However, traffic is always untagged on the radio channel.

See the following diagram:

Fig. 11.14: VLAN configuration diagram #2

RipEX Configuration

RipEX A has the same configuration as in the previous example. If you want to test the connectivity of RipEX ETH interfaces, you need to add this routing rule:

  • Destination: 192.168.4.0/24, Mask: 255.255.255.0, Gateway 10.10.10.4

RipEX B needs several changes. Change the Ethernet IP address to 192.168.4.252 with the mask 255.255.255.0. Now go to the VLAN & Subnets menu, enable the feature and add a new VLAN – we will use VLAN ID 2 with the IP address 192.168.2.252.

Fig. 11.15: RipEX B VLAN configuration

The VLAN ID is the same as used on RipEX A, but we can set any ID when needed.

Note

You can try to enable VLAN on the default interface after you complete this example.

The RipEX B routing table consists of three rules:

  • Destination: 192.168.2.251/32, Mask: 255.255.255.255, Gateway 10.10.10.2

  • Destination: 192.168.2.1/32, Mask: 255.255.255.255, Gateway 10.10.10.2

  • Destination: 192.168.3.0/24, Mask: 255.255.255.0, Gateway 10.10.10.2

Fig. 11.16: RipEX B Routing table

Computer Configuration

We do not need to change anything on PC #1. PC #2 needs the following changes:

  • IP address: 192.168.4.2, mask 255.255.255.0, gateway 192.168.4.252

Now we need to add the VLAN interface with an ID 2. See the procedure in the previous example.

When you have added the VLAN interface, add the following routing rules:

  • route add 192.168.2.251 mask 255.255.255.255 192.168.2.252

  • route add 192.168.2.1 mask 255.255.255.255 192.168.2.252

Note

You need Admin privileges to add a route in Windows 7.

Test the Connectivity

Follow the steps described in any of the previous sections called “Test the Connectivity”. You should be able to ping any VLAN or Ethernet IP address from any unit.

Management VLAN

Now you should be experienced enough for the next test. Set another VLAN ID on both computers. Use the same VLAN ID on ETH.0 interface for the RipEX management. You will have a “VLAN only” network.

See one of the possible examples:

Fig. 11.17: 15 Management VLAN diagram

Note

VLAN 2 is on the same subnet 192.168.2.0/24. VLAN 3 is on the subnet 192.168.3.0/24 and VLAN 4 is on the 192.168.4.0/24 subnet.

11.5. Summary

We have described just a few basic examples of VLAN & ARP proxy usage. Feel free to download the RipEX User manual from http://www.racom.eu/download/hw/ripex/free/eng/ripex-m-en.pdf or the Application notes from http://www.racom.eu/download/hw/ripex/free/eng/ripex-app-en.pdf to conduct further tests.

Do not hesitate to contact us if you have any questions:

RACOM technical support team
E-mail:
Tel.: +420 565 659 511