Comments on: Does the ISA Firewall Support VLAN Tagging?

by: MV

Wed, 18 Oct 2006 20:51:42 +0000

What about SP2 and the VB script in KB 912943?

At the end of the KB it says:

You cannot enable 802.1Q VLAN tagging and integrated NLB on the same interface of a network adapter. This limitation is imposed by NLB. (What Jim says above)

But then the KB also mentions:

You cannot enable both 802.1Q VLAN tagging and integrated NLB on different interfaces of a network adapter on ISA Server 2004, Enterprise Edition computers. To enable this functionality, you must install ISA Server 2004 SP2 and run the VBScript file that is described in the “Resolution” section.”

So there is some support for it but not on the same interface….

by: Jim Harrison

Wed, 04 Oct 2006 18:55:32 +0000

NLB; not ISA, is the limiting factor here.
You can’t use 802.1Q or 802.1ag with NLB because of the way NLB manipulates the packets.

by: Polom

Wed, 04 Oct 2006 15:12:38 +0000

Hello Tom,

I’m using an ISA Server 2004 to filter the traffic between many VLAN and IPSec tunnels (aka “remote sites”). All my VLAN are managed on a team (802.3ad) of gb adapters and everything works fine.

The only major drawback of that technical choice (Windows Server and ISA in the heart of my network !) is that I have no way to implement fault tolerance I would have loved migrating to ISA Server EE but it’s impossible, even for that such a critical system !

The reason is that, to my knowledge, there’s no way to use both ISA’s integrated NLB and 802.1Q.

In the long run it may lead me to use a different solution for my security need, because redundancy becomes a prerequisite for my company

Any ideas are welcome !

Best regards,
Polom.