2. Layer-2 Ethernet-based VPN


    Comparing version 18:20, 22 Feb 2013 by yagi with version 10:58, 28 Feb 2019 by seoss.

    ...

    SoftEther VPN encapsulates Ethernet over HTTPS to transmit frames over the Internet.

    ...

    An Ethernet switch, also known as a Hub or Layer-2 Switch, is a device that exchanges packets between Ethernet hosts. A switch keeps an FDB (Forwarding Database) to determine the appropriate outgoing port for a packet that arrived on an incoming port. This behavior is called "switching" and is the major function of a switch.

    ...

    SoftEther VPN virtualizes and emulates the Ethernet switch. The virtual Ethernet switch is called a "Virtual Hub" in the software. SoftEther VPN also virtualizes and emulates the Ethernet adapter; the virtual Ethernet adapter is called a "Virtual Network Adapter" in the software. Finally, SoftEther VPN virtualizes and emulates the Ethernet network cable; the virtual Ethernet network cable is called a "VPN Session" or "VPN Tunnel" in the software.

    These three elements are important for understanding SoftEther VPN. For example, to build a remote access VPN that accepts VPN connections from a remote site to the company LAN, you create a Virtual Hub on the VPN Server in the company LAN. That Virtual Hub forms an Ethernet segment. You then connect the Virtual Hub and the physical network adapter on the server computer to each other, so that the Virtual Hub's segment and the existing physical LAN are combined into a single Ethernet segment. Next, you install the VPN Client software on the remote client PC, for instance a laptop. The VPN Client software can create a Virtual Network Adapter on the client PC. You create a connection setting to connect the VPN Client to the Virtual Hub on the VPN Server in your company. When you start the connection, a new VPN Session is established between the Virtual Network Adapter and the Virtual Hub. This is very similar to attaching one end of an Ethernet cable to a physical Hub and the other end to the physical Ethernet adapter on the computer. It is not only similar: in terms of the logical behavior of Ethernet it is exactly the same. After you establish the VPN connection, you can send and receive any protocol suitable for Ethernet. All packets are transmitted over the virtual cable, called the VPN Session or VPN Tunnel.

    ...

    A Virtual Hub is a software-implemented Ethernet Switch. It exchanges packets between devices.

    ...

    You can create a lot of Virtual Hubs on SoftEther VPN Server. Each Virtual Hub is isolated from the others.

    ...

    You can create a lot of Virtual Network Adapters on the client-side PC with SoftEther VPN Client.
    Each Virtual Network Adapter is regarded as a "real" Ethernet adapter, as if it were attached to the PC.

     

    ...

    Unlike legacy IPsec or PPTP VPNs, the SoftEther VPN Protocol can carry any kind of packet.
    You can use any "local-network oriented" application without any modifications.

    ...

    SoftEther VPN Client behaves the same as if the computer were physically connected to the local area network.
    For example, unlike with layer-3 based VPNs, a Windows client PC in your home will enumerate computers
    on the office network.

    ...

    You can treat a Site-to-Site VPN as a "very long Ethernet cable between remote sites".

    2.5. Virtual Hubs, Cascades and Local Bridges

    SoftEther VPN Server and SoftEther VPN Bridge have the concepts of Virtual Hubs, Cascades and Local Bridges.

    Virtual Hub

    A Virtual Hub is an entity on the VPN Server and VPN Bridge that emulates the behavior of Ethernet switches in the real world. A Virtual Hub has its own FDB (Forwarding Database). Many VPN Sessions can be connected to a Virtual Hub, and every endpoint of those VPN Sessions can send and receive any Ethernet packets.

    Any Virtual Hub can accept connections from both VPN Clients and other Virtual Hubs. VPN Client is a software program that runs on the user's client-endpoint PC.

    ...

    A Virtual Hub has many connected VPN sessions and a Forwarding Database (FDB) to learn MAC addresses.

    ...

    Like physical Ethernet switch products, a Virtual Hub learns the MAC addresses of each VPN session automatically.

    ...

    On SoftEther VPN Server, you can create as many Virtual Hubs as you wish (up to 4096). Every Virtual Hub forms its own Ethernet segment and is totally separated from the other Hubs, even when they are located on the same VPN Server computer. This is similar to having several Ethernet switches on the same desk: the switches are not connected to each other, so each Ethernet segment is independent. But if you connect an Ethernet network cable between ports of the switches, the Ethernet segments are united. In the same way, you can create a link between Virtual Hubs on the same computer if necessary. This is called a "Cascade Connection" or simply a "Cascade". Cascade is a popular technical term in Ethernet. Once a cascade connection is established, the Ethernet segments of the Virtual Hubs are united as a single segment.

    You can also create a cascade connection between remote VPN Servers. If you have a VPN Server in both Tokyo and Beijing, and each VPN Server has a Virtual Hub, you can establish a cascade connection between the two Hubs. The two Hubs are then united as a single segment. A computer that belongs to Tokyo's Hub can now communicate with a computer that belongs to Beijing's Hub.

    You can also define multiple cascade connections on a Virtual Hub.

    ...

    Define a cascade connection with the GUI. It is very easy.

    ...

    Virtual Hubs, cascades and VPN Clients alone are not very convenient, because every computer must have VPN Client installed and must connect to a Virtual Hub in order to communicate with the others. In that usage, computers outside the Virtual Hub's segment cannot take part in the communication. It is possible, but not good for company use of a VPN.

    The Local Bridge function can be used to extend an Ethernet segment in a Virtual Hub to outside physical Ethernet segments.

    Local Bridge is a technology that unites the virtual Ethernet segment and the physical Ethernet segment. Your company has an existing Ethernet segment on a physical Ethernet switch. To realize a usable remote access VPN or site-to-site VPN, you have to connect the Ethernet segment on the Virtual Hub to the Ethernet segment on the physical Ethernet switch somehow. The answer is to use a Local Bridge. A Local Bridge makes two segments exchange Ethernet packets with each other. If you have a Local Bridge between the physical Ethernet segment and the Virtual Hub's segment, all computers connected to the Virtual Hub can communicate with all computers on the existing physical network. In practice, a Local Bridge is applied between a Virtual Hub and an Ethernet network adapter that is connected to the physical Ethernet switch, so to use a Local Bridge you need a dedicated physical Ethernet adapter. (In fact, the Ethernet adapter can be shared with other purposes, such as physically transmitting packets to the Internet to keep the VPN Session, but it is highly recommended to prepare a dedicated one for performance reasons.)

    ...

    Local Bridge is a function that links Virtual Segments and Physical Segments.

    ...

    Combining Local Bridge and Cascade Connection can build widely spread Site-to-Site VPNs.
    You can bind a lot of branches around the world.

    ...

    To define a local bridge, select a Virtual Hub and a Physical Ethernet Adapter, and just click a button.

    ...

    A Virtual Hub can insert or remove the IEEE802.1Q VLAN tag. VLAN settings are per user or per group.

    ...

    Define a "VLAN ID (IEEE802.1Q)" security policy per user or per group.

    ...

    A Virtual Hub learns the association of both MAC addresses and VLAN IDs.
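The FDB learning described in this section, covering both plain MAC learning and the MAC plus VLAN ID association, can be modelled as follows. This is an added example of a generic learning switch, not SoftEther's own code: the class `LearningHub`, the session names and the sample frames are hypothetical, and entry aging and per-user VLAN policies are not modelled.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID that marks an IEEE 802.1Q tagged frame


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def frame(dst, src, vlan=None, payload=b"\x00" * 46):
    """Build a constructed sample Ethernet frame, optionally 802.1Q tagged."""
    header = mac(dst) + mac(src)
    if vlan is not None:
        header += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", 0x0800) + payload


def parse_frame(raw):
    """Return (dst_mac, src_mac, vlan_id); vlan_id is None when untagged."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan = None
    if ethertype == ETH_P_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", raw[14:16])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
    return dst, src, vlan


class LearningHub:
    """Simplified model of one isolated hub with its own FDB."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()
        self.fdb = {}  # (vlan_id, mac) -> session that last sent from it

    def attach(self, session):
        self.sessions.add(session)

    def receive(self, session, raw):
        """Learn the source, then return the sessions the frame goes to."""
        if session not in self.sessions:
            raise KeyError("session is not attached to this hub")
        dst, src, vlan = parse_frame(raw)
        if not src[0] & 1:  # never learn a group (multicast) source address
            self.fdb[(vlan, src)] = session
        known = self.fdb.get((vlan, dst))
        if dst[0] & 1 or known is None:
            # Broadcast, multicast or unknown unicast: flood to every other
            # session (VLAN membership of sessions is not modelled here).
            return sorted(self.sessions - {session})
        return [] if known == session else [known]


def fdb_demo():
    hub = LearningHub("HUB-A")
    for name in ("session-1", "session-2", "session-3"):
        hub.attach(name)
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    return [
        hub.receive("session-1", frame(b, a)),           # b unknown: flooded
        hub.receive("session-2", frame(a, b)),           # a was learned
        hub.receive("session-1", frame(b, a)),           # b now learned
        hub.receive("session-1", frame(b, a, vlan=10)),  # (10, b) unknown
    ]


if __name__ == "__main__":
    print(fdb_demo())
```

The last call floods even though the same MAC address was already learned untagged, because the table is keyed on the VLAN ID as well as the address; until an entry is learned, every other session on the hub receives the frame.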

    ...

    You can create not only a virtual layer-2 switch (Virtual Hub) on the VPN Server, but also a Virtual Layer-3 Switch. A Layer-3 switch is an entity that behaves the same as an IP router. The current version of SoftEther VPN supports only the IPv4 protocol on Layer-3 Switches. As with Virtual Hubs, you can create multiple Virtual Layer-3 Switches on a VPN Server.

    A Virtual Layer-3 Switch has multiple virtual interfaces, and each interface can be connected to a Virtual Hub on the same VPN Server. You can then set up IPv4 subnet routing between Virtual Hubs. If you want to create several separate Virtual Hubs for any reason, for example security or management convenience, but want them to be routed by traditional IPv4 routing mechanisms, creating Virtual Layer-3 Switches is a simple way to do so, rather than placing physical IP routers or expensive layer-3 switch products on the physical network.

    ...

    A Virtual Layer-3 Switch is a software-based IP router.

    ...

    You can create an unlimited number of Virtual Layer-3 Switches.
    You can define an unlimited number of Virtual Interfaces and Routing Table Entries.
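How virtual interfaces and routing table entries decide which Virtual Hub a packet leaves on can be sketched as a small lookup. This is an added example of generic IPv4 routing, not SoftEther's own code: the class `VirtualL3Switch`, the hub names and all addresses are hypothetical sample values.

```python
import ipaddress


class VirtualL3Switch:
    """Simplified IPv4-only router whose interfaces attach to named hubs."""

    def __init__(self):
        self.interfaces = {}  # hub name -> IPv4Interface (address + subnet)
        self.routes = []      # (IPv4Network, gateway IPv4Address)

    def add_interface(self, hub, cidr):
        self.interfaces[hub] = ipaddress.IPv4Interface(cidr)

    def _connected_hub(self, addr):
        """Return the hub whose interface subnet contains addr, else None."""
        for hub, iface in self.interfaces.items():
            if addr in iface.network:
                return hub
        return None

    def add_route(self, network, gateway):
        gw = ipaddress.IPv4Address(gateway)
        if self._connected_hub(gw) is None:
            raise ValueError("gateway is not on any attached hub's subnet")
        self.routes.append((ipaddress.IPv4Network(network), gw))

    def next_hop(self, dst):
        """Return (hub, next-hop address as str), or None if not routable."""
        try:
            addr = ipaddress.IPv4Address(dst)
        except ipaddress.AddressValueError:
            return None  # IPv6 or malformed: only IPv4 is routed
        hub = self._connected_hub(addr)
        if hub is not None:
            return hub, str(addr)  # directly attached subnet
        matches = [(net, gw) for net, gw in self.routes if addr in net]
        if not matches:
            return None  # no interface subnet and no route: dropped
        _, gw = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix
        return self._connected_hub(gw), str(gw)


def l3_demo():
    sw = VirtualL3Switch()
    sw.add_interface("HUB-SALES", "192.168.10.254/24")
    sw.add_interface("HUB-DEV", "192.168.20.254/24")
    sw.add_route("10.0.0.0/8", "192.168.20.1")
    return [
        sw.next_hop("192.168.20.7"),  # attached subnet of HUB-DEV
        sw.next_hop("10.1.2.3"),      # via routing table entry
        sw.next_hop("172.16.0.1"),    # nothing matches
        sw.next_hop("2001:db8::1"),   # not IPv4
    ]


if __name__ == "__main__":
    print(l3_demo())
```

The two hubs stay separate Ethernet segments; only IPv4 packets that match an interface subnet or a routing table entry cross between them, which is what to review when hubs were split for security reasons.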

