VLAN is an acronym for Virtual Local Area Network. Several VLANs can co-exist on a single physical switch, which are configured via Linux software and not through hardware interface (you still need to configure actual hardware switch too).
Hubs or switch connects all nodes in a LAN and node can communicate without a router. For example, all nodes in LAN A can communicate with each other without the need for a router. If a node from LAN A wants to communicate with LAN B node, you need to use a router. Therefore, each LAN (A, B, C and so on) are separated using a router.
VLAN as a name suggest combine multiple LANs at once. But, what are the advantages of VLAN?
- Ease of management.
- VLANs give you the ability to sub-divide a LAN for security purpose.
- You don't have to configure any hardware device, when physically moving server computer to another location and more.
Fundamental discussion about VLAN or switches is beyond the scope of this blog post. I suggest the following textbooks:
A note about your LAN hardware
- To be able to use VLANs you will need a switch that support the IEEE 802.1q standard on an Ethernet network.
- You will also need a NIC (Network Interface Card) that works with Linux and support 802.1q standard .
Linux VLAN configuration issues
I am lucky enough to get a couple of hints from our internal wiki:
- Not all network drivers support VLAN. You may need to patch your driver.
- MTU may be another problem. VLAN works by tagging each frame i.e. an Ethernet header extension that enlarges the header from 14 to 18 bytes. The VLAN tag contains the VLAN ID and priority.
- Do not use VLAN ID 1 as it may be used for admin purpose.
Enough talk, let's get to the Linux VLAN configurations.
Setting up 802.1q VLAN tagging by loading 8021q Linux kernel driver
First, make sure that the Linux kernel driver (module) called 8021q is loaded:
# lsmod | grep 8021q
If the module is not loaded, load it with the following modprobe command:
# modprobe 8021q
Method #1: CentOS/RHLE/Fedora Linux VLAN HowTo
I am using RHEL/CentOS Linux with VLAN ID # 5. So I need to copy file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.5
# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.5
Now, I've one network card (eth0) and it needs to tagged network traffic for VLAN ID 5.
- eth0 - Your regular network interface
- eth0.5 - Your virtual interface that use untagged frames
Do not modify /etc/sysconfig/network-scripts/ifcfg-eth0 file. Now open file /etc/sysconfig/network-scripts/ifcfg-eth0.5 using a text editor such as vi, type:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0.5
Find DEVICE=eth0 line and replace with:
Also, append the following line:
Make sure you assign correct IP address using DHCP or static IP. Remove gateway entry from all other network config files. Only add gateway to /etc/sysconfig/network file. This whole configuration may sound complicated. So I am including sample configurations files for you:
# VLAN configuration for my eth0 with ID - 5 # DEVICE=eth0.5 BOOTPROTO=none ONBOOT=yes IPADDR=192.168.1.5 NETMASK=255.255.255.0 USERCTL=no NETWORK=192.168.1.0 VLAN=yes
# Actual configuration for my eth0 physical interface ## DEVICE=eth0 TYPE=Ethernet BOOTPROTO=none ONBOOT=yes
Finally, restart networking service on a CentOS/RHEL/Fedora Linux, type:
# /etc/init.d/network restart
# service network restart
NOTE: If you need a second VLAN i.e. you need to configure for VLAN ID 2 then copy the /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.2 and do the above procedure again.
Method #2: Using the vconfig command
Above method is perfect and works with a Red hat Enterprise Linux / CentOS / Fedora Linux without any problem. However, you will notice that there is a command called vconfig. The vconfig program allows you to create and remove vlan-devices on a vlan enabled kernel. Vlan-devices are virtual Ethernet devices which represents the virtual lans on the physical lan. This is yet another method of configuring VLAN. To add VLAN ID 5 with following command for eth0 interface:
# vconfig add eth0 5
The vconfig add command creates a vlan-device on eth0 which result into eth0.5 interface. You can use normal ifconfig command to see device information:
# ifconfig eth0.5
Use ifconfig command to assign IP address to vlan interfere:
# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up
To get detailed information about VLAN interface, type:
# cat /proc/net/vlan/eth0.5
If you wish to delete VLAN interface use delete command as follows:
# ifconfig eth0.5 down
# vconfig rem eth0.5
See vconfig(8) Linux man page for more information on syntax and examples.
Method #3: Create the VLAN device using the ip command
Use the ip command as follows for the interface eth0, and the vlan id is 5:
# ip link add link eth0 name eth0.5 type vlan id 5
# ip link
# ip -d link show eth0.5
You need to activate and add an IP address to vlan link, type:
# ip addr add 192.168.1.200/24 brd 192.168.1.255 dev eth0.5
# ip link set dev eth0.5 up
All traffic will go through the eth0 interface bith with a BLAN tag 5. Only VLAN aware devices can accept the traffic, otherwise the traffic is dropped.
How can I remove VLAN ID 5?
Type the following commands
# ip link set dev eth0.5 down
# ip link delete eth0.5
How do I make above VLAN configuration permanent on a Debian or Ubuntu based system?
Edit the /etc/network/interfaces file, enter:
$ sudo vi /etc/network/interfaces
Update configuration as follows:
## vlan for eth0 with ID - 5 on a Debian/Ubuntu Linux## auto eth0.5 iface eth0.5 inet static address 192.168.1.200 netmask 255.255.255.0 vlan-raw-device eth0
Save and close the file.
# Additional correction by John T and others; Editing by VG - log #TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!
- 30 Cool Open Source Software I Discovered in 2013
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop