HowTo: Configure Linux Virtual Local Area Network (VLAN)

VLAN is an acronym for Virtual Local Area Network. Several VLANs can co-exist on a single physical switch. On the Linux side they are configured in software and not through a hardware interface (you still need to configure the actual hardware switch too).

A hub or switch connects all nodes in a LAN, and nodes can communicate without a router. For example, all nodes in LAN A can communicate with each other without the need for a router. If a node from LAN A wants to communicate with a node in LAN B, you need to use a router. Therefore, each LAN (A, B, C and so on) is separated using a router.

VLAN, as the name suggests, combines multiple LANs at once. But what are the advantages of VLAN?

  • Performance.
  • Ease of management.
  • Security.
  • Trunks.
  • VLANs give you the ability to sub-divide a LAN for security purpose.
  • You don’t have to configure any hardware device when physically moving a server computer to another location, and more.

Fundamental discussion about VLAN or switches is beyond the scope of this blog post. I suggest the following textbooks:

A note about your LAN hardware

  1. To be able to use VLANs you will need a switch that supports the IEEE 802.1q standard on an Ethernet network.
  2. You will also need a NIC (Network Interface Card) that works with Linux and supports the 802.1q standard.

Linux VLAN configuration issues

I am lucky enough to get a couple of hints from our internal wiki:

  • Not all network drivers support VLAN. You may need to patch your driver.
  • MTU may be another problem. VLAN works by tagging each frame, i.e. with an Ethernet header extension that enlarges the header from 14 to 18 bytes. The VLAN tag contains the VLAN ID and priority.
  • Do not use VLAN ID 1 as it may be used for admin purposes.
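
The 14-to-18-byte header growth described above, as an added Python example (not code from the original post): it builds one untagged and one 802.1Q-tagged Ethernet frame and parses both to show where the tag sits and how the VLAN ID and priority are packed. The MAC addresses and the zero-filled payload are constructed sample data, and the function names are this example's own.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Return an Ethernet frame; insert a 4-byte 802.1Q tag when vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:      # VID 0 (priority-only) and 4095 are reserved
            raise ValueError("VLAN ID must be 1-4094")
        if not 0 <= priority <= 7:        # priority field is 3 bits wide
            raise ValueError("priority must be 0-7")
        tci = (priority << 13) | vlan_id  # PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return header length, VLAN ID, priority and the payload's EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    info = {"header_len": 14, "vlan_id": None, "priority": None}
    if ethertype == TPID_8021Q:           # tag sits between source MAC and real type
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info.update(header_len=18, vlan_id=tci & 0x0FFF, priority=tci >> 13)
    info["ethertype"] = ethertype
    return info


# Constructed sample data: made-up MAC addresses and a dummy 46-byte payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = bytes(46)

untagged = build_frame(DST, SRC, 0x0800, PAYLOAD)
tagged = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=5, priority=3)

if __name__ == "__main__":
    for name, frame in (("untagged", untagged), ("tagged", tagged)):
        print(name, len(frame), parse_frame(frame))
```

The tagged frame is 4 bytes longer for the same payload, which is why a driver or switch that only accepts standard-size frames can drop full-size tagged traffic.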

Enough talk, let’s get to the Linux VLAN configurations.

Setting up 802.1q VLAN tagging by loading 8021q Linux kernel driver

First, make sure that the Linux kernel driver (module) called 8021q is loaded:
# lsmod | grep 8021q
If the module is not loaded, load it with the following modprobe command:
# modprobe 8021q

Method #1: CentOS/RHEL/Fedora Linux VLAN HowTo

I am using RHEL/CentOS Linux with VLAN ID # 5. So I need to copy file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.5
# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.5
Now, I’ve one network card (eth0) and it needs to tag network traffic for VLAN ID 5.

  • eth0 – Your regular network interface
  • eth0.5 – Your virtual interface that uses untagged frames

Do not modify /etc/sysconfig/network-scripts/ifcfg-eth0 file. Now open file /etc/sysconfig/network-scripts/ifcfg-eth0.5 using a text editor such as vi, type:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0.5
Find DEVICE=eth0 line and replace with:
DEVICE=eth0.5
Also, append the following line:
VLAN=yes
Make sure you assign the correct IP address using DHCP or a static IP. Remove the gateway entry from all other network config files. Only add the gateway to the /etc/sysconfig/network file. This whole configuration may sound complicated, so I am including sample configuration files for you:

/etc/sysconfig/network-scripts/ifcfg-eth0.5 file

# VLAN configuration for my eth0  with ID - 5 #
DEVICE=eth0.5
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.5
NETMASK=255.255.255.0
USERCTL=no
NETWORK=192.168.1.0
VLAN=yes

/etc/sysconfig/network-scripts/ifcfg-eth0 file

# Actual configuration for my eth0 physical interface ##
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes

Finally, restart networking service on a CentOS/RHEL/Fedora Linux, type:
# /etc/init.d/network restart
OR
# service network restart

NOTE: If you need a second VLAN, i.e. you need to configure VLAN ID 2, then copy /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.2 and do the above procedure again.

Method #2: Using the vconfig command

The above method is perfect and works with Red Hat Enterprise Linux / CentOS / Fedora Linux without any problem. However, you will notice that there is a command called vconfig. The vconfig program allows you to create and remove VLAN devices on a VLAN-enabled kernel. VLAN devices are virtual Ethernet devices which represent the virtual LANs on the physical LAN. This is yet another method of configuring a VLAN. To add VLAN ID 5 for the eth0 interface, use the following command:
# vconfig add eth0 5
The vconfig add command creates a VLAN device on eth0, which results in the eth0.5 interface. You can use the normal ifconfig command to see device information:
# ifconfig eth0.5
Use the ifconfig command to assign an IP address to the VLAN interface:
# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up
To get detailed information about VLAN interface, type:
# cat /proc/net/vlan/eth0.5
If you wish to delete the VLAN interface, use the following commands:
# ifconfig eth0.5 down
# vconfig rem eth0.5

See for more information on syntax and examples.

Method #3: Create the VLAN device using the ip command

Use the ip command as follows for the interface eth0 and VLAN ID 5:
# ip link add link eth0 name eth0.5 type vlan id 5
# ip link
# ip -d link show eth0.5

You need to add an IP address to the VLAN link and activate it, type:
# ip addr add 192.168.1.200/24 brd 192.168.1.255 dev eth0.5
# ip link set dev eth0.5 up

All traffic will go through the eth0 interface with a VLAN tag of 5. Only VLAN-aware devices can accept the traffic, otherwise the traffic is dropped.

How can I remove VLAN ID 5?

Type the following commands:
# ip link set dev eth0.5 down
# ip link delete eth0.5

How do I make above VLAN configuration permanent on a Debian or Ubuntu based system?

Edit the /etc/network/interfaces file, enter:
$ sudo vi /etc/network/interfaces
Update configuration as follows:

## vlan for eth0 with ID - 5 on a Debian/Ubuntu Linux##
auto eth0.5
iface eth0.5 inet static
    address 192.168.1.200
    netmask 255.255.255.0
    vlan-raw-device eth0

Save and close the file.

See also
  • Man pages –

# Additional correction by John T and others; Editing by VG – log #

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

56 comments
  • after reading,there are some question Jun 20, 2008 @ 21:46

    Yes, after reading this topic, I learned a lot. So first, thanks to everyone.
    Back to this topic, I have a question.
    The topic owner says “an Ethernet header extension that enlarges the header from 14 to 18 bytes”; what does that mean? I captured a frame. An Ethernet header contains destination, source and type fields. (I use ADSL.) Does the enlarging above mean adding a field to the Ethernet header, or adding one in another place?
    My goal is building an experiment environment for network communication. It will be a complex one. It contains hundreds of nodes with multiple topology structures.
    Could someone give me a hand? And is VLAN OK for it? If not, what is?

  • shirish Jul 17, 2008 @ 9:30

    very Helpful

  • D Sep 26, 2008 @ 17:49

    It worked

  • siva Nov 14, 2008 @ 8:33

    Hey folks,

    I have a couple of questions:

    1. If I want to copy a file from my Windows desktop to my Linux (RHEL 4.0) virtual machine, how should I do it?

    2. How can I assign an IP address to my virtual machine?

    Thanks
    NSiva

  • dekkard Dec 25, 2008 @ 6:04

    very nice! 2 minutes & vlans are set
    thanx

  • sathishenet Feb 10, 2009 @ 6:49

    Hi All,

    Very, very basic question: for configuring VLAN in Linux, is it necessary to have manageable switches?

    Thanks,
    Sathish

  • Manisha Apr 20, 2009 @ 12:20

    Can you give me the whole code for a virtual LAN? There should be a browser, and it should allow us to access a file from another IP address, and it should allow copy, paste, save and open commands in that program for the accessed file.

  • Shlomi May 25, 2009 @ 12:31

    The line “DEVICE=ifcfg-eth0.5”, should be written as “DEVICE=eth0.5” !!!

  • Arun Menon Nov 26, 2009 @ 10:48

    hey folks
    how can I configure the VLAN priority bits on the Ethernet header… it would be of great help if anyone could provide some inputs on this

    regards
    Arun

  • Venkat Jan 17, 2010 @ 2:44

    In the above test I have seen the statement like “Remove gateway entry from all other network config files.” How can I find the places where the gateway is configured on the system?

    Please let me know how I can test my VLAN config using one single Linux PC?

  • sayantan Feb 7, 2010 @ 8:18

    Is it a virtual IP? Can it be used with RAC?

  • hafeez Mar 18, 2010 @ 7:29

    A working configuration example from hafeezisbad@gmail.com

    Server ip : 172.27.0.10
    Switch ip / gateway ip of server : 172.27.0.100
    Option domain-name servers : 172.27.0.6

    Please note default vlan 172.27.0.x in this case

    Switch and server need to be in default lan for communication / or else we need to trunk in case other vlan connected, we need to configure vconfig on server to communicate

    For beginners I would recommend going for the default vlan connectivity

    Example :

    ddns-update-style interim;
    ignore client-updates;
    default-lease-time 43200;
    max-lease-time 43200;
    authoritative;
    
    
    #-----subnet mask-- broadcast-- gateway-#
    
    option subnet-mask 255.255.255.0;
    #option broadcast-address 192.168.1.1;
    option routers 172.27.0.100;
    option domain-name-servers 172.27.0.6;
    
    
    # ----------- Server Scope and vlan1 with switches and server--------------#
    subnet 172.27.0.0 netmask 255.255.255.0 {
    #range 172.27.0.0 172.27.0.50;
    option routers 172.27.0.1;
    #option subnet-mask 255.255.255.0;
    option broadcast-address 172.27.0.255;
    #option domain-name-servers 172.27.0.5;
    }
    
    
    # ----------- clients1 Scope-vlan2-------------#
    subnet 172.27.1.0 netmask 255.255.255.0 {
    range 172.27.1.3 172.27.1.200;
    option routers 172.27.1.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 172.27.1.255;
    #option domain-name-servers 192.168.1.1 #
    }
    
    
    Save the file
    
    chkconfig --list dhcpd on

    { For enabling the service on all run levels }
    service dhcpd start
    In case the dhcp server failed to start, check the log messages

    /var/log/messages

    Check for the ip helper address in the layer 3 switch, which acts as dhcp-relay
    Which has to be configured as 172.27.0.10

    Troubleshooting Dhcp server start up error :

    1) Run the Dhcp service in debug mode
    2) Check the ip configuration
    3) Check for syntax errors in dhcpd.conf file
    4) Check for the right location of the dhcpd file
    5) Ping test between the switch and server
    6) Possible conflict of other dhcp server may be the issue

    dhcpd in the foreground in debug mode with /usr/sbin/dhcpd -d -f

    Hopefully, a DHCP server like the one we’ll be configuring will respond. Running tcpdump shows a dhcp request looks like:
    17:26:02.003956 00:00:00:00:00:00 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
    You should notice DHCP running in the process (ps) list. Any problems, check syslog

    Congratulations you have finally configured In easy steps

  • kashyap Apr 6, 2010 @ 7:14

    Hi,
    I have just installed rh5 in a Xen server. I have attached a vlan to the virtual rh5 server.
    The problem is I am unable to view any interface. I see only loop back device.
    I have even tried modprobe 8021q but still no success.
    I am using 2.6.18-92.el5xen kernel.
    Any help would be great

  • Redman Apr 21, 2010 @ 9:49

    hi all

    we are on a VLAN network. My issue is on the dhcpd.conf side because I want to configure my openSUSE 11 box to serve IPs (DHCP server) on different VLANs. I want to replace our Windows DHCP server for some technical reasons. My SUSE box has only one physical network interface; is it possible to serve all VLANs? iphelper is already configured on our L3 switches. Actually, our Windows DHCP server is already running and serving these VLANs, but I just want to replace it with Linux

    is this a dhcpd issue to vconfig?

    here is our VLAN scheme

    Dept.1

    VLAN # xx
    Range : 192.168.24.xxx-xxx

    Dept.2
    VLAN # xx
    Range : 192.168.24.xxx – xxx

    Dept.3
    VLAN # xx
    Range : 192.168.24.xxx-xxx

    Dept.4
    VLAN #xx
    Range : 192.168.24.xxx-xxx

    Dept. 5
    VLAN # xx
    Range 192.168.20.xxx.xxx

  • Bo Svensson May 8, 2010 @ 11:37

    Hi all!
    I want to set up a functionality rich, cost efficient, energy efficient, network like this:
    – A Linux box (e.g. based on a Mini-ITX with one NIC),
    connected to a managed switch (with VLAN support, like DES-3010GA).
    The link between Linux box and switch will be only tagged (all VLAN:s).
    On the switch I want untagged VLAN:s, like “internet”, “DMZ” and “LAN”.

    My question: Can the Linux box be both VLAN manager and router (replace
    a Level 3 switch) and firewall or do I need a second Linux with three NICs?

    If it can be done with one Linux box and a switch, then I can get the whole
    package (DMZ firewall, VLAN-support, VPN, etc) for some $600. The total
    power consumption would be around 40 watt (Linux+switch). As green as
    it gets 🙂

    Has anyone done anything similar?

    Regards, Bo Svensson

  • audio rodriguez Oct 2, 2010 @ 20:56

    How do I do VLAN with vconfig in Windows?

  • Thomas Oct 22, 2010 @ 12:17

    With your HowTo:

    Box1:
    # vconfig add eth0 5
    # ifconfig vlan5 10.0.0.1/24

    Box2:
    # vconfig add eth0 5
    # ifconfig vlan5 10.0.0.2/24

    If both boxes are connected to the same network, I’d assume pinging from one to the other shall work:
    Box1:
    # ping 10.0.0.1
    PING 10.0.0.1 (10.0.0.2) 56(84) bytes of data.
    64 bytes from 10.0.0.1: icmp_req=1 ttl=64 time=0.037 ms
    64 bytes from 10.0.0.1: icmp_req=2 ttl=64 time=0.021 ms
    ^C

    # ping 10.0.0.2
    PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
    From 10.0.0.2 icmp_seq=1 Destination Host Unreachable
    From 10.0.0.2 icmp_seq=2 Destination Host Unreachable
    From 10.0.0.2 icmp_seq=3 Destination Host Unreachable
    ^C

    Routing is set up OK on both boxes:
    Box1:
    # route
    Kernel-IP-Routentabelle
    Ziel Router Genmask Flags Metric Ref Use Iface
    10.0.0.0 * 255.255.255.0 U 0 0 0 vlan5

    Box2:
    # route
    Kernel-IP-Routentabelle
    Ziel Router Genmask Flags Metric Ref Use Iface
    10.0.0.0 * 255.255.255.0 U 0 0 0 vlan5

    Since there is nothing than a little, unmanageable switch in between these two hosts …

  • venky Feb 24, 2011 @ 6:39

    Regarding Ethernet switch,
    If I have to configure two VLANs with VID = 3700 and 3800, what value do I put in field FID, since it is only 7 bit and cannot contain the above mentioned VIDs

  • Vaerer Jul 1, 2011 @ 9:42

    “My VLAN ID is 5. So I need to copy file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.5”

    What is a VLAN ID? How do you know what your VLAN ID is?

  • grace owiny Jul 13, 2011 @ 7:09

    hey, please send me the commands for configuring VLAN on Cisco switches. I am using Packet Tracer, a software, for this. Thanks
