VLANs on Linux
Linux has long been able to connect to VLAN trunks with a kernel patch, and the functionality was integrated into the mainstream kernel in 2.4.14. Kernel 2.6 also supports VLAN trunking.
In order to use 802.1q trunking, simply set the CONFIG_VLAN_8021Q option when configuring your kernel. Depending on what Ethernet card you have, you may need to patch the driver to make VLANs work correctly. This process is discussed in greater detail later in the article.
As mentioned earlier, 802.1q works by tagging each frame with a 4-byte VLAN identifier. However, some Ethernet drivers assume the maximum frame size is 1,500 bytes. The addition of the 4-byte tag does not leave as much room for data. Thus, although small packets are sent and received correctly, large packets fail. The solution is either to drop the MTU of the VLAN device or to correct the assumptions of the driver.
Patches are available on the Linux VLAN Web site for a variety of cards (see Resources). Several drivers work correctly out of the box (or tar.gz, as the case may be), including the e100 driver for Intel-based cards.
Configuring VLANs under Linux is a process similar to configuring regular Ethernet interfaces. The main difference is you first must attach each VLAN to a physical device. This is accomplished with the vconfig utility. If the trunk device itself is configured, it is treated as native. For example, these commands define VLANs 2-4 on device eth0:
vconfig add eth0 2 vconfig add eth0 3 vconfig add eth0 4
The vconfig program can set a variety of other options, including device-naming conventions. Hereafter, these are assumed to be at their defaults.
Once the virtual interfaces are defined, they can be used in the same way as other interfaces. The standard utilities, such as ifconfig and route, all accept VLAN interfaces and behave as expected. For example, all VLAN interfaces can be listed with ifconfig -a.
Depending on your distribution, support may be available for automatically configuring VLANs on startup. Debian 3.0 or greater supports this support, but Red Hat and Fedora currently do not. For other distributions, you simply need to write a script that executes vconfig prior to the main network startup scripts.
Because the configuration interfaces for different brands of switches all are different, the focus of this section is the common Cisco 2924. All switch configurations are from this model but should work with little change on other IOS-based switches. A variety of configuration commands are related to trunking, but only the most basic are covered here. The samples also assume the ports all have a default configuration. Specifically, this means all ports are configured as access ports in VLAN 1.
This article focuses on the Linux side of the configuration, so only a basic explanation of the switch commands are given. Listing 1 is a configuration fragment that could be entered into a Cisco Catalyst 2924 switch. See Resources for URLs to complete documentation of these commands.
Listing 1. Configuring a Cisco Catalyst 2924 Switch
interface FastEthernet 0/1 switchport mode trunk switchport trunk encapsulation dot1q switchport trunk native vlan 1 interface FastEthernet 0/2 switchport access vlan 2
The commands here are fairly self explanatory if you are familiar with the VLAN terminology presented earlier. Briefly, the first section converts the first port into a trunk running 802.1q encapsulation with native VLAN 1. The second section simply moves port 2 into VLAN 2.
It is important to see how VLANs are configured and operating on the switch. The first task is to see the status of a particular port. This can be done with show interfaces <interface> switchport command.
Listing 2. show interfaces <interface> switchport
#show interfaces FastEthernet 0/1 switchport Name: Fa0/1 Switchport: Enabled Administrative mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: Disabled Access Mode VLAN: 0 ((Inactive)) Trunking Native Mode VLAN: 1 (VLAN0001) Trunking VLANs Enabled: ALL Trunking VLANs Active: 1-5 Pruning VLANs Enabled: 6-1001 ...
Probably the most useful command is the show vlan command. It shows you a table indicating which ports are in which VLANs.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Devuan Beta Release
- May 2016 Issue of Linux Journal
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The US Government and Open-Source Software
- The Humble Hacker?
- The Death of RoboVM
- BitTorrent Inc.'s Sync
- Open-Source Project Secretly Funded by CIA
- New Container Image Standard Promises More Portable Apps
- AdaCore's SPARK Pro
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide