VLANs on Linux

An introduction to VLANs and VLAN trunking, how Linux interacts with VLANs and how you might use them in networks.

Example

The best way to see how VLANs work is by example. Imagine you work for Widgets, Inc. There are about 20 people from several departments working at your location. Ten people work in engineering, two people are in accounting, five people in sales and three people in marketing. Widgets, Inc. currently has a flat network, one in which all the machines are on the same LAN. All of these machines are connected to a Cisco 2924 switch and reside in the 10.0.0.0/24 private network.

Figure 1. Widgets, Inc.'s Private Network

To improve security, you have convinced management to let you segment the network. You already have a Linux firewall running Debian 3.0 facing the Internet, but now you need to extend it to segment the network. The first snag is that you have been given only a minimal budget for the project.

After some consideration, you have decided to separate the inside network into four segments, Sales & Marketing, Accounting, Engineering and a DMZ for your assorted servers, plus a management VLAN. The management VLAN has no workstations associated with it and is used only for the switch's configuration interface.

Figure 2. The Segmented Network

Your existing firewall cannot accommodate three more physical interfaces. You recently read an interesting article about how to use VLANs with Linux, which gives you an idea. With VLANs, the new topology can be implemented with the existing interfaces. In fact, the physical layout of your network doesn't change at all. Using VLANs adds a management network to the mix, bringing the total to five.

Figure 3. The Segmented Network with VLANs

You also have decided to subnet your existing IP addresses for the new segments. Using a subnet mask of 255.255.255.224 gives you plenty of IPs for each segment and leaves you several spare subnets to use later. You already are using DHCP to assign IP addresses, so client reconfiguration is not an issue.

Listing 3. Assigning IP Addresses

Description             VLAN    IP Subnet
Management              1       10.0.0.0/27
DMZ                     2       10.0.0.32/27
Accounting              3       10.0.0.64/27
Engineering             4       10.0.0.96/27
Sales & Marketing       5       10.0.0.128/27

Preparation

Because the network changes here can cause a loss of connectivity, it is important to have everything prepared beforehand. Ensure that your firewall meets the prerequisites above. It also is recommended that you have a serial console connection available before you begin. Obviously, these kinds of changes should be done after business hours.

Preparation is the most important part of a network project, so have everything planned out well in advance: your firewall policy, server configuration, DNS updates and so on. Think about all the functions required for the daily operation of your network, and consider how the changes described here might affect them. For example, reducing the DHCP lease time several days in advance allows the workstations to retrieve their new leases more quickly.

Firewall Configuration

The first step towards the new network configuration is to establish the trunk between the firewall and the switch. On Debian, the vlan package contains the required utilities. Most other distributions also offer a package containing these utilities. Compile and install your kernel as you normally would, and enable 802.1q support (CONFIG_VLAN_8021Q).

The Debian interfaces file, located in /etc/network/interfaces, provides support for creating VLAN interfaces. Each VLAN interface is defined as normal, with the addition of a vlan_raw_device line naming the physical interface that carries the trunk. If your distribution does not support defining VLAN interfaces, you need to have a script define them before network startup. Listing 4 shows a Debian interfaces file, using DHCP to retrieve the IP for the outside interface.

Listing 4. A Debian Interfaces File

auto lo
iface lo inet loopback
auto eth0 eth1 vlan2 vlan3 vlan4 vlan5
iface eth0 inet dhcp

# VLAN 1 - native management VLAN
iface eth1 inet static
        address 10.0.0.1
        netmask 255.255.255.224
        vlan_raw_device eth1

# VLAN 2 - DMZ
iface vlan2 inet static
        address 10.0.0.33
        netmask 255.255.255.224
        vlan_raw_device eth1

# VLAN 3 - Accounting
iface vlan3 inet static
        address 10.0.0.65
        netmask 255.255.255.224
        vlan_raw_device eth1

# VLAN 4 - Engineering
iface vlan4 inet static
        address 10.0.0.97
        netmask 255.255.255.224
        vlan_raw_device eth1

# VLAN 5 - Sales & Marketing
iface vlan5 inet static
        address 10.0.0.129
        netmask 255.255.255.224
        vlan_raw_device eth1

If you were using a distribution other than Debian, you could put lines similar to the ones in Listing 5 in a startup script that runs before network configuration.

Listing 5. Startup Script for Non-Debian Distributions

vconfig add eth1 2
vconfig add eth1 3
vconfig add eth1 4
vconfig add eth1 5

Once the new interfaces are defined, you can bring them up using ifup <device name>. You also need to ifdown and ifup eth1 to set the correct IP and netmask.
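The addressing plan in Listing 3 and the stanzas in Listings 4 and 5 are mechanical enough to be worth checking by script before the after-hours change window, since a mistyped subnet or a duplicate VLAN id is exactly the kind of error that quietly merges two segments you meant to keep apart. The following Python is an added example, not code from the article: it takes the Listing 3 table as a constructed dictionary, verifies that every /27 sits inside 10.0.0.0/24 without overlapping and that every id is in the 802.1Q range, derives the firewall's address on each segment (the first usable host, matching the addresses in Listing 4), lists the spare subnets, and renders both the Listing 4 stanzas and the iproute2 equivalent of Listing 5 (`ip link add ... type vlan`, which has replaced the obsolete vconfig on current kernels). The names PLAN, RAW_DEVICE, NATIVE_VLAN and the function names are this example's own.

```python
"""Sanity-check the Widgets, Inc. VLAN addressing plan and render the interface
configuration from it.  Added example: PLAN, RAW_DEVICE, NATIVE_VLAN and the
function names are this script's own; the values come from Listings 3 and 4."""
import ipaddress

# Listing 3 as a constructed table: VLAN id -> (description, subnet)
PLAN = {
    1: ("Management", "10.0.0.0/27"),
    2: ("DMZ", "10.0.0.32/27"),
    3: ("Accounting", "10.0.0.64/27"),
    4: ("Engineering", "10.0.0.96/27"),
    5: ("Sales & Marketing", "10.0.0.128/27"),
}
PARENT = ipaddress.ip_network("10.0.0.0/24")   # the original flat network
RAW_DEVICE = "eth1"    # inside NIC that carries the trunk (Listing 4)
NATIVE_VLAN = 1        # untagged on the trunk, so it is configured on eth1 itself


def check_plan(plan=PLAN, parent=PARENT):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    nets = {}
    for vid, (name, cidr) in plan.items():
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid} ({name}): id outside the 802.1Q range 1-4094")
        try:
            # strict=True rejects a subnet written with host bits set, e.g. 10.0.0.33/27
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"VLAN {vid} ({name}): {exc}")
            continue
        if not net.subnet_of(parent):
            problems.append(f"VLAN {vid} ({name}): {cidr} is not inside {parent}")
        nets[vid] = net
    vids = sorted(nets)
    for i, a in enumerate(vids):
        for b in vids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b}: subnets overlap")
    return problems


def gateway(vid, plan=PLAN):
    """The firewall's address on a segment: the first usable host (.1, .33, .65, ...)."""
    return str(next(ipaddress.ip_network(plan[vid][1]).hosts()))


def spare_subnets(plan=PLAN, parent=PARENT, new_prefix=27):
    """Blocks of the parent network that the plan leaves free for later use."""
    used = {ipaddress.ip_network(cidr) for _, cidr in plan.values()}
    return [str(s) for s in parent.subnets(new_prefix=new_prefix) if s not in used]


def ifupdown_stanzas(plan=PLAN, raw=RAW_DEVICE, native=NATIVE_VLAN):
    """Render /etc/network/interfaces stanzas in the style of Listing 4."""
    lines = []
    for vid in sorted(plan):
        name, cidr = plan[vid]
        net = ipaddress.ip_network(cidr)
        iface = raw if vid == native else f"vlan{vid}"
        lines += [f"# VLAN {vid} - {name}", f"iface {iface} inet static",
                  f"        address {gateway(vid, plan)}",
                  f"        netmask {net.netmask}"]
        if vid != native:   # only tagged VLANs are bound to the raw device
            lines.append(f"        vlan_raw_device {raw}")
        lines.append("")
    return "\n".join(lines)


def iproute2_commands(plan=PLAN, raw=RAW_DEVICE, native=NATIVE_VLAN):
    """Current replacement for Listing 5: iproute2 instead of the obsolete vconfig."""
    return [f"ip link add link {raw} name {raw}.{vid} type vlan id {vid}"
            for vid in sorted(plan) if vid != native]


if __name__ == "__main__":
    problems = check_plan()
    print("plan OK" if not problems else "\n".join(problems))
    print(ifupdown_stanzas())
    print("\n".join(iproute2_commands()))
    print("spare subnets:", ", ".join(spare_subnets()))
```

Run it as a plain script: it reports any overlap or out-of-range id before printing the stanzas, so a broken plan never reaches the interfaces file. The ip link commands are what you would run as root in place of the vconfig lines of Listing 5; note that iproute2 names the interface eth1.2 rather than vlan2, so adjust the auto line and any iptables rules that match on interface names accordingly.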

Comments

It is just noteworthy that

Anonymous

It is just noteworthy that it is possible that a misconfiguration or a bug could cause the VLAN barriers to be broken.

How much are VLANs used?

Anonymous

How much are VLANs used?
Where can I find statistics about it?
Are VLANs well spread out?

Visibility

Anonymous

Can't we have some way to read an article in a single page?

How to set up and configure a VLAN (what are the minimal requirements)

Anonymous

Thanks for sharing about VLANs. I have been trying to configure VLANs on my PC (Linux), but I am not able to do that.

First thing I want to know is, how to configure the VLAN on the PC alone (not on the switch). My Linux PC works with the kernel's built-in 802.1q driver and an rtl8139 NIC card. Does the NIC driver (8139too) also need to support VLANs?

Second, after configuring two VLANs (eth0.2, eth0.3), how do I send packets specifically via eth0.2 alone, and the same on the receiving side?

Thanks.

How to get the VLAN name

sunil

This article is very helpful.
I am already using a VLAN configuration for my requirement and below are my queries.

I am creating one VLAN for eth0 as below:
vconfig add eth0 x(some vlan id)
I am maintaining the LAN and VLAN with the same IP.

ifconfig eth0.x netmask broadcast up
ifconfig eth0 netmask 0 broadcast 0 up

Now I have to use the LAN name and get the VLAN name.
I have to write an API like: pass the LAN name and get the corresponding VLAN.
Please share your ideas.

VLANs on Catalysts

Anonymous

Hi guys...
I just have a quick question to ask and I'd appreciate it if you answer me on my mail.
Well, my class and I have been working on VLANs, on switches, Catalyst 2900.
The thing is, when I configure a VLAN from the VLAN database and go to the interface, I enter the command Management, because otherwise with the show vlan command it will show that VLAN in the table, but when I do show ip int vlan (name) it says that the protocol is down. And our teacher said that the Management command can make that VLAN operational.
The thing is, that when I configure more than 1 VLAN in the switches, only 1 VLAN can be up and operational, only the one I entered the Management command into the interface for.
Without that command the VLANs don't work... and with that command only 1 can be operational.
Well, if you can help me I'll appreciate it...

Thank you for your time...

VLANs on Linux

Dardo

Hi all,

I have been trying to configure VLANs on my Linux, but I couldn't. This is what I did:

PC 1
ifconfig eth1 0.0.0.0 up
vconfig add eth1 2
vconfig add eth1 3
ifconfig eth1.2 10.0.0.32 netmask 255.255.255.0 up
ifconfig eth1.3 10.0.0.33 netmask 255.255.255.0 up

Then, I connect this eth1 to another interface on another machine (eth1 on 10.0.0.1).

PC 2

ifconfig eth1 10.0.0.1

What I want to do with this configuration is that every frame sent to eth1.2 is tagged with VID = 2 and eth1.3 with VID = 3.

But with Ethereal running on PC 2. I have not seen anything. Besides I have seen frames sent by eth1.2 and eth1.3 with Ethereal in PC 1, but these frames are not tagged.

Can anyone tell me if I am missing something?

Thanks!

A non-subjected comment

DOMIN

I was looking for something useful about VLANs.
A few days ago I heard something about VLANs and I just had to inject this into my local LAN network.
The article is very useful and so much helpful (at least for me).
After all I bought my Cisco Catalyst 2900XL and wanted to configure it with VLANs but actually don't know what.

Thanks in advance to the author of this article, and maybe I will see something more about VLANs, so if someone has some info about VLANs, please mail it to me.

.dominik

802.1q trunking vs. sub-IPs

Jack

What is the advantage and disadvantage of doing VLAN trunking on a single physical NIC vs. assigning sub-IPs to the NIC? I was wondering if we really gain the security & traffic segmentation features of a real VLAN. If we simulate VLAN trunking by sharing a physical NIC, on what level does the OS actually separate the traffic? Or is it still mixed, and only made to look as if there were VLANs?

>What is the advantage and

Marco Vega

>What is the advantage and disadvantage by doing VLAN trunking on a single physical NIC vs. assigning sub-IPs to the NIC?

If you assign several sub-IPs to a NIC connected to a "non-802.1q" switch, then all of the switch's ports are the same and there is only one broadcast domain.

great article

Anonymous

Thanks for this :)

Figures in this article

Anonymous

I cannot view the figures in this article; it would be useful to view them. Has anyone got them?

This article exactly hit the

Anonymous

This article exactly hit the nail on the head! I was able to create a "layer 3 switch" with an unused PC running Linux and an old 3Com SuperStack 3300 switch for our test lab. Surprisingly fast, it's clearly faster than what I suspected (although certainly not as fast as a real L3 switch).

Thanks a million! It really got me going!

VLAN switch connected to Linux gateway

Anonymous

Dear

I did configure the switch to use VLANs and I did connect that switch to a Linux gateway machine.

Must I configure the VLANs on the Linux machine also, OR just on the switch?

Please reply, I need help.

Greetings

Re: VLANs on Linux - basic switch vlan aware

Anonymous

this is an item I just ordered for a client:
http://store.elementsource.com/elementsources/bgfoncol16po.html

* 16 x 10/100Mbps Auto-negotiation, Auto-MDI/MDIX TP ports
* Supports QoS function based on IEEE 802.1p/802.1q port priority, VLAN tag priority and TCP/IP header

Re: VLANs on Linux

Anonymous

How to organize a domain server with the help of a Linux VLAN router.
For instance I have VLANs 2, 3, 4, 5 and I want the traffic from them to be routed into VLAN 10 (the servers' VLAN), but 2, 3, 4, 5 must not touch each other. Help!

Re: VLANs on Linux and Trunk

drp666c

Hi,
Since a switch can have trunk ports that see traffic from all VLANs, is it possible to configure the interface in Linux to see traffic from all VLANs... kinda like a trunk interface?

Thanks

Re: VLANs on Linux and Trunk

BK

Yes, it is possible. You will need to enable the 802.1Q option in the kernel, recompile, and install the vlan package to get the vconfig utility, which enables you to add VLAN interfaces.

VLANs on Linux

anwar

Yes, I enabled the 802.1Q option in the kernel, recompiled, and installed the vlan package to get the vconfig utility, which enables adding VLAN interfaces.

I have one question:
can I get the VLAN id through SNMP commands?
If yes, what is necessary to be installed,
and what is the command?

Please mail me the solution.

With regards,
Anwar

VLANs on Linux

Anonymous

Having no previous knowledge about vlans or switch configuration and being suddenly tasked with setting up multiple vlans on a switch configured from a single ethernet connection on a debian system, I found this article invaluable. Thanks.

Re: VLANs on Linux

Anonymous

If we create a VLAN interface
vconfig add eth1 2
and not give it an IP address, is it possible to create a script which would manage network traffic for VLAN2?
For example, would this command work:
iptables -A FORWARD -i vlan2 -j DROP

Thanks

Did you manage to use the

Anonymous

Did you manage to use the VLAN without configuring it? I've encountered a similar problem. In earlier sysconfig, simply creating VLANs using 'vconfig add' would've configured them as well, inheriting the values from the physical interface. They also used to show up using 'ifconfig'.

But now that vconfig has moved into the vlan package, this is no more true. Now one has to configure it separately in order to see it using 'ifconfig', otherwise it'll not show up in 'ifconfig', though 'ifconfig -a' will show it.

Any pointers on this would be a great help.

Outstanding issues with VLANs on Linux

Anonymous

Linux does not support VLANs over anything but physical Ethernet cards. No aggregate links or the bridge device, either of which would be a huge win for building fault-tolerant routers.

Hardware VLAN tagging/untagging was not supported last time I checked (a huge difference on GbE or 10GbE).

iptables hasn't figured out quite how to deal with VLANs (although last I heard there was a module in the works).

Outstanding issues with VLANs on Linux

Anonymous

What about GVRP? Does the linux vlan implementation include support for GVRP?

Re: Outstanding issues with VLANs on Linux

Anonymous

use cisco

Re: VLANs on Linux - Still Cloudy

Anonymous

Still a little cloudy if this is necessary all the time when using all Linux workstations on a network. For instance, you have two switches linked together to share various VLANs (i.e. VLAN 1 and VLAN 2 have ports on both switches) and you have 2 physical LANs with different network addresses. Physical LAN 1 is part of VLAN 1 and physical LAN 2 is part of VLAN 2. Both physical LANs are connected to a router (a Linux box with 2 Ethernet cards) via the switches. With this setup isn't all this transparent to the Linux workstations? If you want to talk to the other VLAN or physical network it would go to the router. In this scenario you would not need to do all the configuration mentioned in the article? The reason I ask is that we need to mix and match fiber and copper. The above scenario would enable us to share the switches between the physical LANs. We would not be required to use two switches for each LAN (one copper, one fiber). Also, it would still maintain separate broadcast domains for the physical LANs. Am I way off base?

Re: VLANs on Linux

Anonymous

I had 3c905C card on my RH9 Linux box. I made 2 VLAN and http traffic stopped. Before this everything worked fine. I tried to change cards and so on. I fixed it only when removed the 3c905 card and installed DFE-538TX card. It seemed 3c905 driver has some bugs. I guess it is a bug of assigning or management MTU.

Red Hat/Fedora VLAN support

Anonymous

The article states that Red Hat/Fedora does not support VLAN setup on boot. This is incorrect.

VLAN support has been in Red Hat Linux since version 9 and is included in Fedora.

Documentation on configuring it is available in the file sysconfig.txt, which is included in the initscripts RPM (i.e. less `rpm -ql initscripts|grep sysconfig.txt`).

Re: Red Hat/Fedora VLAN support

Anonymous

Thank you for noticing this. I had looked for Red Hat support but hadn't found it until you pointed it out.

For those of you using Red Hat or Fedora, I'm including the configuration for the VLAN2 interface in the example. This would be placed in the /etc/sysconfig/network-scripts/ifcfg-eth1.2 file.

DEVICE=eth1.2 # eth1 is the interface and .2 is the VLAN id
IPADDR=10.0.0.33
NETMASK=255.255.255.224
VLAN=yes
ONBOOT=yes
BOOTPROTO=none

The RedHat scripts always configure VLAN interfaces using the device and the VLAN ID without padding, which differs from the article. The interface created above would be eth1.2 rather than vlan2.

Paul Frieden

Re: Red Hat/Fedora VLAN support

Anonymous

Actually, on Fedora/RHEL3/RH9, add to /etc/sysconfig/network
VLAN=yes

Having the Ethernet driver patched to support 1504 MTUs, the normal eth interfaces had to have their MTU capped to 1500... To do that, add MTU=1500 to /etc/sysconfig/network-scripts/ifcfg-ethX and MTU=1504 to the ifcfg-ethX.X.

My two cents
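The MTU numbers in this reply, and Dardo's question further up about frames that leave eth1.2 without a tag, both come down to the 4-byte 802.1Q header inserted between the MAC addresses and the ethertype. The Python below is an added example, not code from the article or from any commenter: it builds a constructed untagged frame, tags it with a VID, parses the result (TPID 0x8100, then a 16-bit TCI holding 3 priority bits, the DEI bit and a 12-bit VID), strips the tag again, and works out why a raw device has to accept 1504 bytes for a tagged VLAN interface to carry a full 1500-byte IP packet. The helper names and the sample frame are this example's own; vid_histogram is the kind of check you would run over frames pulled from a capture to confirm which VIDs actually appear on the wire, which is how you would tell a tagging problem on the sender from a display problem on the receiver.

```python
"""Build, parse and strip 802.1Q tags on Ethernet frames.  Added example with
constructed sample data; it is not code from the article or the comments."""
import struct

TPID_8021Q = 0x8100   # ethertype value that announces a VLAN tag
ETH_HDR = 14          # dst MAC (6) + src MAC (6) + ethertype (2)
TAG_LEN = 4           # TPID (2) + TCI (2), inserted after the MAC addresses


def parse_frame(frame):
    """Split a frame into its fields; vid/pcp/dei are None when there is no tag."""
    if len(frame) < ETH_HDR:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = dei = None
    offset = ETH_HDR
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR + TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # 3 priority bits
        dei = (tci >> 12) & 1      # drop eligible indicator
        vid = tci & 0x0FFF         # 12-bit VLAN id
        offset = ETH_HDR + TAG_LEN
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "dei": dei,
            "ethertype": ethertype, "payload": frame[offset:]}


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag; the frame grows by exactly TAG_LEN bytes."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Remove the outer 802.1Q tag if present, otherwise return the frame unchanged."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[12 + TAG_LEN:]


def payload_room(raw_mtu, tagged):
    """Bytes left for the IP packet once the tag is taken out of the raw device's MTU.
    At a raw MTU of 1500 a tagged interface carries only 1496; the driver must
    accept 1504 for the VLAN interface to carry a full 1500-byte packet."""
    return raw_mtu - TAG_LEN if tagged else raw_mtu


def vid_histogram(frames):
    """Count frames per VID (None = untagged), e.g. over frames read from a capture."""
    counts = {}
    for f in frames:
        vid = parse_frame(f)["vid"]
        counts[vid] = counts.get(vid, 0) + 1
    return counts


# Constructed sample: broadcast dst, a locally administered src MAC, IPv4
# ethertype, and a 20-byte placeholder payload standing in for an IP header.
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("02005e000001")
                   + struct.pack("!H", 0x0800) + b"\x45" + bytes(19))

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, 2)
    print(parse_frame(tagged))
    print(len(SAMPLE_UNTAGGED), "->", len(tagged), "bytes after tagging")
    print("tagged payload room at raw MTU 1500:", payload_room(1500, True))
    print(vid_histogram([SAMPLE_UNTAGGED, tagged, tag_frame(SAMPLE_UNTAGGED, 3)]))
```

To apply vid_histogram to real traffic, feed it the raw frames of a capture taken on the raw device (eth1, not eth1.2), since a capture on the VLAN interface itself only ever sees already-untagged frames. A histogram with nothing but None on the trunk side means the tag is missing on the wire, which points at the sending host's driver or configuration rather than at the switch.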

Re: Red Hat/Fedora VLAN support

Anonymous

does this also work in fedora core 2?

jason

Article lacks important details

Anonymous

Namely, details of using iptables with the defined vlan interfaces. Can you treat them as physical interfaces with iptables? Does each vlan have an INPUT chain? Etc..

- cameron

Re: Article lacks important details

Anonymous

VLAN interfaces behave exactly as normal physical interfaces do in iptables. You can specify them for rules as incoming (-i) and outgoing (-o) interfaces.

I haven't had any issues with VLAN interfaces behaving differently than normal interfaces do in any of my deployments. I do know that in the past there were some issues with DHCP, but I have never had any problems with it myself.

Paul Frieden

Several things to note.

Anonymous

The Linux kernel, at least, can handle VLANs on 10bt interfaces, though it is likely you would have MTU issues on really ancient NICs.

Very cheap unmanaged switches can also pass VLANs, though you will not necessarily get the benefits of broadcast domain restriction. For just playing with the technology, however, it is fine.

Some known good drivers include tg3, e100, e1000.
At one time, the rtl8139 also worked out of the box but I haven't tested it lately.

There are patches to various drivers found on this page:
http://www.candelatech.com/~greear/vlan/howto.html

Enjoy,
Ben Greear

Re: VLANs on Linux

Anonymous

Excellent article!

I appreciate the info on how to configure the switch to properly trunk to the Linux box as well as the clear introduction and examples.

I may pull that old 2900 out of the closet and actually play with this.

Re: VLANs on Linux

Anonymous

I'm terribly sorry but this was a crappy article. Understanding how to configure interfaces is done in two seconds. The MTU issues are a big problem that you wrestle with for much longer. Until recently (or does it still apply?) you had to patch your Ethernet interface drivers manually in the kernel to adjust the maximum MTU size.

Also you have to adjust your ruleset to accommodate the larger packets. Then some drivers are buggy and will crash when you increase the MTU above the standard 1500 (not to speak of crappy Taiwanese D-Link switches that lock up from time to time).

All this is skimmed through with one sentence that it "could be issues". You might say that, yes.

Re: VLANs on Linux

Anonymous

I disagree with your criticism of the article. He did adequately address the issue of limited/buggy Linux Ethernet drivers (though a link to a more in-depth resource, perhaps a Wiki page where various kernel hackers list links to their patches, would be nice).

Noting that some cheap Ethernet equipment might also choke when connected to a trunk line would be nice, but is also above and beyond the call of this article.

As for how trivial the interfaces are to set up, configure and use --- that's the core of the article. I teach professional sysadmin courses, and compile kernels for breakfast (well, usually I start them before I go to bed, actually).

I've been seeing the VLAN 802.1q patch available for years and was vaguely familiar with VLANs from working alongside Cisco networks on numerous occasions. However, I'd never used the VLAN features, didn't know about the 'vconfig' command, wouldn't have known that the vlan* interfaces needed to be bound to their physical interfaces with it, and generally would have had to hunt around a bit to find that info.

This article introduced the concept well, and gave me enough info that I could fire up an old Cisco 2900 switch I have laying around and play with the functionality with no fuss. (Well, no fussing on the Linux side; I have no idea what state that 2900 is in and how I would fix it up; it's on permanent loan from a friend).

It's one of the best articles I've seen recently. I like the fact that he covers the basics of using Cisco IOS or is it CatOS for the other side of this effort; stressing how the switch must talk to the Linux box in trunk mode, and giving examples of setting up the other ports as well.

Re: VLANs on Linux

Anonymous

I absolutely agree with the reply to the original post. This was not intended to be an in-depth article on VLANs but an introductory one to help a user new to VLANs quickly set up to use them. I found it helpful in answering some questions I had, since this just came up at work, e.g. can I trunk a Linux box to a Cisco 3550 or do I need to buy another switch.

All in all a great starter article for anyone interested in getting started using VLANs. BTW he does throw in some caveats regarding NIC drivers and MTU.

Thanks for the article!

Re: VLANs on Linux

Anonymous

I understand the benefits of VLANs, but I'm not quite sure what the purpose of configuring VLANs at the OS level is. Could you explain the purpose or benefit of configuring VLANs on Linux? Why would you need to do it if you already configured VLANs in your switch?

Thanks.

Re: VLANs on Linux

Anonymous

Need some more detailed information, e.g. router, iptables.

Re: VLANs on Linux

Anonymous

We use it for management. The public addresses of our servers only do serving; there is no management (ssh, for example) on these addresses. Instead we use a separate LAN for management access. We could put a separate NIC in each server, but it is much easier to just add a VLAN on eth0.

Our management VLAN is tagged throughout the network, so for me to get access to it, my workstation needs to support VLANs too. My eth0 is configured like any other user's, but then I also have an eth0.2 configured, which happens to be our management VLAN.

The switch is configured to allow VLAN 2 only on the switch port where I sit, not on everybody else's. So normal users simply can't have access to VLAN 2. So there is no way they can even connect to an open port 22.

BTW we use Extreme Summit200 switches, and I like their syntax:
create vlan users
config users tag 10
config users ipaddress 192.168.1.1/24
config users add ports 1-24

create vlan management
config management tag 2
config management ipaddress 192.168.0.1/24
config management add ports 18 tagged

Simon

Re: VLANs on Linux

Anonymous

If you want to have a big NFS server directly on two or more subnets (without routing traffic through the FW).

Re: VLANs on Linux

Anonymous

You'd do it when you want your Linux box on the trunk line to be a router from one VLAN to another, and perhaps even to run a Snort or Prelude IDS or other NIDS (network intrusion detection system) on one or more of the VLANs.

I personally prefer separate switches or hubs when I can --- especially for the DMZ and server room segments. However, VLANs become important at a certain scale (as do manageable, SNMP switches).

Re: VLANs on Linux

Anonymous

To route packets between VLANs (applying firewall rules in the process). Using virtual interfaces instead of physical ones is (obviously) a lot cheaper, provided that your switch is intelligent enough.

Re: Vlan configuration

Anonymous

I have a Linux box and am planning to configure a VLAN .. Please tell me how to configure a VLAN in that linux box
