In this detailed tutorial, we are going to learn what VLAN tagging is, its advantages and use cases, and how to configure VLAN tagging in Linux operating system.
Configuring VLAN tagging in Linux involves creating virtual LANs, assigning VLAN IDs, and configuring IP addresses as needed. We will see how to do that in three different ways in the upcoming sections. But before that, let us understand what is VLAN tagging, its advantages and modes.
Table of Contents
What is VLAN Tagging?
Virtual LAN (VLAN) tagging is a networking technology that allows you to logically divide a physical network into multiple virtual networks, or VLANs.
VLAN tagging adds a special tag to the Ethernet frames at the data link layer (Layer 2) to identify which VLAN a particular frame belongs to. This tagging enables you to segregate network traffic and improve network security, efficiency, and manageability.
To put this in layman terms, Imagine you have a big house with many rooms, and you want to divide the house into different sections for different purposes.
For example, you might have a living room for everyone to hang out in, a kitchen for cooking, a bedroom for sleeping, and a bathroom for taking baths.
In a similar way, VLAN tagging is like dividing a large computer network into smaller, more manageable sections. It's like creating virtual rooms within your house.
Each VLAN is like a separate room, and devices within the same VLAN can communicate with each other easily, but devices in different VLANs cannot communicate directly.
VLAN tagging is a powerful networking technology that can help to improve network security, performance, and flexibility. It is a widely used technology in a variety of networks, from small businesses to large enterprises.
VLAN Tagging Advantages
Why would you want to do this? There are several reasons:
- Network Segmentation: VLANs are used to logically segment a physical network into smaller, isolated networks. For example, you can separate the HR department's traffic from the Sales department's traffic to enhance security and manageability.
- Broadcast Control: By dividing a network into VLANs, broadcast traffic is contained within each VLAN, reducing the overall broadcast domain size and network congestion.
- Quality of Service (QoS): VLANs can be used to prioritize certain types of traffic (e.g., voice or video) by assigning different QoS policies to each VLAN.
- Guest Networks: In a corporate environment, you can create a separate VLAN for guest devices to isolate them from the internal network.
- Isolation: VLANs can be used to isolate specific devices or services, such as IP cameras, IoT devices, or network servers.
Where Do We Configure VLAN Tagging?
Here are some examples of how VLANs are used in real-world networks:
- In a school or a college, VLANs might be used to separate the network for students, teachers, and administrators. This could help to protect student data and prevent unauthorized access to administrative systems.
- In a hospital, VLANs might be used to separate the network for patient records, medical devices, and administrative staff. This could help to protect patient privacy and ensure that critical medical devices are not affected by network traffic.
- In a corporate office, VLANs might be used to separate the network for different departments, such as sales, marketing, and finance. This could help to improve network security and prevent unauthorized access to sensitive data.
VLAN Tagging Vs. Assigning Multiple IP Addresses to a Single NIC
VLAN tagging is not exactly the same as assigning multiple IP addresses to a single network interface.
VLAN tagging is a way of dividing a single network into multiple virtual networks, each with its own broadcast domain. This is done by adding a VLAN tag to each Ethernet frame, which identifies the VLAN to which the frame belongs. VLAN tagging is a Layer 2 technology, which means that it operates at the same level as the Ethernet protocol.
Assigning multiple IP addresses to a single network interface, on the other hand, is a Layer 3 technology. This is done by configuring the network interface with multiple IP addresses, each of which belongs to a different subnet. This allows the interface to communicate with devices on multiple networks.
The two technologies are often used together to create a secure and flexible network environment. For example, a company might use VLANs to divide its network into different departments, and then assign multiple IP addresses to each network interface to allow devices to communicate with multiple departments.
Here is a table that summarizes the key differences between VLAN tagging and assigning multiple IP addresses to a single network interface:
Feature | VLAN Tagging | Assigning Multiple IP Addresses |
---|---|---|
Layer | 2 | 3 |
Purpose | Divide a single network into multiple virtual networks | Allow a device to communicate with multiple networks |
Implementation | Add a VLAN tag to each Ethernet frame | Configure the network interface with multiple IP addresses |
In summary, while both VLAN tagging and multiple IP assignments enhance network capabilities, they do so in different ways and for different purposes.
VLAN tagging is more about internal network organization and security, while assigning multiple IPs to a single interface is about how a device interfaces with and is accessible on a network.
Hope you got the basic understanding about VLAN tagging, its use cases and advantages.
VLAN Tagging Methods
- 802.1Q VLAN Tagging: This is the most common method of VLAN tagging. It adds a 4-byte tag to Ethernet frames, indicating the VLAN ID. Most managed switches and network devices support this standard.
- ISL (Inter-Switch Link) Tagging: An older tagging method primarily used by Cisco switches. It encapsulates Ethernet frames with an ISL header.
1. Configure VLAN Tagging with Netplan
Netplan is a YAML-based network configuration utility used in many Linux distributions, including Ubuntu. Netplan is used to configure IP addresses for network interfaces, including VLAN tagging. To configure VLAN tagging with Netplan, follow these steps:
Step 1 - Check if VLAN Module is loaded
To check if the VLAN module (8021q
) is loaded on a Linux system, you can use the lsmod
command, which lists loaded kernel modules. Open a terminal and run the following command:
$ lsmod | grep 8021q
If the VLAN module is loaded, you will see output that includes "8021q." If you don't see any output, it means the module is not loaded.
If you find that the VLAN module is not loaded, you can load it manually using the modprobe
command:
$ sudo modprobe 8021q
After running this command, the module should be loaded, and you can check its status again using lsmod | grep 8021q
. If it's loaded, you'll see the module listed in the output.
To ensure that the VLAN module (8021q
) is loaded automatically at boot time on a Linux system, you can add it to the list of kernel modules that should be loaded during the boot process.
For example, to add it to /etc/modules
, run:
$ echo '8021q' | sudo tee -a /etc/modules
This will add "8021q
" to the list of modules that are automatically loaded during system startup.
After completing these steps, the VLAN module should be loaded and available for configuring VLANs on your Linux system. You can proceed with creating VLAN sub-interfaces and configuring VLAN tagging as needed.
Step 2 - Edit the Netplan Configuration File
Netplan configuration files are typically located in the /etc/netplan/
directory and end with a .yaml
extension.
You may already have a configuration file there. If not, you can create one. Use a text editor, such as nano
or vim
, to edit the configuration file:
$ sudo nano /etc/netplan/01-netcfg.yaml
Replace 01-netcfg.yaml
with your own configuration file.
Step 3 - Define VLAN Configuration
In the Netplan configuration file, define the VLAN interface by specifying its name, parent interface (the physical interface that the VLAN will be associated with), and the VLAN ID.
Here's an example YAML configuration:
network: version: 2 renderer: networkd ethernets: ens18: dhcp4: no addresses: - 192.168.1.40/24 routes: - to: default via: 192.168.1.101 nameservers: addresses: [8.8.8.8, 8.8.4.4] vlans: vlan10: id: 10 link: ens18 addresses: [192.168.10.2/24]
In the above configuration file, replace the network settings that matches to your own configuration.
ens18
: Replace with the name of your physical network interface.vlan10
: Replace with a name for your VLAN.id: 10
: Replace with your desired VLAN ID.link: ens18
: Specify the physical interface to associate the VLAN with.addresses
: Set the IP address and subnet mask for the VLAN.
You can also define multiple VLANs as shown in the following configuration. Just make sure you have used an unique name and IP address for each VLAN.
Important:
Proper line indentation in Netplan YAML configuration files is crucial for readability and correctness. YAML uses spaces to represent data structure, so consistent and clear indentation is essential.
- Use spaces (not tabs) for indentation.
- Maintain consistent spacing throughout your configuration.
- Leave a space after colons to separate keys from values or blocks.
- Proper indentation enhances readability, minimizes errors, and makes network configuration files easier to manage.
Step 4 - Apply the Configuration
Save the changes to the Netplan configuration file and exit the text editor. Then, apply the configuration using the netplan
command:
$ sudo netplan apply
This command will apply the new network configuration, including the VLAN setup.
Step 5 - Verify the Configuration
You can verify that the VLAN interface has been created and is functioning correctly using the ip
command:
$ ip addr show vlan10 $ ip link show vlan10
Replace 'vlan10
' with your VLAN interface name. These commands should display information about the VLAN interface and its IP configuration.
That's it! You have configured VLAN tagging using Netplan. Make sure to adapt the configuration to your specific network setup, including the VLAN ID, IP address, and physical interface name as needed.
Step 6 - Delete VLAN
To delete a VLAN interface, simply remove the corresponding section for the vlan in the Netplan configuration file.
It's a good practice to make a backup of the Netplan configuration file before making changes. This way, if anything goes wrong, you can easily revert to the original configuration.
$ sudo cp /etc/netplan/01-netcfg.yaml /etc/netplan/01-netcfg.yaml.backup
Now, open the Netplan configuration file with a text editor:
$ sudo nano /etc/netplan/01-netcfg.yaml
Locate the section for the VLAN you want to delete. It will be a subsection under vlans:
and will look something like this:
vlans: vlan10: id: 10 link: eth0 addresses: [192.168.10.2/24]
Remove the entire section for the VLAN. Save and close the file.
Apply the changes by running:
$ sudo netplan apply
Ensure that the VLAN has been successfully removed by checking your network interfaces:
$ ip a
The VLAN interface (e.g., vlan10) should no longer be listed.
2. Configure VLAN Tagging using nmcli Command
To configure VLAN tagging with nmcli
(NetworkManager Command-Line Interface) on a Linux system, follow these steps:
Step 1 - Check if VLAN Module is loaded
To verify if the VLAN module (8021q
) is loaded in Linux, you can use the lsmod
command, which lists loaded kernel modules. Here's how to check if the VLAN module is loaded:
Open a terminal and run the following command:
$ lsmod | grep 8021q
If the VLAN module is loaded, you will see output that includes "8021q." If you don't see any output, it means the module is not loaded.
If you find that the VLAN module is not loaded, you can load it manually using the modprobe
command:
$ sudo modprobe 8021q
After running this command, you can check its status again using lsmod | grep 8021q
. If it's loaded, you'll see the module listed in the output.
To make the VLAN module (8021q
) load persistently during system boot on a Linux system, you can follow these steps:
Determine which configuration file is used to specify modules for automatic loading during system boot. The location of this file can vary based on your Linux distribution.
For Red Hat/CentOS:
The file is typically /etc/modules-load.d/modules.conf
.
For Ubuntu/Debian:
Create a custom .conf
file in the /etc/modules-load.d/
directory.
Open the configuration file using a text editor with administrative privileges (e.g., sudo nano
or sudo vi
).
In the configuration file, add a line to specify the VLAN module (8021q
) that you want to load at boot. For example:
8021q
Save the file after adding this entry.
Apply the Configuration:
After editing the configuration file, you may need to apply the changes. On some systems, this is done automatically during boot. However, you can manually apply the changes using the systemctl
command:
For Red Hat/CentOS:
$ sudo systemctl restart systemd-modules-load
For Ubuntu/Debian:
$ sudo systemctl restart systemd-modules-load.service
Verify the Module Loading:
To ensure that the VLAN module is loaded at boot, you can check its status using the lsmod
command or verify the system logs for any related messages.
$ lsmod | grep 8021q
If the module is listed in the output, it means it was loaded successfully during the boot process.
By following these steps and configuring the VLAN module to load persistently, you ensure that the module is automatically loaded each time the system boots up, and you won't need to load it manually.
Step 2 - Check NetworkManager Service
Ensure that NetworkManager is installed and running on your system. You can check the status of NetworkManager using the following command:
$ systemctl status NetworkManager
If it's not installed or running, you can install and start it using your distribution's package manager (e.g., apt
on Debian/Ubuntu or yum
on CentOS/RHEL).
Step 3 - Identify the Parent Interface
Identify the physical network interface that you will use as the base for your VLAN. You can list all available network interfaces using the following command:
$ nmcli device status
Sample Output:
DEVICE TYPE STATE CONNECTION ens18 ethernet connected Wired connection 1 lo loopback unmanaged --
Look for the interface that you want to use, such as ens18
.
Step 4 - Create VLAN Connection
Next, you create a VLAN interface. For this example, let's assume you want to create a VLAN with ID 10 on eth0
.
$ sudo nmcli con add type vlan con-name vlan10 ifname vlan10 dev ens18 id 10
con-name vlan10
is the name you give to this connection.ifname vlan10
is the name of the VLAN interface.dev ens18
specifies the parent interface.id 10
is the VLAN ID.
Step 5 - Assign IP Configuration to the VLAN Interface
Now, assign an IP address, gateway, and DNS to the VLAN interface.
For example:
$ sudo nmcli connection modify vlan10 ipv4.addresses 192.168.10.2/24 $ sudo nmcli connection modify vlan10 ipv4.gateway 192.168.10.1 $ sudo nmcli connection modify vlan10 ipv4.dns 8.8.8.8 $ sudo nmcli connection modify vlan10 ipv4.method manual
In the above commands, replace the network settings with your own.
- Replace
192.168.10.2/24
with your desired IP address and subnet. - Replace
192.168.10.1
with your gateway IP. 8.8.8.8
is an example DNS server (Google's public DNS).
Step 6 - Activate the Connection
Activate the VLAN connection using the following command:
$ sudo nmcli connection up vlan10
Replace VLAN10
with the name of your VLAN connection.
Step 7 - Verify Configuration
You can use nmcli
to verify the configuration:
$ nmcli connection show vlan10
This command will display details about the VLAN connection, including its status and configured properties.
Step 8 - Modifying/Deleting VLAN
You can modify settings using nmcli con modify
command. To delete the VLAN. for example vlan10, the command would be:
$ sudo nmcli con delete vlan10
That's it! You have configured VLAN tagging using nmcli
on your Linux system. Be sure to adapt the configuration to your specific network setup and requirements, including IP addresses, gateway, and DNS settings.
3. Configure VLAN Tagging using ip Command in Linux
Step 1 - Check if VLAN Module is loaded
To ensure that the VLAN module (802.1Q) is loaded on your Linux system, you can follow these steps:
To check whether the VLAN module is already loaded, you can use the lsmod
command, which lists loaded kernel modules. Open a terminal and run:
$ lsmod | grep 8021q
Sample Output:
8021q 45056 0 garp 20480 1 8021q mrp 20480 1 8021q
If you see output that includes "8021q," it means the VLAN module is already loaded.
If the lsmod
command doesn't show the 802.1Q module, you can load it manually using the modprobe
command. Open a terminal and run:
$ sudo modprobe 8021q
This command will load the VLAN module into the kernel. If you don't see any error messages, the module should be successfully loaded.
To ensure that the VLAN module is loaded automatically at boot time, you can add it to the /etc/modules
file or create a configuration file in the /etc/modules-load.d/
directory. For example, to add it to /etc/modules
, run:
$ echo '8021q' | sudo tee -a /etc/modules
This will add "8021q
" to the list of modules that are automatically loaded during system startup.
Step 2 - Check Network Interface Names
Before configuring VLAN tagging, you should find the names of the network interfaces.
You can use the ip link show
or ifconfig
commands to list the available network interfaces. Typically, these interfaces have names like enp0sX
or, ensX
or, ethX
.
$ ip link show
Sample Output:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff altname enp0s18
As you see in the output above, there is one network interfaces named ens18
.
Step 3 - Creating VLAN Sub-interfaces
Use the ip
command to create VLAN sub-interfaces for your physical network interface. Replace with the name of your physical interface (e.g., ens18
) and with the desired VLAN ID.
$ sudo ip link add link ens18 name vlan10 type vlan id 10
$ sudo ip link add link ens18 name vlan20 type vlan id 20
Step 4 - Configure IP Addresses
Assign IP addresses to the VLAN sub-interfaces.
$ sudo ip addr add 192.168.10.2/24 dev vlan10
$ sudo ip addr add 192.168.20.2/24 dev vlan20
Step 5 - Enable VLAN Interfaces
$ sudo ip link set dev vlan10 up
$ sudo ip link set dev vlan20 up
Similarly, you can configure as many as VLANs you require for your setup.
Step 6 - Verify VLAN IP Addresses
Use the ip
command to verify if the IP addresses for the VLANs are configured correctly.
$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff altname enp0s18 inet 192.168.1.40/24 brd 192.168.1.255 scope global noprefixroute ens18 valid_lft forever preferred_lft forever inet6 fe80::bfcf:b9d3:60de:af1b/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: vlan10@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff inet 192.168.10.2/24 scope global ens18.10 valid_lft forever preferred_lft forever inet6 fe80::6c26:bff:fe8e:338c/64 scope link valid_lft forever preferred_lft forever 4: vlan20@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff inet 192.168.20.2/24 scope global ens18.20 valid_lft forever preferred_lft forever inet6 fe80::6c26:bff:fe8e:338c/64 scope link valid_lft forever preferred_lft forever
As you see in the above output, I have created two VLANs namely vlan10
and vlan20
with IP addresses 192.168.10.2/24
and 192.168.20.2/24
respectively.
You can also use ip addr show
command to only view a specific VLAN's IP address. For instance, to show the IP address of vlan10
, run:
$ ip addr show vlan10 3: vlan10@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff inet 192.168.10.2/24 brd 192.168.10.255 scope global noprefixroute ens18.10 valid_lft forever preferred_lft forever inet6 fe80::6c26:bff:fe8e:338c/64 scope link valid_lft forever preferred_lft forever
Frequently Asked Questions
Here's a FAQ (Frequently Asked Questions) about VLAN tagging:
A: VLAN tagging is a networking technology that allows you to logically divide a physical network into multiple virtual networks, or VLANs. It adds special tags to Ethernet frames to identify which VLAN a particular frame belongs to.
A: VLAN tagging serves several purposes, including network segmentation, traffic isolation, broadcast control, quality of service (QoS) prioritization, and improved network security.
A: VLAN tagging adds a 4-byte tag to Ethernet frames at the data link layer (Layer 2) to indicate the VLAN ID. Network devices use this tag to determine which VLAN the frame belongs to.
A: Yes, you can assign IP addresses from different classes within the same VLAN. VLANs are not dependent on IP address classes, and you can use any IP address range with an appropriate subnet mask.
A: No, devices in different VLANs do not communicate with each other by default. VLANs are isolated from each other, and communication requires a router or Layer 3 device to route traffic between them.
A: To configure VLAN tagging in Linux, you can use tools like ip
command or configuration files like Netplan. You'll create VLAN sub-interfaces on a physical interface, assign VLAN IDs, and configure IP addresses as needed.
A: Yes, most managed switches support VLAN tagging. You can configure VLANs, assign ports to VLANs, and set up VLAN trunking on managed switches to facilitate VLAN communication.
A: VLAN tagging creates separate virtual networks with distinct VLAN IDs, while multiple IP addresses on a single interface involve assigning multiple IP addresses within the same network or subnet. VLAN tagging offers better traffic isolation and security.
A: You can check if the VLAN module is loaded using the lsmod | grep 8021q
command. If you see "8021q" in the output, the module is loaded; otherwise, you may need to load it manually.
A: To ensure automatic loading of the VLAN module at boot, add it to the appropriate configuration file for your Linux distribution. For example, in Ubuntu, you can add it to /etc/modules-load.d/
.
Conclusion
In this comprehensive guide, we discussed three ways to configure VLAN tagging in Linux operating systems.
In Linux networking, VLAN tagging is an useful technique that allows you to create isolated virtual networks within a single physical network. This segregation improves security, simplifies network management, and enhances overall network efficiency.
Whether you're managing a home network or a complex enterprise environment, understanding and implementing VLAN tagging in Linux lets you to customize your network to fit your specific needs, enhancing both functionality and security.