Home Linux Networking How To Configure VLAN Tagging In Linux [A Step-by-Step Guide]

How To Configure VLAN Tagging In Linux [A Step-by-Step Guide]

Configure VLANs in Linux Like a Pro: A Beginner-Friendly Tutorial.

By sk
24.3K views

In this detailed tutorial, we are going to learn what VLAN tagging is, its advantages and use cases, and how to configure VLAN tagging in Linux operating system.

Configuring VLAN tagging in Linux involves creating virtual LANs, assigning VLAN IDs, and configuring IP addresses as needed. We will see how to do that in three different ways in the upcoming sections. But before that, let us understand what is VLAN tagging, its advantages and modes.

What is VLAN Tagging?

Virtual LAN (VLAN) tagging is a networking technology that allows you to logically divide a physical network into multiple virtual networks, or VLANs.

VLAN tagging adds a special tag to the Ethernet frames at the data link layer (Layer 2) to identify which VLAN a particular frame belongs to. This tagging enables you to segregate network traffic and improve network security, efficiency, and manageability.

To put this in layman terms, Imagine you have a big house with many rooms, and you want to divide the house into different sections for different purposes.

For example, you might have a living room for everyone to hang out in, a kitchen for cooking, a bedroom for sleeping, and a bathroom for taking baths.

In a similar way, VLAN tagging is like dividing a large computer network into smaller, more manageable sections. It's like creating virtual rooms within your house.

Each VLAN is like a separate room, and devices within the same VLAN can communicate with each other easily, but devices in different VLANs cannot communicate directly.

VLAN tagging is a powerful networking technology that can help to improve network security, performance, and flexibility. It is a widely used technology in a variety of networks, from small businesses to large enterprises.

VLAN Tagging Advantages

Why would you want to do this? There are several reasons:

  • Network Segmentation: VLANs are used to logically segment a physical network into smaller, isolated networks. For example, you can separate the HR department's traffic from the Sales department's traffic to enhance security and manageability.
  • Broadcast Control: By dividing a network into VLANs, broadcast traffic is contained within each VLAN, reducing the overall broadcast domain size and network congestion.
  • Quality of Service (QoS): VLANs can be used to prioritize certain types of traffic (e.g., voice or video) by assigning different QoS policies to each VLAN.
  • Guest Networks: In a corporate environment, you can create a separate VLAN for guest devices to isolate them from the internal network.
  • Isolation: VLANs can be used to isolate specific devices or services, such as IP cameras, IoT devices, or network servers.

Where Do We Configure VLAN Tagging?

Here are some examples of how VLANs are used in real-world networks:

  • In a school or a college, VLANs might be used to separate the network for students, teachers, and administrators. This could help to protect student data and prevent unauthorized access to administrative systems.
  • In a hospital, VLANs might be used to separate the network for patient records, medical devices, and administrative staff. This could help to protect patient privacy and ensure that critical medical devices are not affected by network traffic.
  • In a corporate office, VLANs might be used to separate the network for different departments, such as sales, marketing, and finance. This could help to improve network security and prevent unauthorized access to sensitive data.

VLAN Tagging Vs. Assigning Multiple IP Addresses to a Single NIC

VLAN tagging is not exactly the same as assigning multiple IP addresses to a single network interface.

VLAN tagging is a way of dividing a single network into multiple virtual networks, each with its own broadcast domain. This is done by adding a VLAN tag to each Ethernet frame, which identifies the VLAN to which the frame belongs. VLAN tagging is a Layer 2 technology, which means that it operates at the same level as the Ethernet protocol.

Assigning multiple IP addresses to a single network interface, on the other hand, is a Layer 3 technology. This is done by configuring the network interface with multiple IP addresses, each of which belongs to a different subnet. This allows the interface to communicate with devices on multiple networks.

The two technologies are often used together to create a secure and flexible network environment. For example, a company might use VLANs to divide its network into different departments, and then assign multiple IP addresses to each network interface to allow devices to communicate with multiple departments.

Here is a table that summarizes the key differences between VLAN tagging and assigning multiple IP addresses to a single network interface:

FeatureVLAN TaggingAssigning Multiple IP Addresses
Layer23
PurposeDivide a single network into multiple virtual networksAllow a device to communicate with multiple networks
ImplementationAdd a VLAN tag to each Ethernet frameConfigure the network interface with multiple IP addresses

In summary, while both VLAN tagging and multiple IP assignments enhance network capabilities, they do so in different ways and for different purposes.

VLAN tagging is more about internal network organization and security, while assigning multiple IPs to a single interface is about how a device interfaces with and is accessible on a network.

Hope you got the basic understanding about VLAN tagging, its use cases and advantages.

VLAN Tagging Methods

  • 802.1Q VLAN Tagging: This is the most common method of VLAN tagging. It adds a 4-byte tag to Ethernet frames, indicating the VLAN ID. Most managed switches and network devices support this standard.
  • ISL (Inter-Switch Link) Tagging: An older tagging method primarily used by Cisco switches. It encapsulates Ethernet frames with an ISL header.

1. Configure VLAN Tagging with Netplan

Netplan is a YAML-based network configuration utility used in many Linux distributions, including Ubuntu. Netplan is used to configure IP addresses for network interfaces, including VLAN tagging. To configure VLAN tagging with Netplan, follow these steps:

Step 1 - Check if VLAN Module is loaded

To check if the VLAN module (8021q) is loaded on a Linux system, you can use the lsmod command, which lists loaded kernel modules. Open a terminal and run the following command:

$ lsmod | grep 8021q

If the VLAN module is loaded, you will see output that includes "8021q." If you don't see any output, it means the module is not loaded.

If you find that the VLAN module is not loaded, you can load it manually using the modprobe command:

$ sudo modprobe 8021q

After running this command, the module should be loaded, and you can check its status again using lsmod | grep 8021q. If it's loaded, you'll see the module listed in the output.

To ensure that the VLAN module (8021q) is loaded automatically at boot time on a Linux system, you can add it to the list of kernel modules that should be loaded during the boot process.

For example, to add it to /etc/modules, run:

$ echo '8021q' | sudo tee -a /etc/modules

This will add "8021q" to the list of modules that are automatically loaded during system startup.

Load VLAN module (802.1Q) in Linux
Load VLAN module (802.1Q) in Linux

After completing these steps, the VLAN module should be loaded and available for configuring VLANs on your Linux system. You can proceed with creating VLAN sub-interfaces and configuring VLAN tagging as needed.

Step 2 - Edit the Netplan Configuration File

Netplan configuration files are typically located in the /etc/netplan/ directory and end with a .yaml extension.

You may already have a configuration file there. If not, you can create one. Use a text editor, such as nano or vim, to edit the configuration file:

$ sudo nano /etc/netplan/01-netcfg.yaml

Replace 01-netcfg.yaml with your own configuration file.

Step 3 - Define VLAN Configuration

In the Netplan configuration file, define the VLAN interface by specifying its name, parent interface (the physical interface that the VLAN will be associated with), and the VLAN ID.

Here's an example YAML configuration:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens18:
      dhcp4: no
      addresses:
        - 192.168.1.40/24
      routes:
        - to: default
          via: 192.168.1.101
      nameservers:
          addresses: [8.8.8.8, 8.8.4.4]

  vlans:
    vlan10:
      id: 10
      link: ens18
      addresses: [192.168.10.2/24]

In the above configuration file, replace the network settings that matches to your own configuration.

  • ens18: Replace with the name of your physical network interface.
  • vlan10: Replace with a name for your VLAN.
  • id: 10: Replace with your desired VLAN ID.
  • link: ens18: Specify the physical interface to associate the VLAN with.
  • addresses: Set the IP address and subnet mask for the VLAN.

You can also define multiple VLANs as shown in the following configuration. Just make sure you have used an unique name and IP address for each VLAN.

Configure VLAN Tagging using Netplan in Linux
Configure VLAN Tagging using Netplan in Linux

Important:

Proper line indentation in Netplan YAML configuration files is crucial for readability and correctness. YAML uses spaces to represent data structure, so consistent and clear indentation is essential.

  • Use spaces (not tabs) for indentation.
  • Maintain consistent spacing throughout your configuration.
  • Leave a space after colons to separate keys from values or blocks.
  • Proper indentation enhances readability, minimizes errors, and makes network configuration files easier to manage.

Step 4 - Apply the Configuration

Save the changes to the Netplan configuration file and exit the text editor. Then, apply the configuration using the netplan command:

$ sudo netplan apply

This command will apply the new network configuration, including the VLAN setup.

Step 5 - Verify the Configuration

You can verify that the VLAN interface has been created and is functioning correctly using the ip command:

$ ip addr show vlan10
$ ip link show vlan10

Replace 'vlan10' with your VLAN interface name. These commands should display information about the VLAN interface and its IP configuration.

Verify VLAN Configuration using ip Command
Verify VLAN Configuration using ip Command

That's it! You have configured VLAN tagging using Netplan. Make sure to adapt the configuration to your specific network setup, including the VLAN ID, IP address, and physical interface name as needed.

Step 6 - Delete VLAN

To delete a VLAN interface, simply remove the corresponding section for the vlan in the Netplan configuration file.

It's a good practice to make a backup of the Netplan configuration file before making changes. This way, if anything goes wrong, you can easily revert to the original configuration.

$ sudo cp /etc/netplan/01-netcfg.yaml /etc/netplan/01-netcfg.yaml.backup

Now, open the Netplan configuration file with a text editor:

$ sudo nano /etc/netplan/01-netcfg.yaml

Locate the section for the VLAN you want to delete. It will be a subsection under vlans: and will look something like this:

vlans:
  vlan10:
    id: 10
    link: eth0
    addresses: [192.168.10.2/24]

Remove the entire section for the VLAN. Save and close the file.

Apply the changes by running:

$ sudo netplan apply

Ensure that the VLAN has been successfully removed by checking your network interfaces:

$ ip a

The VLAN interface (e.g., vlan10) should no longer be listed.

2. Configure VLAN Tagging using nmcli Command

To configure VLAN tagging with nmcli (NetworkManager Command-Line Interface) on a Linux system, follow these steps:

Step 1 - Check if VLAN Module is loaded

To verify if the VLAN module (8021q) is loaded in Linux, you can use the lsmod command, which lists loaded kernel modules. Here's how to check if the VLAN module is loaded:

Open a terminal and run the following command:

$ lsmod | grep 8021q

If the VLAN module is loaded, you will see output that includes "8021q." If you don't see any output, it means the module is not loaded.

If you find that the VLAN module is not loaded, you can load it manually using the modprobe command:

$ sudo modprobe 8021q

After running this command, you can check its status again using lsmod | grep 8021q. If it's loaded, you'll see the module listed in the output.

To make the VLAN module (8021q) load persistently during system boot on a Linux system, you can follow these steps:

Determine which configuration file is used to specify modules for automatic loading during system boot. The location of this file can vary based on your Linux distribution.

For Red Hat/CentOS:

The file is typically /etc/modules-load.d/modules.conf.

For Ubuntu/Debian:

Create a custom .conf file in the /etc/modules-load.d/ directory.

Open the configuration file using a text editor with administrative privileges (e.g., sudo nano or sudo vi).

In the configuration file, add a line to specify the VLAN module (8021q) that you want to load at boot. For example:

8021q

Save the file after adding this entry.

Apply the Configuration:

After editing the configuration file, you may need to apply the changes. On some systems, this is done automatically during boot. However, you can manually apply the changes using the systemctl command:

For Red Hat/CentOS:

$ sudo systemctl restart systemd-modules-load

For Ubuntu/Debian:

$ sudo systemctl restart systemd-modules-load.service

Verify the Module Loading:

To ensure that the VLAN module is loaded at boot, you can check its status using the lsmod command or verify the system logs for any related messages.

$ lsmod | grep 8021q

If the module is listed in the output, it means it was loaded successfully during the boot process.

By following these steps and configuring the VLAN module to load persistently, you ensure that the module is automatically loaded each time the system boots up, and you won't need to load it manually.

Step 2 - Check NetworkManager Service

Ensure that NetworkManager is installed and running on your system. You can check the status of NetworkManager using the following command:

$ systemctl status NetworkManager

If it's not installed or running, you can install and start it using your distribution's package manager (e.g., apt on Debian/Ubuntu or yum on CentOS/RHEL).

Step 3 - Identify the Parent Interface

Identify the physical network interface that you will use as the base for your VLAN. You can list all available network interfaces using the following command:

$ nmcli device status

Sample Output:

DEVICE  TYPE      STATE      CONNECTION         
ens18   ethernet  connected  Wired connection 1 
lo      loopback  unmanaged  --                 

Look for the interface that you want to use, such as ens18.

Step 4 - Create VLAN Connection

Next, you create a VLAN interface. For this example, let's assume you want to create a VLAN with ID 10 on eth0.

$ sudo nmcli con add type vlan con-name vlan10 ifname vlan10 dev ens18 id 10
  • con-name vlan10 is the name you give to this connection.
  • ifname vlan10 is the name of the VLAN interface.
  • dev ens18 specifies the parent interface.
  • id 10 is the VLAN ID.

Step 5 - Assign IP Configuration to the VLAN Interface

Now, assign an IP address, gateway, and DNS to the VLAN interface.

For example:

$ sudo nmcli connection modify vlan10 ipv4.addresses 192.168.10.2/24
$ sudo nmcli connection modify vlan10 ipv4.gateway 192.168.10.1
$ sudo nmcli connection modify vlan10 ipv4.dns 8.8.8.8
$ sudo nmcli connection modify vlan10 ipv4.method manual

In the above commands, replace the network settings with your own.

  • Replace 192.168.10.2/24 with your desired IP address and subnet.
  • Replace 192.168.10.1 with your gateway IP.
  • 8.8.8.8 is an example DNS server (Google's public DNS).

Step 6 - Activate the Connection

Activate the VLAN connection using the following command:

$ sudo nmcli connection up vlan10

Replace VLAN10 with the name of your VLAN connection.

Step 7 - Verify Configuration

You can use nmcli to verify the configuration:

$ nmcli connection show vlan10

This command will display details about the VLAN connection, including its status and configured properties.

Configure VLAN Tagging using nmcli Command
Configure VLAN Tagging using nmcli Command

Step 8 - Modifying/Deleting VLAN

You can modify settings using nmcli con modify command. To delete the VLAN. for example vlan10, the command would be:

$ sudo nmcli con delete vlan10

That's it! You have configured VLAN tagging using nmcli on your Linux system. Be sure to adapt the configuration to your specific network setup and requirements, including IP addresses, gateway, and DNS settings.

3. Configure VLAN Tagging using ip Command in Linux

Step 1 - Check if VLAN Module is loaded

To ensure that the VLAN module (802.1Q) is loaded on your Linux system, you can follow these steps:

To check whether the VLAN module is already loaded, you can use the lsmod command, which lists loaded kernel modules. Open a terminal and run:

$ lsmod | grep 8021q

Sample Output:

8021q                  45056  0
garp                   20480  1 8021q
mrp                    20480  1 8021q

If you see output that includes "8021q," it means the VLAN module is already loaded.

If the lsmod command doesn't show the 802.1Q module, you can load it manually using the modprobe command. Open a terminal and run:

$ sudo modprobe 8021q

This command will load the VLAN module into the kernel. If you don't see any error messages, the module should be successfully loaded.

To ensure that the VLAN module is loaded automatically at boot time, you can add it to the /etc/modules file or create a configuration file in the /etc/modules-load.d/ directory. For example, to add it to /etc/modules, run:

$ echo '8021q' | sudo tee -a /etc/modules

This will add "8021q" to the list of modules that are automatically loaded during system startup.

Step 2 - Check Network Interface Names

Before configuring VLAN tagging, you should find the names of the network interfaces.

You can use the ip link show or ifconfig commands to list the available network interfaces. Typically, these interfaces have names like enp0sX or, ensX or, ethX.

$ ip link show

Sample Output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s18

As you see in the output above, there is one network interfaces named ens18.

Step 3 - Creating VLAN Sub-interfaces

Use the ip command to create VLAN sub-interfaces for your physical network interface. Replace with the name of your physical interface (e.g., ens18) and with the desired VLAN ID.

$ sudo ip link add link ens18 name vlan10 type vlan id 10
$ sudo ip link add link ens18 name vlan20 type vlan id 20

Step 4 - Configure IP Addresses

Assign IP addresses to the VLAN sub-interfaces.

$ sudo ip addr add 192.168.10.2/24 dev vlan10
$ sudo ip addr add 192.168.20.2/24 dev vlan20

Step 5 - Enable VLAN Interfaces

$ sudo ip link set dev vlan10 up
$ sudo ip link set dev vlan20 up
Configure VLAN Tagging using ip Command
Configure VLAN Tagging using ip Command

Similarly, you can configure as many as VLANs you require for your setup.

Step 6 - Verify VLAN IP Addresses

Use the ip command to verify if the IP addresses for the VLANs are configured correctly.

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 192.168.1.40/24 brd 192.168.1.255 scope global noprefixroute ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::bfcf:b9d3:60de:af1b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: vlan10@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.2/24 scope global ens18.10
       valid_lft forever preferred_lft forever
    inet6 fe80::6c26:bff:fe8e:338c/64 scope link 
       valid_lft forever preferred_lft forever
4: vlan20@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.2/24 scope global ens18.20
       valid_lft forever preferred_lft forever
    inet6 fe80::6c26:bff:fe8e:338c/64 scope link 
       valid_lft forever preferred_lft forever

As you see in the above output, I have created two VLANs namely vlan10 and vlan20 with IP addresses 192.168.10.2/24 and 192.168.20.2/24 respectively.

You can also use ip addr show command to only view a specific VLAN's IP address. For instance, to show the IP address of vlan10, run:

$ ip addr show vlan10
3: vlan10@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 6e:26:0b:8e:33:8c brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.2/24 brd 192.168.10.255 scope global noprefixroute ens18.10
       valid_lft forever preferred_lft forever
    inet6 fe80::6c26:bff:fe8e:338c/64 scope link 
       valid_lft forever preferred_lft forever
Verify VLAN IP Addresses
Verify VLAN IP Addresses

Frequently Asked Questions

Here's a FAQ (Frequently Asked Questions) about VLAN tagging:

Q: What is VLAN tagging?

A: VLAN tagging is a networking technology that allows you to logically divide a physical network into multiple virtual networks, or VLANs. It adds special tags to Ethernet frames to identify which VLAN a particular frame belongs to.

Q: What is the purpose of VLAN tagging?

A: VLAN tagging serves several purposes, including network segmentation, traffic isolation, broadcast control, quality of service (QoS) prioritization, and improved network security.

Q: How does VLAN tagging work?

A: VLAN tagging adds a 4-byte tag to Ethernet frames at the data link layer (Layer 2) to indicate the VLAN ID. Network devices use this tag to determine which VLAN the frame belongs to.

Q: Can I mix IP address classes (e.g., Class A and Class C) in a VLAN?

A: Yes, you can assign IP addresses from different classes within the same VLAN. VLANs are not dependent on IP address classes, and you can use any IP address range with an appropriate subnet mask.

Q: Do devices in different VLANs communicate with each other by default?

A: No, devices in different VLANs do not communicate with each other by default. VLANs are isolated from each other, and communication requires a router or Layer 3 device to route traffic between them.

Q: How do I configure VLAN tagging in Linux?

A: To configure VLAN tagging in Linux, you can use tools like ip command or configuration files like Netplan. You'll create VLAN sub-interfaces on a physical interface, assign VLAN IDs, and configure IP addresses as needed.

Q: Can I configure VLAN tagging on a managed switch?

A: Yes, most managed switches support VLAN tagging. You can configure VLANs, assign ports to VLANs, and set up VLAN trunking on managed switches to facilitate VLAN communication.

Q: What is the difference between VLAN tagging and multiple IP addresses on a single interface?

A: VLAN tagging creates separate virtual networks with distinct VLAN IDs, while multiple IP addresses on a single interface involve assigning multiple IP addresses within the same network or subnet. VLAN tagging offers better traffic isolation and security.

Q: How can I check if the VLAN module is loaded on my Linux system?

A: You can check if the VLAN module is loaded using the lsmod | grep 8021q command. If you see "8021q" in the output, the module is loaded; otherwise, you may need to load it manually.

Q: How do I ensure that the VLAN module is loaded automatically at boot time?

A: To ensure automatic loading of the VLAN module at boot, add it to the appropriate configuration file for your Linux distribution. For example, in Ubuntu, you can add it to /etc/modules-load.d/.

Conclusion

In this comprehensive guide, we discussed three ways to configure VLAN tagging in Linux operating systems.

In Linux networking, VLAN tagging is an useful technique that allows you to create isolated virtual networks within a single physical network. This segregation improves security, simplifies network management, and enhances overall network efficiency.

Whether you're managing a home network or a complex enterprise environment, understanding and implementing VLAN tagging in Linux lets you to customize your network to fit your specific needs, enhancing both functionality and security.

You May Also Like

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More