An Introduction to VLANs and VLAN Trunking


Upload: shyam-singh

Post on 28-Nov-2014


An introduction to VLANs and VLAN trunking, how Linux interacts with VLANs and how you might use them in networks.

To begin, we must have a more formal definition of what a LAN is. LAN stands for local area network. Hubs and switches usually are thought of as participating in a single LAN. Normally, if you connect two computers to the same hub or switch, they are on the same LAN. Likewise, if you connect two switches together, they are both on the same LAN.

A LAN includes all systems in the broadcast domain. That is, all of the systems on a single LAN receive a broadcast sent by any member of that LAN. By this definition, a LAN is bordered by routers or other devices that operate at OSI Layer 3.

Now that we've defined a LAN, what is a VLAN? VLAN stands for virtual LAN. A single VLAN-capable switch is able to participate in multiple LANs at once.

This functionality alone has a variety of uses, but VLANs become far more interesting when combined with trunking. A trunk is a single physical connection that can carry multiple VLANs. Each frame that crosses the trunk has a VLAN identifier attached to it, so it can be identified and kept within the correct VLAN.

Trunks can be used between two switches, between a switch and a router or between a switch and a computer that supports trunking. When connecting to a router or computer, each VLAN appears as a separate virtual interface.

When using trunks, it is important to consider that all the VLANs carried over the trunk share the same bandwidth. If the trunk is running over a 100Mbps interface, for example, the combined bandwidth of all the VLANs crossing that trunk is limited to 100Mbps.

Advantages of VLANs

VLANs provide a number of benefits to a network designer. The first advantage is that the number of devices required to implement a given network topology can be reduced. Without VLANs, if your network design requires ten machines divided into five different LANs, you would need five different switches or hubs, and most of the ports would be wasted. With VLANs, this work could be done with one device.

Most routers and standard computers can support a limited number of physical network interfaces. Although dual and quad-port Ethernet adapters are available, these are expensive. For example, a quad-port Ethernet card may cost $400. VLAN capable switches start at around $500, but they support many more interfaces.

Depending on the scenario, VLANs and trunks can provide an effective way of segmenting a network without the expense and complexity of managing many physical interfaces.

Types of Trunks

Several trunk encapsulations are available. Trunks can be carried across a variety of interface types, but this article deals only with Ethernet. The two main protocols for carrying VLANs over Ethernet are ISL and 802.1q. ISL was created by Cisco prior to the standardization of 802.1q and is proprietary. 802.1q, on the other hand, is an open standard and is widely supported. Hereafter, references to trunking mean 802.1q-over-Ethernet. As a side note, 802.1q is defined on only 100Mbps or higher Ethernet; it does not support 10Mbps.

How VLANs Work

Trunks using the 802.1q protocol work by adding a 4-byte VLAN identifier to each frame. This is used on both ends to identify to which VLAN each individual frame belongs. When a switch receives a tagged unicast frame, it looks up the outgoing port using both the destination MAC address and the VLAN identifier. When a broadcast frame is received, it is flooded out to all active ports participating in that VLAN.

When a VLAN-aware router or computer receives a tagged frame, it examines the tag to determine to which virtual interface the frame belongs. This virtual interface can have an IP address and behaves basically the same as a normal physical interface.

Some switches have the concept of a native VLAN on a trunk connection. Frames sent out from the trunk port on this VLAN are untagged. Likewise, untagged frames received on this port are associated with this VLAN. Native VLANs on both ends of a trunk must match. A native-VLAN mismatch between the two ends causes problems for traffic on the native VLAN configured at each end, because each side assigns the other side's untagged frames to its own native VLAN.
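The tag format, the per-VLAN forwarding lookup and the native-VLAN rule described above, as an added Python simulation (not code from the original article): it builds and parses 802.1Q-tagged Ethernet frames and runs a toy VLAN-aware learning switch whose MAC table is keyed by (VLAN, MAC). The port names mirror the article's switch; the MAC addresses, EtherTypes and payloads are constructed for the demonstration, and the Switch class and its methods are this example's own.

```python
import struct

TPID_8021Q = 0x8100          # EtherType that announces a 4-byte 802.1Q tag follows
BROADCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet frame; when vid is given, a 4-byte tag (TPID + TCI) is inserted after the MACs."""
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)      # TCI = PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(raw, native_vid):
    """Return (dst, src, vid, ethertype, payload); an untagged frame belongs to native_vid."""
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", raw[14:18])
        return dst, src, tci & 0x0FFF, etype, raw[18:]
    return dst, src, native_vid, etype, raw[14:]


class Switch:
    """Toy VLAN-aware learning switch: access ports carry one VLAN untagged; trunk ports
    carry every VLAN tagged, except the trunk's native VLAN, which is sent untagged."""

    def __init__(self):
        self.ports = {}   # port -> ("access", vid) or ("trunk", native_vid)
        self.table = {}   # (vid, mac) -> port: the MAC table is scoped per VLAN

    def add_access(self, port, vid):
        self.ports[port] = ("access", vid)

    def add_trunk(self, port, native_vid):
        self.ports[port] = ("trunk", native_vid)

    def _carries(self, port, vid):
        kind, pvid = self.ports[port]
        return kind == "trunk" or pvid == vid

    def _egress(self, port, dst, src, vid, etype, payload):
        kind, pvid = self.ports[port]
        tag = None if (kind == "access" or pvid == vid) else vid   # untag on access/native
        return build_frame(dst, src, etype, payload, vid=tag)

    def receive(self, in_port, raw):
        """Process one ingress frame; returns {egress_port: frame_bytes}."""
        kind, pvid = self.ports[in_port]
        dst, src, vid, etype, payload = parse_frame(raw, native_vid=pvid)
        if kind == "access" and vid != pvid:
            return {}                                   # foreign tag on an access port: drop
        self.table[(vid, src)] = in_port                # learn within this VLAN only
        known = self.table.get((vid, dst))
        if dst == BROADCAST or known is None:           # flood, but only to ports in this VLAN
            targets = [p for p in self.ports if p != in_port and self._carries(p, vid)]
        else:
            targets = [] if known == in_port else [known]
        return {p: self._egress(p, dst, src, vid, etype, payload) for p in targets}


def demo():
    """Constructed scenario in the shape of the article: trunk to the firewall on Fa0/1
    (native VLAN 1), DMZ hosts on Fa0/2-3 (VLAN 2), Accounting on Fa0/4 (VLAN 3),
    and one port still in the default VLAN 1 on Fa0/6."""
    sw = Switch()
    sw.add_trunk("Fa0/1", native_vid=1)
    sw.add_access("Fa0/2", 2)
    sw.add_access("Fa0/3", 2)
    sw.add_access("Fa0/4", 3)
    sw.add_access("Fa0/6", 1)
    dmz_a, dmz_b, fw = (bytes.fromhex(h) for h in ("02000000aa02", "02000000bb02", "02000000ff01"))
    r = {}
    # 1. ARP-style broadcast from a DMZ host: reaches the other DMZ port untagged and the
    #    trunk tagged with VID 2; the Accounting port and the VLAN 1 port never see it.
    out = sw.receive("Fa0/2", build_frame(BROADCAST, dmz_a, 0x0806, b"who-has 10.0.0.34"))
    r["broadcast_vlan2"] = sorted(out)
    r["trunk_copy_vid"] = parse_frame(out["Fa0/1"], native_vid=1)[2]
    r["trunk_copy_tagged"] = out["Fa0/1"][12:14] == b"\x81\x00"
    r["access_copy_tagged"] = out["Fa0/3"][12:14] == b"\x81\x00"
    # 2. Unicast reply: the switch learned (VLAN 2, dmz_a) on Fa0/2, so no flooding.
    out = sw.receive("Fa0/3", build_frame(dmz_a, dmz_b, 0x0800, b"reply"))
    r["unicast_vlan2"] = sorted(out)
    # 3. Untagged frame from the trunk lands in the native VLAN 1, not in VLAN 2 or 3.
    out = sw.receive("Fa0/1", build_frame(BROADCAST, fw, 0x0806, b"untagged"))
    r["untagged_from_trunk"] = sorted(out)
    # 4. Frame tagged VID 3 from the trunk reaches only the Accounting port.
    out = sw.receive("Fa0/1", build_frame(BROADCAST, fw, 0x0806, b"tagged", vid=3))
    r["tagged3_from_trunk"] = sorted(out)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the MAC table is keyed by (VLAN, MAC), the same MAC address seen in two VLANs produces two independent entries, which is what keeps a flooded frame inside its own VLAN even when the destination is unknown.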

Security Considerations for VLANs and Trunks

For all the benefits of VLANs and trunking, some risks must be weighed. As opposed to physical separation between network segments, VLANs rely on the switch to do the right thing. It is possible that a misconfiguration or a bug could cause the VLAN barriers to be broken.

Two risks are associated with VLANs. In the first, a packet leaks from one VLAN to another, possibly revealing sensitive information. In the second, a specially crafted packet is injected into another VLAN. Any attack that could cause the VLAN barriers to break requires a machine directly attached to the physical network. This means that only a local machine can execute an attack against the switch.

When the switch is configured properly, the chances of these problems happening are slim, but the possibility still exists. It is up to you to examine your needs and your security policy to determine if VLANs are right for you.

It is beyond the scope of this article to describe exactly how to configure your switch securely, but most vendors provide documentation outlining best practices. Briefly, you should configure at least the following:

Disable trunking and trunk negotiation on all ports except those absolutely necessary.

Enable MAC flood protection on all ports.

Isolate the management VLAN from workstations and servers.

Linux and VLANs

Linux has long been able to connect to VLAN trunks with a kernel patch, and the functionality was integrated into the mainstream kernel in 2.4.14. Kernel 2.6 also supports VLAN trunking.

In order to use 802.1q trunking, simply set the CONFIG_VLAN_8021Q option when configuring your kernel. Depending on what Ethernet card you have, you may need to patch the driver to make VLANs work correctly. This process is discussed in greater detail later in the article.

MTU Issues

As mentioned earlier, 802.1q works by tagging each frame with a 4-byte VLAN identifier. However, some Ethernet drivers assume the maximum frame size is 1,500 bytes. The addition of the 4-byte tag does not leave as much room for data. Thus, although small packets are sent and received correctly, large packets fail. The solution is either to drop the MTU of the VLAN device or to correct the assumptions of the driver.

Patches are available on the Linux VLAN Web site for a variety of cards (see Resources). Several drivers work correctly out of the box (or tar.gz, as the case may be), including the e100 driver for Intel-based cards.

Linux Configuration

Configuring VLANs under Linux is a process similar to configuring regular Ethernet interfaces. The main difference is you first must attach each VLAN to a physical device. This is accomplished with the vconfig utility. If the trunk device itself is configured, it is treated as native. For example, these commands define VLANs 2-4 on device eth0:

vconfig add eth0 2
vconfig add eth0 3
vconfig add eth0 4

The vconfig program can set a variety of other options, including device-naming conventions. Hereafter, these are assumed to be at their defaults.

Once the virtual interfaces are defined, they can be used in the same way as other interfaces. The standard utilities, such as ifconfig and route, all accept VLAN interfaces and behave as expected. For example, all VLAN interfaces can be listed with ifconfig -a.

Depending on your distribution, support may be available for automatically configuring VLANs on startup. Debian 3.0 or greater supports this, but Red Hat and Fedora currently do not. For other distributions, you simply need to write a script that executes vconfig prior to the main network startup scripts.

Switch Configuration

Because the configuration interfaces for different brands of switches all are different, the focus of this section is the common Cisco 2924. All switch configurations are from this model but should work with little change on other IOS-based switches. A variety of configuration commands are related to trunking, but only the most basic are covered here. The samples also assume the ports all have a default configuration. Specifically, this means all ports are configured as access ports in VLAN 1.

This article focuses on the Linux side of the configuration, so only a basic explanation of the switch commands is given. Listing 1 is a configuration fragment that could be entered into a Cisco Catalyst 2924 switch. See Resources for URLs to complete documentation of these commands.

Listing 1. Configuring a Cisco Catalyst 2924 Switch

interface FastEthernet 0/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
interface FastEthernet 0/2
switchport access vlan 2

The commands here are fairly self-explanatory if you are familiar with the VLAN terminology presented earlier. Briefly, the first section converts the first port into a trunk running 802.1q encapsulation with native VLAN 1. The second section simply moves port 2 into VLAN 2.

It is important to see how VLANs are configured and operating on the switch. The first task is to see the status of a particular port. This can be done with the show interfaces <interface> switchport command.

Listing 2. show interfaces <interface> switchport

#show interfaces FastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (VLAN0001)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-5
Pruning VLANs Enabled: 6-1001
...

Probably the most useful command is the show vlan command. It shows you a table indicating which ports are in which VLANs.
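As an added example (not code from the original article), the following Python script parses show interfaces switchport output in the format shown in Listing 2 for several ports and checks it against two of the security items listed earlier: trunking enabled only on ports that need it, and trunk negotiation disabled everywhere. The three ports' output is constructed for the demonstration, with Fa0/2 deliberately left negotiating; the allowed_trunks set and the function names are this example's own.

```python
# Constructed "show interfaces <interface> switchport" output for three ports, in the
# format shown in Listing 2. Fa0/2 is deliberately misconfigured for the demonstration.
SAMPLE_OUTPUT = """\
Name: Fa0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (VLAN0001)
Trunking VLANs Enabled: ALL

Name: Fa0/2
Switchport: Enabled
Administrative mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Enabled
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (VLAN0001)
Trunking VLANs Enabled: ALL

Name: Fa0/3
Switchport: Enabled
Administrative mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (VLAN0001)
Trunking VLANs Enabled: ALL
"""


def parse_switchports(text):
    """Split the output into {port_name: {field: value}}; each 'Name:' line starts a port."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue                       # blank line or a line without a field
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def audit_switchports(ports, allowed_trunks):
    """Check the two items from the checklist above that this output can show:
    trunking only on ports that need it, and trunk negotiation disabled everywhere.
    Returns a list of (port, finding) tuples."""
    findings = []
    for name, f in sorted(ports.items()):
        op_mode = f.get("Operational Mode", "").lower()
        admin_mode = f.get("Administrative mode", "").lower()
        negotiation = f.get("Negotiation of Trunking", "").lower()
        if op_mode == "trunk" and name not in allowed_trunks:
            findings.append((name, "is trunking but is not on the approved trunk list"))
        if negotiation not in ("disabled", "off"):
            findings.append((name, "trunk negotiation is not disabled"))
        if admin_mode.startswith("dynamic"):
            findings.append((name, f"administrative mode '{admin_mode}' lets the peer negotiate a trunk"))
    return findings


def audit_sample():
    """Run the audit on the constructed sample; only Fa0/1 is meant to be a trunk."""
    return audit_switchports(parse_switchports(SAMPLE_OUTPUT), allowed_trunks={"Fa0/1"})


if __name__ == "__main__":
    for port, finding in audit_sample():
        print(f"{port}: {finding}")
```

Feeding the script the concatenated output for every port (one show interfaces switchport per port) gives a quick way to confirm, after a change window, that nothing other than the firewall's port came up as a trunk.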

Example

The best way to see how VLANs work is by example. Imagine you work for Widgets, Inc. There are about 20 people from several departments working at your location. Ten people work in engineering, two people are in accounting, five in sales and three in marketing. Widgets, Inc. currently has a flat network, one in which all the machines are on the same LAN. All of these machines are connected to a Cisco 2924 switch and reside in the 10.0.0.0/24 private network.

Figure 1. Widgets, Inc.'s Private Network

To improve security, you have convinced management to let you segment the network. You already have a Linux firewall running Debian 3.0 facing the Internet, but now you need to extend it to segment the network. The first snag is you have been given only a minimal budget for the project.

After some consideration, you have decided to separate the inside network into four segments: Sales & Marketing, Accounting, Engineering and a DMZ for your assorted servers, plus a management VLAN. The management VLAN has no workstations associated with it and is used only for the switch's configuration interface.

Figure 2. The Segmented Network

Your existing firewall cannot accommodate three more physical interfaces. You recently read an interesting article about how to use VLANs with Linux, which gives you an idea. With VLANs, the new topology can be implemented with the existing interfaces. In fact, the physical layout of your network doesn't change at all. Using VLANs adds a management network to the mix, bringing the total to five.

Figure 3. The Segmented Network with VLANs

You also have decided to subnet your existing IP addresses for the new segments. Using a subnet mask of 255.255.255.224 gives you plenty of IPs for each segment and leaves you several spare subnets to use later. You already are using DHCP to assign IP addresses, so client reconfiguration is not an issue.

Listing 3. Assigning IP Addresses

Description         VLAN   IP Subnet
Management          1      10.0.0.0/27
DMZ                 2      10.0.0.32/27
Accounting          3      10.0.0.64/27
Engineering         4      10.0.0.96/27
Sales & Marketing   5      10.0.0.128/27

Preparation

Because the network changes here can cause a loss of connectivity, it is important to have everything prepared beforehand. Ensure that your firewall meets the prerequisites above. It also is recommended that you have a serial console connection available before you begin. Obviously, these kinds of changes should be done after business hours.

Preparation is the most important part of a network project. In this case, it is important to have everything planned out well in advance. You should have planned out your firewall policy, server configuration, DNS update and so on. Think about all the functions required for the daily operation of your network, and consider how the changes described here might affect them. For example, reducing the DHCP lease time several days in advance allows the workstations to retrieve their new leases more quickly.

Firewall Configuration

The first step towards the new network configuration is to establish the trunk between the firewall and the switch. On Debian, the vlan package contains the required utilities. Most other distributions also offer a package containing these utilities. Compile and install your kernel as you normally would, and enable 802.1q support (CONFIG_VLAN_8021Q).

The Debian interfaces file, located in /etc/network/interfaces, provides support for creating VLAN interfaces. Each VLAN interface is defined as normal, with the addition of a vlan_raw_device line naming the physical interface that carries the trunk. If your distribution does not support defining VLAN interfaces, you need to have a script define them before network startup. Listing 4 shows a Debian interfaces file, using DHCP to retrieve the IP for the outside interface.

Listing 4. A Debian Interfaces File

auto lo
iface lo inet loopback

auto eth0 eth1 vlan2 vlan3 vlan4 vlan5
iface eth0 inet dhcp

# VLAN 1 - native management VLAN (untagged, so it is configured on eth1 itself
# and needs no vlan_raw_device line)
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.224

# VLAN 2 - DMZ
iface vlan2 inet static
    address 10.0.0.33
    netmask 255.255.255.224
    vlan_raw_device eth1

# VLAN 3 - Accounting
iface vlan3 inet static
    address 10.0.0.65
    netmask 255.255.255.224
    vlan_raw_device eth1

# VLAN 4 - Engineering
iface vlan4 inet static
    address 10.0.0.97
    netmask 255.255.255.224
    vlan_raw_device eth1

# VLAN 5 - Sales & Marketing
iface vlan5 inet static
    address 10.0.0.129
    netmask 255.255.255.224
    vlan_raw_device eth1

If you were using a distribution other than Debian, you could put lines similar to the ones in Listing 5 in a startup script that runs before network configuration.

Listing 5. Startup Script for Non-Debian Distributions

vconfig add eth1 2
vconfig add eth1 3
vconfig add eth1 4
vconfig add eth1 5

Once the new interfaces are defined, you can bring them up using ifup <device name>. You also need to ifdown and ifup eth1 to set the correct IP and netmask.
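The subnet plan in Listing 3 and the configuration in Listings 4 and 5 can be derived from one another. As an added example (not code from the original article), the following Python script carves 10.0.0.0/24 into /27s in VLAN order with the standard ipaddress module, hands the first host of each subnet to the firewall and the second to the switch (matching Listings 4 and 6), and renders both the Debian interfaces file and the vconfig startup script. The function names, the PLAN list and the eth0/eth1 defaults are this example's assumptions.

```python
import ipaddress

# The Widgets, Inc. plan from Listing 3 as (VLAN id, description); subnets are derived below.
PLAN = [(1, "Management"), (2, "DMZ"), (3, "Accounting"),
        (4, "Engineering"), (5, "Sales & Marketing")]


def plan_subnets(base="10.0.0.0/24", new_prefix=27, plan=PLAN):
    """Split the flat /24 into /27s (mask 255.255.255.224) and hand them out in VLAN order.
    Returns {vid: (description, subnet, firewall_ip, switch_ip)}: the firewall takes the
    first host address of each subnet and the switch the second, as in Listings 4 and 6."""
    subnets = list(ipaddress.ip_network(base).subnets(new_prefix=new_prefix))
    if len(subnets) < len(plan):
        raise ValueError("not enough subnets for the plan")
    assignments = {}
    for (vid, desc), net in zip(plan, subnets):
        hosts = list(net.hosts())
        assignments[vid] = (desc, net, hosts[0], hosts[1])
    return assignments


def debian_interfaces(assignments, raw_device="eth1", outside="eth0"):
    """Render an /etc/network/interfaces in the shape of Listing 4: the native VLAN is
    configured on the raw device itself, every other VLAN as vlanN bound with vlan_raw_device."""
    vids = sorted(assignments)
    native = vids[0]
    auto = [outside, raw_device] + [f"vlan{v}" for v in vids if v != native]
    lines = ["auto lo", "iface lo inet loopback", "",
             "auto " + " ".join(auto), f"iface {outside} inet dhcp", ""]
    for vid in vids:
        desc, net, fw_ip, _ = assignments[vid]
        iface = raw_device if vid == native else f"vlan{vid}"
        lines += [f"# VLAN {vid} - {desc}", f"iface {iface} inet static",
                  f"    address {fw_ip}", f"    netmask {net.netmask}"]
        if vid != native:
            lines.append(f"    vlan_raw_device {raw_device}")
        lines.append("")
    return "\n".join(lines)


def vconfig_script(assignments, raw_device="eth1"):
    """The Listing 5 equivalent for distributions without ifupdown VLAN support:
    one vconfig add per non-native VLAN."""
    native = min(assignments)
    return "\n".join(f"vconfig add {raw_device} {v}"
                     for v in sorted(assignments) if v != native)


if __name__ == "__main__":
    plan = plan_subnets()
    for vid, (desc, net, fw_ip, sw_ip) in plan.items():
        print(f"VLAN {vid:<2} {desc:<18} {net}  firewall {fw_ip}  switch {sw_ip}")
    print(debian_interfaces(plan))
    print(vconfig_script(plan))
```

Keeping the plan in one place means the IP subnet, the firewall address and the switch management address can never drift apart between the interfaces file, the switch configuration and dhcpd.conf.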

Switch Configuration

Before you begin configuration, make sure the IP address of the switch falls within the new management subnet. The IP configuration is associated with a virtual interface. This is normally VLAN1.

Listing 6. IP Address for VLAN1

interface VLAN1
ip address 10.0.0.2 255.255.255.224

The firewall is connected to port 1 on the switch, which is referred to as FastEthernet 0/1 in IOS notation. The first task is to set the encapsulation and native VLAN, then you can enable the trunk.

Listing 7. Enabling the Trunk

interface FastEthernet 0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport mode trunk

Once the trunk is active, you need to move ports from the default VLAN into their new one. This is done by entering the interface configuration and issuing switchport access vlan <vlan id>. Although not necessary, it is helpful to physically group VLANs to make them easier to manage.

Listing 8. Moving the Ports

interface FastEthernet0/2
switchport access vlan 2
interface FastEthernet0/3
switchport access vlan 2
interface FastEthernet0/4
switchport access vlan 3
interface FastEthernet0/5
switchport access vlan 3
interface FastEthernet0/2
switchport access vlan 3

Once your changes are complete, you can see which ports are in which VLAN by using the show vlan command.

Finishing Up

The first order of business is to test whether you can move packets of all sizes successfully without MTU issues. Packets above 1,476 bytes should trigger any MTU issue you have. This can be tested by pinging from the firewall to a machine on a non-native VLAN. If small packets work but large packets do not, you most likely have an MTU issue.

Because you are using DHCP, you now need to update your dhcpd.conf file to reflect the new subnets. Once it is restarted, client machines start to receive their new IP addresses.

Without a policy, a firewall is useless. Unfortunately, defining that policy is beyond the scope of this article. However, a variety of effective tools are freely available for this purpose.

Now that everything is working, we need to make sure the switch's new configuration is saved to the switch's nonvolatile memory, or it will be lost at the next reload. This is done from enable mode using the write memory command.

Conclusion

As you can see, VLAN trunking can be a valuable tool. I hope you have learned where it can be useful, the risks and benefits of using it and the basics of its configuration. Even though this document focuses on a Cisco 2924 switch, it shouldn't be difficult to translate the configuration here to any switch that supports 802.1q trunks.

I would like to give special thanks to Cheryl Lehman for helping to make my first article readable and to Randall Shutt for reviewing the content.

Resources

802.1Q VLAN implementation for Linux

Using the Command-line Interface for Catalyst 2900XL Switches

Cisco Catalyst 2900XL IOS Command References

Comments

great article
Submitted by Anonymous (not verified) on Sat, 2006-10-21 12:31.

Thanks for this :)

figures in this article
Submitted by Anonymous (not verified) on Thu, 2006-02-02 09:15.

I cannot view the figures in this article; it would be useful to view them. Has anyone got them?

This article exactly hit the
Submitted by Anonymous (not verified) on Tue, 2005-06-28 19:19.

This article exactly hit the nail on the head! I was able to create a "layer 3 switch" with an unused PC running Linux and an old 3Com SuperStack 3300 switch for our test lab. Surprisingly fast; it's clearly faster than what I suspected (although certainly not as fast as a real L3 switch).

Thanks a million! It really got me going!

vlan switch connect to linux gateway
Submitted by Anonymous (not verified) on Thu, 2005-03-24 07:37.

Dear

I did configure the switch to use VLANs and I did connect that switch to a Linux gateway machine.

Must I configure VLANs under the Linux machine also, or just on the switch?

Please reply, I need help.

Greetings

Re: VLANs on Linux - basic switch vlan aware
Submitted by Anonymous on Thu, 2004-07-29 01:00.

This is an item I just ordered for a client: http://store.elementsource.com/elementsources/bgfoncol16po.html

* 16 x 10/100Mbps Auto-negotiation, Auto-MDI/MDIX TP ports
* Supports QoS function based on IEEE 802.1p/802.1q port priority, VLAN tag priority and TCP/IP header's TOS/DS
* Supports VLAN, up to 16 group VLANs
* Provides console port and software for easy configuration
* Full/Half duplex transfer mode for each port
* Store-and-Forward switching method
* Extensive front-panel diagnostic LEDs
* IEEE 802.3x flow control for full-duplex
* Back pressure flow control for half-duplex

I ordered it for general networking purposes but I will (in the future) try some VLAN stuff since I want to separate wireless access to different subnets.

Re: VLANs on Linux
Submitted by Anonymous on Wed, 2004-06-30 01:00.

How to organize a domain server with the help of a Linux VLAN router? For instance, I have VLANs 2,3,4,5 and I want the traffic from them to be routed into VLAN 10 (the server's VLAN), but 2,3,4,5 must not touch. Help!

Re: VLANs on Linux and Trunk
Submitted by drp666c (not verified) on Tue, 2004-06-15 01:00.

Hi,

Since a switch can have trunk ports that see traffic from all VLANs, is it possible to configure the interface in Linux to see traffic from all VLANs, kinda like a trunk interface?

Thanks

Re: VLANs on Linux and Trunk
Submitted by BK (not verified) on Fri, 2005-01-07 04:17.

Yes, it is possible. You will need to enable the 802.1Q option in the kernel, recompile, and install the vlan package to get the vconfig utility, which enables you to add VLAN interfaces.

VLANs on linux
Submitted by anwar (not verified) on Mon, 2005-09-19 02:22.

Yes, I enabled the 802.1Q option in the kernel, recompiled, and installed the vlan package to get the vconfig utility, which enables adding VLAN interfaces.

I have one question: can I get the VLAN id through SNMP commands? If yes, what is necessary to be installed, and what is the command?

Pls mail me the solution

With Rgds,
Anwar

VLANs on Linux
Submitted by Anonymous on Wed, 2004-04-28 01:00.

Having no previous knowledge about VLANs or switch configuration and being suddenly tasked with setting up multiple VLANs on a switch configured from a single Ethernet connection on a Debian system, I found this article invaluable. Thanks.

Re: VLANs on Linux
Submitted by Anonymous on Wed, 2004-04-21 01:00.

If we create a VLAN interface

vconfig add eth1 2

and do not give it an IP address, is it possible to create a script which would manage network traffic for VLAN2? For example, would this command work:

iptables -A FORWARD -i vlan2 -j DROP

Thanks

Outstanding issues with VLANs on Linux
Submitted by Anonymous on Wed, 2004-03-17 02:00.

Linux does not support VLANs over anything but physical Ethernet cards. No aggregate links or the bridge device, either of which would be a huge win for building fault-tolerant routers.

Hardware VLAN tagging/untagging was not supported last time I checked (huge difference on GbE or 10GbE).

iptables hasn't figured out quite how to deal with VLANs (although last I heard there was a module in the works).

Outstanding issues with VLANs on Linux
Submitted by Anonymous (not verified) on Sat, 2005-05-14 20:12.

What about GVRP? Does the Linux VLAN implementation include support for GVRP?

Re: Outstanding issues with VLANs on Linux
Submitted by Anonymous on Tue, 2004-08-31 01:00.

use cisco

Re: VLANs on Linux - Still Cloudy
Submitted by Anonymous on Wed, 2004-03-17 02:00.

Still a little cloudy if this is necessary all the time when using all Linux workstations on a network. For instance, you have two switches linked together to share various VLANs (i.e. VLAN 1 and VLAN 2 have ports on both switches) and you have 2 physical LANs with different network addresses. Physical LAN 1 is part of VLAN 1 and physical LAN 2 is part of VLAN 2. Both physical LANs are connected to a router (Linux box with 2 Ethernet cards) via the switches. With this setup isn't all this transparent to the Linux workstations? If you want to talk to the other VLAN or physical network it would go to the router. In this scenario you would not need to do all the configuration mentioned in the article? The reason I ask is that we need to mix and match fiber and copper. The above scenario would enable us to share the switches between the physical LANs. We would not be required to use two switches for each LAN (one copper, one fiber). Also, it would still maintain separate broadcast domains for the physical LANs. Am I way off base?

Re: VLANs on Linux
Submitted by Anonymous on Sat, 2004-03-13 02:00.

I had a 3c905C card on my RH9 Linux box. I made 2 VLANs and HTTP traffic stopped. Before this everything worked fine. I tried to change cards and so on. I fixed it only when I removed the 3c905 card and installed a DFE-538TX card. It seemed the 3c905 driver has some bugs. I guess it is a bug in assigning or managing the MTU.

Red Hat/Fedora VLAN support
Submitted by Anonymous on Sat, 2004-03-13 02:00.

The article states that Red Hat/Fedora does not support VLAN setup on boot. This is incorrect.

VLAN support has been in Red Hat Linux since version 9 and is included in Fedora.

Documentation on configuring it is available in the file sysconfig.txt, which is included in the initscripts RPM (i.e. less `rpm -ql initscripts|grep sysconfig.txt`).

Re: Red Hat/Fedora VLAN support
Submitted by Anonymous on Sat, 2004-03-13 02:00.

Thank you for noticing this. I had looked for Red Hat support but hadn't found it until you pointed it out.

For those of you using Red Hat or Fedora, I'm including the configuration for the VLAN2 interface in the example. This would be placed in the /etc/sysconfig/network-scripts/ifcfg-eth1.2 file.

# eth1 is the interface and .2 is the VLAN id
DEVICE=eth1.2
IPADDR=10.0.0.33
NETMASK=255.255.255.224
VLAN=yes
ONBOOT=yes
BOOTPROTO=none

The Red Hat scripts always configure VLAN interfaces using the device and the VLAN ID without padding, which differs from the article. The interface created above would be eth1.2 rather than vlan2.

Paul Frieden

Re: Red Hat/Fedora VLAN support
Submitted by Anonymous on Mon, 2004-03-15 02:00.

Actually, on Fedora/RHEL3/RH9, add to /etc/sysconfig/network:

VLAN=yes

Having the eth driver patched to support 1504 MTUs, the normal eths had to have their MTU capped to 1500. To do that, add MTU=1500 to /etc/sysconfig/network-scripts/ifcfg-ethX and MTU=1504 to ifcfg-ethX.X.

My two cents

Re: Red Hat/Fedora VLAN support
Submitted by Anonymous on Thu, 2004-06-10 01:00.

Does this also work in Fedora Core 2?

jason

Article lacks important details
Submitted by Anonymous on Fri, 2004-03-12 02:00.

Namely, details of using iptables with the defined VLAN interfaces. Can you treat them as physical interfaces with iptables? Does each VLAN have an INPUT chain? Etc.

- cameron

Re: Article lacks important details
Submitted by Anonymous on Fri, 2004-03-12 02:00.

VLAN interfaces behave exactly as normal physical interfaces do in iptables. You can specify them for rules as incoming (-i) and outgoing (-o) interfaces.

I haven't had any issues with VLAN interfaces behaving differently than normal interfaces do in any of my deployments. I do know that in the past there were some issues with DHCP, but I have never had any problems with it myself.

Paul Frieden

Several things to note.
Submitted by Anonymous on Fri, 2004-03-12 02:00.

The Linux kernel, at least, can handle VLANs on 10bt interfaces, though it is likely you would have MTU issues on really ancient NICs.

Very cheap unmanaged switches can also pass VLANs, though you will not necessarily get the benefits of broadcast domain restriction. For just playing with the technology, however, it is fine.

Some known good drivers include tg3, e100, e1000. At one time, the rtl8139 also worked out of the box but I haven't tested it lately.

There are patches to various drivers found on this page: http://www.candelatech.com/~greear/vlan/howto.html

Enjoy,
Ben Greear

Re: VLANs on Linux
Submitted by Anonymous on Thu, 2004-03-11 02:00.

Excellent article!

I appreciate the info on how to configure the switch to properly trunk to the Linux box as well as the clear introduction and examples.

I may pull that old 2900 out of the closet and actually play with this.

Re: VLANs on Linux
Submitted by Anonymous on Thu, 2004-03-11 02:00.

I'm terribly sorry but this was a crappy article. Understanding how to configure interfaces is done in two seconds. The MTU issues are a big problem that you wrestle with for much longer. Until recently (or does it still apply?) you had to patch your Ethernet interface drivers manually in the kernel to adjust the maximum MTU size.

Also you have to adjust your ruleset to accommodate the larger packets. Then some drivers are buggy and will crash when you increase the MTU above the standard 1500 (not to speak of crappy Taiwanese D-Link switches that lock up from time to time).

All this is skimmed through with one sentence that there "could be issues". You might say that, yes.

Re: VLANs on LinuxSubmitted by Anonymous on Thu, 2004-03-11 02:00. I disagree with your criticism of the article. He did adequately address tne issue of limited/buggy Linux ethernet drivers (though a link to a more indepth resource, perhaps a Wiki page where various kernel hackers list links to their patches, would be nice).

Noting that some cheap ethernet equipment might also choke when connected to a trunk line would be nice, but is also above and beyind the call of this article.

As for how trivial the interfaces are to set up, configure and use --- that's the core of the article. I teach professional sysadmin courses, and compile kernels for breakfast (well, usually I start them before I go to bed, actually).

I've been seeing the VLAN 802.1q patch available for years and was vaguely familiar with VLANs from working alongside Cisco networks on numerous occasions. However, I'd never used the VLAN features, didn't know about the 'vconfig' command, wouldn't have known that the vlan* interfaces needed to be bound to their physical interfaces with it, and generally would have had to hunt around a bit to find that info.

This article introduced the concept well, and gave me enough info that I could fire up an old Cisco 2900 switch I have laying around and play with the functionality with no fuss. (Well, no fussing on the Linux side; I have no idea what state that 2900 is in and how I would fix it up; it's on permanent loan from a friend).

It's one of the best articles I've seen recently. I like the fact that he covers the basics of using Cisco IOS or is it CatOS for the other side of this effort; stressing how the switch must talk to the Linux box in trunk mode, and giving examples of setting up the other ports as well.


Re: VLANs on Linux

Submitted by Anonymous on Mon, 2004-04-05 01:00. I absolutely agree with the reply to the original post. This was not intended to be an in-depth article on VLANs but an introductory one to help a user new to VLANs quickly set up to use them. I found it helpful in answering some questions I had since this just came up at work, e.g. can I trunk a Linux box to a Cisco 3550 or do I need to buy another switch.

All in all a great starter article for anyone interested in getting started using VLANs. BTW he does throw in some caveats regarding NIC drivers and MTU.

Thanks for the article!


Re: VLANs on Linux

Submitted by Anonymous on Thu, 2004-03-11 02:00. I understand the benefits of VLANs, but I'm not quite sure what the purpose of configuring VLANs at the OS level is. Could you explain the purpose or benefit of configuring VLANs on Linux? Why would you need to do it if you already configured VLANs in your switch?

Thanks.


Re: VLANs on Linux

Submitted by Anonymous on Mon, 2004-03-15 02:00. Need some more detailed information, e.g. router, iptables.


Re: VLANs on Linux

Submitted by Anonymous on Fri, 2004-03-12 02:00. We use it for management. The public addresses of our servers only do serving; there is no management (e.g. ssh) on these addresses. Instead we use a separate LAN for management access. We could put a separate NIC in each server, but it is much easier to just add a VLAN on eth0.

Our management VLAN is tagged throughout the network, so for me to get access to it, my workstation needs to support VLANs too. My eth0 is configured like any other user's, but then I also have an eth0.2 configured, which happens to be our management VLAN.

The switch is configured to allow VLAN 2 only on the switch port where I sit, not on everybody else's. So normal users simply can't have access to VLAN 2. So there is no way they can even connect to an open port 22.

BTW we use Extreme Summit200 switches, and I like their syntax:

create vlan users
config users tag 10
config users ipaddress 192.168.1.1/24
config users add ports 1-24

create vlan management
config management tag 2
config management ipaddress 192.168.0.1/24
config management add ports 18 tagged

Simon


Re: VLANs on Linux

Submitted by Anonymous on Thu, 2004-03-11 02:00. If you want to have a big NFS server directly on two or more subnets (without routing traffic through the FW).


Re: VLANs on Linux

Submitted by Anonymous on Thu, 2004-03-11 02:00. You'd do it when you want your Linux box on the trunk line to be a router from one VLAN to another, and perhaps even to run a Snort or Prelude IDS or other NIDS (network intrusion detection system) on one or more of the VLANs.

I personally prefer separate switches or hubs when I can --- especially for the DMZ and server room segments. However, VLANs become important at a certain scale (as do manageable, SNMP switches).


Re: VLANs on Linux

Submitted by Anonymous on Thu, 2004-03-11 02:00. To route packets between VLANs (applying firewall rules in the process). Using virtual interfaces instead of physical ones is (obviously) a lot cheaper, provided that your switch is intelligent enough.


VLAN is an acronym for Virtual Local Area Network. Several VLANs can co-exist on a single physical switch. On the Linux side they are configured via software (Linux commands and configuration files) rather than through a hardware interface, but you still need to configure the switch.

A hub or switch connects all nodes in a LAN, and those nodes can communicate without a router. For example, all nodes in LAN A can communicate with each other without the need for a router. If a node in LAN A wants to communicate with a node in LAN B, a router is needed. Therefore, each LAN (A, B, C and so on) is separated from the others by a router.

As the name suggests, a VLAN lets a single switch carry multiple LANs at once. But what are the advantages of VLANs?

- Performance
- Ease of management
- Security
- Trunks
- You don't have to reconfigure any hardware device when physically moving a server or computer to another location, etc.

A discussion of VLAN concepts and fundamentals is beyond the scope of this article. I am reading the following textbooks, which I found extremely useful and highly recommend:

- Cisco CCNA ICND books (part I and II)
- Andrew S. Tanenbaum, Computer Networks

Configuration problems

I was lucky enough to get a couple of hints from our internal wiki docs.

Not all network drivers support VLANs; you may need to patch your driver. MTU may be another problem: VLAN tagging works by inserting a tag into each frame, an Ethernet header extension that enlarges the header from 14 to 18 bytes, so a driver or NIC limited to the standard maximum frame size may mishandle full-size tagged frames. The VLAN tag contains the VLAN ID and priority. See the Linux VLAN site for patches and other information.

Do not use VLAN ID 1, as it may be reserved for admin purposes.

OK, now I need to configure a VLAN for RHEL. (Note: due to some other trouble tickets I was not able to configure the VLAN today, but tomorrow afternoon after the lunch break I'll get my hands dirty with Linux VLANs.)

VLAN Configuration

My VLAN ID is 5, so I need to copy the file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.5:

# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.5

So I have one network card (eth0) and it needs to use tagged network traffic for VLAN ID 5.

The above files will configure the Linux system to have:

eth0 - your regular network interface (untagged frames)
eth0.5 - your virtual interface for frames tagged with VLAN ID 5

Do not modify /etc/sysconfig/network-scripts/ifcfg-eth0 file. Now open file /etc/sysconfig/network-scripts/ifcfg-eth0.5 using vi text editor:

# vi /etc/sysconfig/network-scripts/ifcfg-eth0.5

Find the DEVICE=eth0 line and replace it with:

DEVICE=eth0.5

Append the line:

VLAN=yes

Also make sure you assign the correct IP address, using DHCP or a static IP. Save the file. Remove the gateway entry from all other network config files; add the gateway only to the /etc/sysconfig/network file.

Restart the network:

# /etc/init.d/network restart

Please note that if you need to configure VLAN ID 2, copy the file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.2 and repeat the above procedure.
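As an added example (not part of the original how-to), the same file transformation as a small Python function, so the generated ifcfg-eth0.N can be checked before the network is restarted; the sample parent file is constructed, and the scripts directory is a parameter so the writer can be pointed at a scratch copy:

```python
import warnings
from pathlib import Path
from typing import Optional

def vlan_ifcfg(parent_ifcfg: str, vlan_id: int,
               ipaddr: Optional[str] = None, netmask: Optional[str] = None) -> str:
    """Derive ifcfg-<parent>.<vlan_id> from the parent's ifcfg text, mirroring the
    manual steps above: DEVICE gets the .<vlan_id> suffix, VLAN=yes is appended,
    GATEWAY is dropped (it belongs in /etc/sysconfig/network) and an optional
    static address replaces the parent's BOOTPROTO/IPADDR/NETMASK."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    if vlan_id == 1:
        warnings.warn("VLAN ID 1 is commonly the switch's default/admin VLAN")
    out, device = [], None
    for line in parent_ifcfg.splitlines():
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "DEVICE":
            device = value.strip('"')
            out.append(f"DEVICE={device}.{vlan_id}")
        elif key == "GATEWAY":
            continue  # the default route is configured once, in /etc/sysconfig/network
        elif key in ("BOOTPROTO", "IPADDR", "NETMASK") and ipaddr:
            continue  # replaced by the static address appended below
        else:
            out.append(line)
    if device is None:
        raise ValueError("parent ifcfg has no DEVICE= line")
    if ipaddr:
        out += ["BOOTPROTO=none", f"IPADDR={ipaddr}",
                f"NETMASK={netmask or '255.255.255.0'}"]
    out.append("VLAN=yes")
    return "\n".join(out) + "\n"

def write_vlan_ifcfg(parent: str, vlan_id: int,
                     scripts_dir: str = "/etc/sysconfig/network-scripts", **kw) -> Path:
    """Read ifcfg-<parent> and write ifcfg-<parent>.<vlan_id> next to it (root on a real box)."""
    src = Path(scripts_dir) / f"ifcfg-{parent}"
    dst = Path(scripts_dir) / f"ifcfg-{parent}.{vlan_id}"
    dst.write_text(vlan_ifcfg(src.read_text(), vlan_id, **kw))
    return dst

# Constructed sample parent file (not copied from any real system).
SAMPLE_ETH0 = """DEVICE=eth0
BOOTPROTO=static
IPADDR=10.0.0.10
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
ONBOOT=yes
"""
```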

Using the vconfig command

The above method works with Red Hat Enterprise Linux without problems. However, you will notice that there is a command called vconfig. The vconfig program allows you to create and remove vlan-devices on a VLAN-enabled kernel.

Vlan-devices are virtual Ethernet devices that represent the virtual LANs on the physical LAN.

Please note that this is yet another method of configuring a VLAN. If you are happy with the above method, there is no need to follow this one.

Add VLAN ID 5 on eth0 with the following command:

# vconfig add eth0 5

The add command creates a vlan-device on eth0, which results in an eth0.5 interface. You can use the normal ifconfig command to see device information:

# ifconfig eth0.5

Use ifconfig to assign an IP address:

# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up

Get detailed information about the VLAN interface:

# cat /proc/net/vlan/eth0.5

If you wish to delete the VLAN interface, bring it down and use the rem command:

# ifconfig eth0.5 down
# vconfig rem eth0.5


Posted in Linux, Networking

10 Responses to “Howto: Configure Linux Virtual Local Area Network (VLAN)”

1. Ted Says: June 7th, 2006 at 8:02 pm

A VLAN is a logical grouping of two or more servers which are not necessarily on the same physical network segment but which share the same IP network subnet. The advantage to passing traffic across a VLAN versus a LAN is that information on one VLAN can only be seen on that VLAN, and not by every server on the entire LAN. This is especially beneficial when you have many different nodes on a network sharing information with each other.

Most web server hosting companies deploy some sort of VLAN to protect customers.

2. anoop Says: June 27th, 2006 at 6:25 pm

please send me how to configure vlan in linux

3. linuxtitli Says: June 28th, 2006 at 12:02 am

@anooperr .. sorry i just forgot to add Instructions as I am busy on some other work.. I will add them possibly by tomorrow

4. Bill Says: August 14th, 2006 at 2:41 am

A VLAN is a “Virtual Local Area Network” and is present in L2 (Level 2) of the protocol stack. The above postings may be misleading in that the word “server” is used rather than “host”.

A host may be a server, workstation or other device which conforms to 802.1q specification. Therefore, it is possible (with certain limitations) to attach a laptop to a VLAN seen by a server.

802.1q provides for an additional 4 bytes of information added to the L2 frame, 12 bits of which indicate the VLAN ID. Thus one may have 4K VLANs.

When you want to configure a VLAN in Linux, assuming your kernel supports it (2.6+ do) you need to make sure 802.1q support is available. This is most easily done with modprobe. So the command:

/sbin/modprobe 8021q

should do the trick.

Then, for any given NIC interface you only have to do the following:

/sbin/vconfig add eth<N> <VLAN-ID>
/sbin/ifconfig eth<N>.<VLAN-ID> 192.168.0.x netmask 255.255.255.0

Of course I just picked some arbitrary class C address, you would have to use what is appropriate for you.

You may need then to add to the routing table (not knowing what Linux you are running) something like:

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 eth<N>.<VLAN-ID>

ALL THE ABOVE MUST BE AS ROOT.
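The 4-byte tag described in the how-to's "Configuration problems" note (header growing from 14 to 18 bytes) and in Bill's comment above (12-bit VLAN ID) can be seen by parsing a frame. This is an added example, not code from the article or any commenter; the sample frames are constructed, and tag_findings is a hypothetical policy check for what a host on a trunk port should expect to receive:

```python
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple
TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8  # 802.1Q customer tag / 802.1ad (QinQ) service tag

@dataclass
class Frame:
    dst: str
    src: str
    tags: List[Tuple[int, int, int]]  # (pcp, dei, vid) per tag, outermost first; [] if untagged
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling off every 802.1Q/802.1ad tag it carries."""
    if len(raw) < 14:
        raise ValueError("shorter than the 14-byte untagged header")
    dst, src = (":".join(f"{x:02x}" for x in raw[i:i + 6]) for i in (0, 6))
    off, tags = 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated header")
        etype = struct.unpack("!H", raw[off:off + 2])[0]
        if etype not in (TPID_8021Q, TPID_8021AD):
            return Frame(dst, src, tags, etype, raw[off + 2:])
        if len(raw) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", raw[off + 2:off + 4])[0]  # tag control information
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))  # PCP 3 bits, DEI 1, VID 12
        off += 4  # each tag grows the header by 4 bytes: 14 -> 18 -> 22 ...

def header_length(f: Frame) -> int:
    return 14 + 4 * len(f.tags)

def tag_findings(f: Frame, allowed_vids: Set[int]) -> List[str]:
    """Hypothetical defender-side checks on the tags a trunk port delivered to this host."""
    findings = []
    if len(f.tags) > 1:
        findings.append("stacked tags (QinQ) on a port expected to carry single-tagged frames")
    for _pcp, _dei, vid in f.tags:
        if vid in (0, 1, 4095):
            findings.append(f"VID {vid} is reserved or the default/admin VLAN")
        elif vid not in allowed_vids:
            findings.append(f"VID {vid} not in the allowed set")
    return findings

# Constructed sample frames (not captured from any network); trailing bytes are padding.
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)
TAGGED_V5 = bytes.fromhex("001122334455" "aabbccddeeff" "8100" "a005" "0800") + bytes(20)
QINQ = bytes.fromhex("001122334455" "aabbccddeeff" "88a8" "0064" "8100" "0005" "0800") + bytes(20)
```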

5. Samarendra Saha Says: September 13th, 2006 at 12:16 pm

How can I configure IP addressing in SUSE Linux? Please send me the path to adding the IP address and making a workgroup.

6. viswanathsingh Says: September 13th, 2006 at 1:17 pm

could you please send me the instructions for setting up the VLAN

7. nixcraft Says: September 13th, 2006 at 7:05 pm

viswanathsingh,

Instructions/commands are mentioned above. Please read the vconfig and VLAN config section.

8. nixcraft Says: September 13th, 2006 at 7:07 pm

Samarendra,

Run yast or yast2 command to change network configuration under Suse Linux.

yast OR yast2

9. viswanath Says: September 14th, 2006 at 3:54 pm

Any one is having idea how to test VTUN

10. viswanath Says: September 14th, 2006 at 3:55 pm

how to test VLAN (i want to know basic scenario)