1. Overview
In this tutorial, we’ll look at various commands for creating and configuring VLANs on both Debian and RedHat systems. For a VLAN to work, the local network interface it’s built on needs an established network connection.
2. VLAN
We can set up VLANs on multiple interfaces depending on our network requirements. VLANs allow us to separate various network devices into logical groups that can communicate as if they’re on the same network, regardless of their actual physical location on the broadcast LAN.
Once a VLAN is set up, there are two types of packets: tagged and untagged (regular packets). When packets are tagged, the tags are associated with a VLAN identifier.
We should note that not all drivers support VLANs. Also, when using VLANs, the Ethernet header grows from 14 to 18 bytes to carry the VLAN ID and priority.
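The 4 extra bytes are the 802.1Q tag, which sits between the source MAC address and the EtherType. As an added example (not part of the original article), this shell function reads a frame header given as a hex string and reports whether it is tagged, its VLAN ID and priority, and the resulting header length; the function name and the sample frames are constructed for illustration, and only a single tag with TPID 0x8100 is decoded.

```sh
#!/bin/sh
# Added example: classify an Ethernet frame (hex string, no separators) as
# tagged or untagged and decode a single 802.1Q tag.
# Layout: dst MAC (6 bytes) | src MAC (6) | [TPID 0x8100 (2) | TCI (2)] | EtherType (2)

vlan_tag_info() {
    frame=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$frame" in
        *[!0-9a-f]*) echo "error: not a hex string"; return 1 ;;
    esac
    # An untagged header is 14 bytes = 28 hex digits.
    if [ "${#frame}" -lt 28 ]; then
        echo "error: frame shorter than an Ethernet header"
        return 1
    fi
    type_field=$(printf '%s' "$frame" | cut -c25-28)    # bytes 12-13
    if [ "$type_field" != "8100" ]; then
        echo "untagged ethertype=0x$type_field header_len=14"
        return 0
    fi
    # A tagged header is 18 bytes = 36 hex digits.
    if [ "${#frame}" -lt 36 ]; then
        echo "error: truncated 802.1Q tag"
        return 1
    fi
    tci_hex=$(printf '%s' "$frame" | cut -c29-32)       # bytes 14-15
    inner=$(printf '%s' "$frame" | cut -c33-36)         # bytes 16-17
    tci=$((0x$tci_hex))
    pcp=$((tci >> 13))          # top 3 bits: priority
    dei=$(((tci >> 12) & 1))    # next bit: drop eligible indicator
    vid=$((tci & 0xfff))        # low 12 bits: VLAN ID
    echo "tagged vid=$vid pcp=$pcp dei=$dei ethertype=0x$inner header_len=18"
}

# Constructed sample headers, using the MAC address that appears on this page.
UNTAGGED="ffffffffffff0800277c34120800"
TAGGED_VLAN100="ffffffffffff0800277c3412810000640800"

vlan_tag_info "$UNTAGGED"
vlan_tag_info "$TAGGED_VLAN100"
```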
3. VLAN in Debian Systems
Let’s look at how we can set up a VLAN in Debian. We’ll use Ubuntu for this example.
Firstly, let’s install the vlan package using apt:
$ sudo apt-get install vlan
This package contains the 8021q kernel module we need to connect to a VLAN.
Let’s load the 8021q module into the kernel:
$ sudo modprobe 8021q
$ lsmod | grep 8021q
8021q 33080 0
garp 14384 1 8021q
mrp 18542 1 8021q
If modprobe can’t load the module, it reports an error:
modprobe: ERROR: could not insert '8021q': Module already in kernel
Now let’s go through the process of configuring the VLAN. We’ll use the ip command to create a VLAN with ID 100 on enp0s3, our physical interface.
Firstly, let’s create the VLAN interface and assign it an IP address:
$ sudo ip link add link enp0s3 name enp0s3.100 type vlan id 100
$ sudo ip addr add 192.168.0.200/24 dev enp0s3.100
Next, let’s activate the interface:
$ sudo ip link set up enp0s3.100
Let’s confirm if the interface exists:
$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:7c:34:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.109/24 brd 192.168.0.255 scope global dynamic noprefixroute enp0s3
valid_lft 6727sec preferred_lft 6727sec
inet6 fe80::565e:30df:2aac:465/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: enp0s3.100@enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 08:00:27:7c:34:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.230/24 scope global enp0s3.100
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe7c:3412/64 scope link
valid_lft forever preferred_lft forever
From the output, we can see the VLAN interface is available. To make the VLAN interface permanent, we need to add its configuration to the /etc/network/interfaces file. But before that, we make sure the 8021q module is loaded at boot:
$ sudo su -c 'echo "8021q" >> /etc/modules'
Now, let’s add the configurations:
$ sudo vi /etc/network/interfaces
auto enp0s3.100
iface enp0s3.100 inet static
address 192.168.0.200
netmask 255.255.255.0
vlan-raw-device enp0s3
With this configuration in place, the VLAN interface persists across reboots and shutdowns. To turn this interface down, we run:
$ sudo ip link set enp0s3.100 down
If we need to delete this VLAN connection, we use the delete option:
$ sudo ip link delete enp0s3.100
4. VLAN in Red-Hat Systems
We can still use the ip command in RedHat systems to create VLANs. The difference comes when we need to make the connection permanent as we edit different files in RedHat systems.
Let’s create a VLAN 50 for this example:
$ ip link add link eth0 name eth0.50 type vlan id 50
$ ip addr add 192.168.100.1/24 brd 192.168.100.255 dev eth0.50
$ ip link set dev eth0.50 up
$ ip -d addr show
Now that we’ve set up our VLAN interface, we need to edit the .network and .netdev files. Let’s start with the .network file:
$ sudo vi /etc/systemd/network/eth0.network
[Match]
Name=eth0
[Network]
DHCP=ipv4
VLAN=eth0.50
Next, we associate the eth0.network file with the .netdev to handle addressing and routing. Let’s edit the .netdev file:
$ sudo vi /etc/systemd/network/eth0.50.network
[Match]
Name=eth0.50
[Network]
DHCP=no
[Address]
Address=192.168.0.25/24
If the DHCP option is set to yes, the VLAN interface obtains an address automatically. Otherwise, we assign the interface an IP address statically.
Next, let’s enable systemd-networkd.service:
$ sudo systemctl enable systemd-networkd.service
$ sudo systemctl restart systemd-networkd.service
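systemd-networkd creates the VLAN device itself from a .netdev unit with Kind=vlan, which the .network files then refer to by name. As an added example (not from the original article), this script stages that unit together with the two .network files shown above into a review directory; the function name, the staging directory and the .netdev file name are assumptions, while the interface, VLAN ID and address are the values used above.

```sh
#!/bin/sh
# Added example: write the three systemd-networkd units for one VLAN into a
# staging directory so they can be reviewed before being copied to
# /etc/systemd/network. Function name and staging path are assumptions.

stage_vlan_units() {
    dir=$1 parent=$2 vid=$3 addr=$4
    # 802.1Q VLAN IDs 1-4094 are usable; 0 and 4095 are reserved.
    case "$vid" in ''|*[!0-9]*) echo "invalid VLAN ID: $vid" >&2; return 1 ;; esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "VLAN ID out of range: $vid" >&2; return 1
    fi
    vlan="$parent.$vid"
    mkdir -p "$dir" || return 1

    # 1. The .netdev unit defines the virtual device and its VLAN ID.
    cat > "$dir/$vlan.netdev" <<EOF
[NetDev]
Name=$vlan
Kind=vlan

[VLAN]
Id=$vid
EOF
    # 2. The parent's .network unit attaches the VLAN to the physical NIC.
    cat > "$dir/$parent.network" <<EOF
[Match]
Name=$parent

[Network]
DHCP=ipv4
VLAN=$vlan
EOF
    # 3. The VLAN's own .network unit carries its static address.
    cat > "$dir/$vlan.network" <<EOF
[Match]
Name=$vlan

[Network]
DHCP=no

[Address]
Address=$addr
EOF
}

STAGE=${TMPDIR:-/tmp}/vlan-units.$$
stage_vlan_units "$STAGE" eth0 50 192.168.0.25/24 && ls "$STAGE"
```

After reviewing the staged files, copy them to /etc/systemd/network and restart systemd-networkd.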
5. Other Ways to Create VLANs in Linux
Apart from the ip command, we can use either the nmcli command or the vconfig command. It’s important to note that, in some systems, the vconfig command has been deprecated and won’t work.
5.1. Creating VLANs Through nmcli
To start, let’s check the interfaces available:
$ nmcli device
DEVICE TYPE STATE CONNECTION
enp0s3 ethernet connected Wired connection 1
lo loopback unmanaged --
Secondly, let’s create a VLAN interface on our enp0s3 interface:
$ sudo nmcli con add type vlan con-name enp0s3.60 ifname enp0s3.60 dev enp0s3 id 60
Connection 'enp0s3.60' (78c7a918-c69b-4f9d-9801-2dd6cb16f807) successfully added.
We must supply the options con-name, dev, and ifname. The con-name option names the new VLAN connection, dev specifies the physical interface this VLAN is on, and ifname (the VLAN interface name, e.g. enp0s3.60) specifies the interface to bind the connection to.
Let’s check if the interface is created:
$ nmcli device
DEVICE TYPE STATE CONNECTION
enp0s3 ethernet connected Wired connection 1
enp0s3.60 vlan connected enp0s3.60
lo loopback unmanaged --
Let’s assign our interface an IP address and confirm if it’s set:
$ sudo nmcli conn modify enp0s3.60 ipv4.addresses '192.168.0.180/24'
$ ip -d addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:7c:34:12 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 46 maxmtu 16110 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 parentbus pci parentdev 0000:00:03.0
inet 192.168.0.106/24 brd 192.168.0.255 scope global dynamic noprefixroute enp0s3
valid_lft 6337sec preferred_lft 6337sec
inet6 fe80::565e:30df:2aac:465/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: enp0s3.60@enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 08:00:27:7c:34:12 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
vlan protocol 802.1Q id 60 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
inet 192.168.0.180/24 brd 192.168.0.255 scope global noprefixroute enp0s3.60
valid_lft forever preferred_lft forever
inet6 fe80::d2c6:f6e1:d3ff:61d9/64 scope link noprefixroute
valid_lft forever preferred_lft forever
To turn the VLAN interface up/down, we run the command with the up or down options:
$ sudo nmcli connection up enp0s3.60
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
$ sudo nmcli conn
NAME UUID TYPE DEVICE
Wired connection 1 113796ed-ac12-3280-b45d-a2a507466c0d ethernet enp0s3
enp0s3.60 eee041d9-66c4-429a-8750-571c6fb4f4c5 vlan enp0s3.60
$ sudo nmcli connection down enp0s3.60
Connection 'enp0s3.60' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
$ sudo nmcli conn
NAME UUID TYPE DEVICE
Wired connection 1 113796ed-ac12-3280-b45d-a2a507466c0d ethernet enp0s3
enp0s3.60 eee041d9-66c4-429a-8750-571c6fb4f4c5 vlan --
If we run ip addr show, the VLAN interface will be missing from the output. On running sudo nmcli conn, the parent interface device (enp0s3) isn’t listed under the DEVICE column because the VLAN interface is down.
When the VLAN interface is created, its content is stored in the /proc/net/vlan directory. Let’s look at the contents of both the config and the VLAN-interface file (enp0s3.60):
$ sudo cat /proc/net/vlan/config
VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
enp0s3.60 | 60 | enp0s3
$ sudo cat /proc/net/vlan/enp0s3.60
enp0s3.60 VID: 60 REORDER_HDR: 1 dev->priv_flags: 1021
total frames received 0
total bytes received 0
Broadcast/Multicast Rcvd 0
total frames transmitted 44
total bytes transmitted 4794
Device: enp0s3
INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
EGRESS priority mappings:
The config file contains the VLAN name, its VLAN ID, and the parent device name. The VLAN interface file (enp0s3.60) includes the statistics of the VLAN interface.
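Because /proc/net/vlan/config lists every VLAN interface with its ID and parent, it is a convenient source for checking a host against the VLANs it is supposed to have. As an added example (not from the original article), this function compares config-format text with an allowlist; the function name, the allowlist format and the second entry of the sample are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag VLAN interfaces that are not on an allowlist.
# Input is text in the /proc/net/vlan/config format shown above; the
# allowlist is a space-separated list of "parent:vid" pairs (assumed format).
# Exit status is 1 when at least one unexpected VLAN is found.

audit_vlans() {
    allowed=$1
    # Skip the two header lines, then split "name | vid | parent" on "|".
    awk -F'|' -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR <= 2 { next }
        NF == 3 {
            for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            key = $3 ":" $2
            status = (key in ok) ? "expected" : "UNEXPECTED"
            if (!(key in ok)) bad++
            printf "%s vid=%s parent=%s %s\n", $1, $2, $3, status
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: the first entry is the one from this page, the second
# is an extra interface added for the demonstration.
SAMPLE_CONFIG='VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
enp0s3.60      | 60  | enp0s3
enp0s3.99      | 99  | enp0s3'

printf '%s\n' "$SAMPLE_CONFIG" | audit_vlans "enp0s3:60" || echo "audit failed"
# On a live host: audit_vlans "enp0s3:60" < /proc/net/vlan/config
```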
To delete a VLAN interface using the nmcli command, we run these commands in sequence. We first turn the VLAN interface down:
$ sudo nmcli connection down enp0s3.60
Then we delete the interface:
$ sudo nmcli connection delete enp0s3.60
5.2. vconfig Command
Apart from the nmcli command, we can use the vconfig command. Let’s install it:
$ sudo apt-get install vlan
$ sudo modprobe 8021q
Next, we create the specific VLAN we need:
$ sudo vconfig add enp0s3 40
Then, let’s configure the VLANs in the /etc/network/interfaces file to allow them to obtain an IP address automatically:
$ sudo vi /etc/network/interfaces
auto enp0s3.40
iface enp0s3.40 inet dhcp
vlan-raw-device enp0s3
Afterward, let’s bring the VLAN interface up:
$ sudo ifup enp0s3.40
Finally, let’s restart the network service:
$ sudo service networking restart
6. Conclusion
In this article, we learned how we can set up VLAN interfaces in Debian and RedHat-based systems.
We saw how we could temporarily set it up in both systems and also discussed other ways to set up VLAN. It’s essential we ensure the physical interface we’re using supports VLAN configuration and that the connected switch/router is set properly.