An introduction to VLANs and VLAN trunking, how Linux interacts with VLANs and how you might use them in networks.

To begin, we must have a more formal definition of what a LAN is. LAN stands for local area network. Hubs and switches usually are thought of as participating in a single LAN. Normally, if you connect two computers to the same hub or switch, they are on the same LAN. Likewise, if you connect two switches together, they are both on the same LAN. A LAN includes all systems in the broadcast domain; that is, all of the systems on a single LAN receive a broadcast sent by any member of that LAN. By this definition, a LAN is bordered by routers or other devices that operate at OSI Layer 3.

Now that we've defined a LAN, what is a VLAN? VLAN stands for virtual LAN. A single VLAN-capable switch is able to participate in multiple LANs at once. This functionality alone has a variety of uses, but VLANs become far more interesting when combined with trunking. A trunk is a single physical connection that can carry multiple VLANs. Each frame that crosses the trunk has a VLAN identifier attached to it, so it can be identified and kept within the correct VLAN. Trunks can be used between two switches, between a switch and a router or between a switch and a computer that supports trunking. When connecting to a router or computer, each VLAN appears as a separate virtual interface.

When using trunks, it is important to consider that all the VLANs carried over the trunk share the same bandwidth. If the trunk is running over a 100Mbps interface, for example, the combined bandwidth of all the VLANs crossing that trunk is limited to 100Mbps.

Advantages of VLANs

VLANs provide a number of benefits to a network designer. The first advantage is that the number of devices required to implement a given network topology can be reduced. Without VLANs, if your network design requires ten machines divided into five different LANs, you would need five different switches or hubs, and most of the ports would be wasted. With VLANs, this work could be done with one device.

Most routers and standard computers can support only a limited number of physical network interfaces. Although dual- and quad-port Ethernet adapters are available, these are expensive. For example, a quad-port Ethernet card may cost $400. VLAN-capable switches start at around $500, but they support many more interfaces.

Depending on the scenario, VLANs and trunks can provide an effective way of segmenting a network without the expense and complexity of managing many physical interfaces.

Types of Trunks

Several trunk encapsulations are available. Trunks can be carried across a variety of interface types, but this article deals only with Ethernet. The two main protocols for carrying VLANs over Ethernet are ISL and 802.1q. ISL was created by Cisco prior to the standardization of 802.1q and is proprietary. 802.1q, on the other hand, is an open standard and is widely supported. Hereafter, references to trunking mean 802.1q-over-Ethernet. As a side note, many switches offer 802.1q trunking only on 100Mbps or faster ports, so do not plan on trunking over a 10Mbps port without checking your hardware's documentation.

How VLANs Work

Trunks using the 802.1q protocol work by inserting a 4-byte tag into each frame, between the source MAC address and the EtherType field. The tag carries a 12-bit VLAN identifier (along with a 3-bit priority field), which is used on both ends to identify to which VLAN each individual frame belongs. When a switch receives a tagged unicast frame, it looks up the outgoing port using both the destination MAC address and the VLAN identifier. When a broadcast frame is received, it is flooded out to all active ports participating in that VLAN. When a VLAN-aware router or computer receives a tagged frame, it examines the tag to determine to which virtual interface the frame belongs. This virtual interface can have an IP address and behaves basically the same as a normal physical interface.

Some switches have the concept of a native VLAN on a trunk connection. Frames sent out from the trunk port on this VLAN are untagged. Likewise, untagged frames received on this port are associated with this VLAN. Native VLANs on both ends of a trunk must match. If the two ends disagree, untagged frames leaving one switch on its native VLAN are classified into the other switch's native VLAN on arrival, so traffic from the two VLANs is silently merged.

Security Considerations for VLANs and Trunks

For all the benefits of VLANs and trunking, some risks must be weighed. As opposed to physical separation between network segments, VLANs rely on the switch to do the right thing. It is possible that a misconfiguration or a bug could cause the VLAN barriers to be broken. Two risks are associated with VLANs. In the first, a packet leaks from one VLAN to another, possibly revealing sensitive information. In the second, a specially crafted packet is injected into another VLAN. Any attack that could cause the VLAN barriers to break requires a machine directly attached to the physical network, which includes any compromised host that happens to be plugged into one of the switch's ports. This means that only a local machine can execute an attack against the switch. When the switch is configured properly, the chances of these problems happening are slim, but the possibility still exists. It is up to you to examine your needs and your security policy to determine if VLANs are right for you.
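To make the tagging, lookup and native-VLAN behaviour described above concrete, here is an added example (not code from the article) that models a VLAN-aware switch in Python: it inserts and parses 802.1Q tags, forwards by (VLAN, destination MAC), floods within a VLAN, leaves native-VLAN frames untagged on a trunk, and then reproduces the native-VLAN mismatch from the previous paragraphs, where a broadcast from VLAN 1 on one switch is delivered to the VLAN 2 hosts on the other. Port names, MAC addresses and the ARP-like payload are constructed for the example.

```python
"""Model of a VLAN-aware switch: 802.1Q tag insertion/parsing, (VLAN, MAC)
forwarding, per-VLAN flooding, native-VLAN handling on trunks, and a
demonstration of what a native-VLAN mismatch does.
Added example for this article; not code from the original page."""
import struct

TPID = 0x8100           # EtherType value announcing an 802.1Q tag
BROADCAST = b"\xff" * 6


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag after the two 6-byte addresses.
    Tag = TPID (2 bytes) + TCI (2 bytes: 3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def parse_frame(frame: bytes):
    """Return (dst, src, vid_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag if present; otherwise return the frame unchanged."""
    return frame[:12] + frame[16:] if parse_frame(frame)[2] is not None else frame


class Switch:
    """Ports are ('access', vid) or ('trunk', native_vid)."""

    def __init__(self, name: str):
        self.name = name
        self.ports = {}       # port -> (mode, vid)
        self.mac_table = {}   # (vid, mac) -> port learned from

    def add_access(self, port, vid):
        self.ports[port] = ("access", vid)

    def add_trunk(self, port, native):
        self.ports[port] = ("trunk", native)

    def classify(self, port, frame):
        """Which VLAN does an ingress frame belong to?"""
        mode, vid_cfg = self.ports[port]
        tag_vid = parse_frame(frame)[2]
        if mode == "access":
            return vid_cfg                        # access ports ignore any tag here
        return tag_vid if tag_vid is not None else vid_cfg   # untagged -> native

    def egress(self, port, vid, frame):
        """Tag on trunks unless the VLAN is the trunk's native; never tag on access."""
        mode, vid_cfg = self.ports[port]
        bare = strip_tag(frame)
        if mode == "trunk" and vid != vid_cfg:
            return tag_frame(bare, vid)
        return bare

    def receive(self, in_port, frame):
        """Learn the source MAC in its VLAN, then forward by (VLAN, dst) or
        flood to every other port that carries that VLAN.
        Returns a list of (out_port, frame_on_the_wire)."""
        vid = self.classify(in_port, frame)
        dst, src = parse_frame(frame)[:2]
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST and known is not None:
            targets = [known] if known != in_port else []
        else:
            targets = [p for p, (mode, v) in self.ports.items()
                       if p != in_port and (mode == "trunk" or v == vid)]
        return [(p, self.egress(p, vid, frame)) for p in targets]


def native_mismatch_demo():
    """Switch A trunks with native VLAN 1, switch B with native VLAN 2.
    A host in VLAN 1 on A broadcasts; return the ports on B that receive it."""
    a, b = Switch("A"), Switch("B")
    a.add_access("Fa0/2", 1)
    a.add_trunk("Fa0/1", native=1)
    b.add_access("Fa0/2", 1)       # B's VLAN 1 host: should receive, does not
    b.add_access("Fa0/3", 2)       # B's VLAN 2 host: should not receive, does
    b.add_trunk("Fa0/1", native=2)
    host = bytes.fromhex("0200000000aa")                        # constructed MAC
    frame = BROADCAST + host + struct.pack("!H", 0x0806) + b"who-has?"  # constructed payload
    on_trunk = [f for p, f in a.receive("Fa0/2", frame) if p == "Fa0/1"][0]
    return sorted(p for p, _ in b.receive("Fa0/1", on_trunk))
```

native_mismatch_demo() returns ['Fa0/3']: the frame left switch A untagged because VLAN 1 is A's native VLAN, and switch B classified the untagged frame into its own native VLAN 2. That is the leak the text warns about, and it needs no attacker, only two trunk ends that disagree.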

It is beyond the scope of this article to describe exactly how to configure your switch securely, but most vendors provide documentation outlining best practices. Briefly, you should configure at least the following:

• Disable trunking and trunk negotiation on all ports except those absolutely necessary.
• Isolate the management VLAN from workstations and servers.
• Enable MAC flood protection on all ports.

Linux and VLANs

Linux has long been able to connect to VLAN trunks with a kernel patch, and the functionality was integrated into the mainstream kernel in 2.4.14. Kernel 2.6 also supports VLAN trunking. In order to use 802.1q trunking, simply set the CONFIG_VLAN_8021Q option when configuring your kernel. Depending on what Ethernet card you have, you may need to patch the driver to make VLANs work correctly. Several drivers work correctly out of the box (or tar.gz, as the case may be), including the e100 driver for Intel-based cards. Patches are available on the Linux VLAN Web site for a variety of cards (see Resources).

MTU Issues

As mentioned earlier, 802.1q works by inserting a 4-byte tag into each frame. However, some Ethernet drivers assume the largest frame they will ever handle carries 1,500 bytes of payload, so a tagged frame carrying a full 1,500-byte IP packet is 4 bytes larger than they allow. Thus, although small packets are sent and received correctly, large packets fail. The solution is either to drop the MTU of the VLAN device (to 1,496, so the tagged frame fits within the driver's limit) or to correct the assumptions of the driver.

Linux Configuration

Configuring VLANs under Linux is a process similar to configuring regular Ethernet interfaces. The main difference is you first must attach each VLAN to a physical device. This is accomplished with the vconfig utility. For example, these commands define VLANs 2-4 on device eth0:

vconfig add eth0 2
vconfig add eth0 3
vconfig add eth0 4

The vconfig program can set a variety of other options, including device-naming conventions. Hereafter, these are assumed to be at their defaults. (On current kernels the same interfaces are created with iproute2, for example ip link add link eth0 name eth0.2 type vlan id 2; vconfig is the tool of the 2.4 era.) Once the virtual interfaces are defined, they can be used in the same way as other interfaces. The standard utilities, such as ifconfig and route, all accept VLAN interfaces and behave as expected. If the trunk device itself is configured, it is treated as native. This process is discussed in greater detail later in the article.

Depending on your distribution, support may be available for automatically configuring VLANs on startup. Debian 3.0 or greater supports this; Red Hat and Fedora do too, by way of VLAN=yes in the ifcfg-ethX.N files that their initscripts read. For other distributions, you simply need to write a script that executes vconfig prior to the main network startup scripts. Once defined, all VLAN interfaces can be listed with ifconfig -a.

Switch Configuration

Because the configuration interfaces for different brands of switches all are different, the focus of this section is the common Cisco 2924. All switch configurations are from this model but should work with little change on other IOS-based switches. This article focuses on the Linux side of the configuration, so only a basic explanation of the switch commands is given. See Resources for URLs to complete documentation of these commands.

Listing 1 is a configuration fragment that could be entered into a Cisco Catalyst 2924 switch. The samples assume the ports all have a default configuration. Specifically, this means all ports are configured as access ports in VLAN 1.

Listing 1. Configuring a Cisco Catalyst 2924 Switch

interface FastEthernet 0/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
interface FastEthernet 0/2
switchport access vlan 2

The commands here are fairly self-explanatory if you are familiar with the VLAN terminology presented earlier. Briefly, the first section converts the first port into a trunk running 802.1q encapsulation with native VLAN 1. The second section simply moves port 2 into VLAN 2.

It is important to see how VLANs are configured and operating on the switch. A variety of configuration commands are related to trunking, but only the most basic are covered here. The first task is to see the status of a particular port. This can be done with the show interfaces <interface> switchport command.

Listing 2. show interfaces <interface> switchport

#show interfaces FastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (VLAN0001)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-5
Pruning VLANs Enabled: 6-1001

Two lines in this output are worth checking against the security list above: Negotiation of Trunking should read Disabled, so that a port's trunk status is whatever you configured rather than something negotiated with whatever is plugged in, and Trunking Native Mode VLAN should match the far end of the trunk. Probably the most useful command is the show vlan command. It shows you a table indicating which ports are in which VLANs.
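As an added example (not from the article or from Cisco), the following Python parses show interfaces switchport output in the format of Listing 2 and audits it against the checklist in the security section: trunk negotiation must be disabled everywhere, only the expected ports may trunk (and their native VLAN must match the far end), and no access port may sit in the management VLAN. The sample output for Fa0/2 and Fa0/3 is constructed to show what gets flagged; EXPECTED_TRUNKS and MANAGEMENT_VLAN are assumptions matching the example network later in the article.

```python
"""Audit 'show interfaces <port> switchport' output against the security checklist.
Added example for this article; the sample output below is constructed in the
format of Listing 2 and is not a capture from a real switch."""

EXPECTED_TRUNKS = {"Fa0/1": 1}   # assumption: port -> native VLAN the firewall trunk must use
MANAGEMENT_VLAN = 1              # assumption: the management VLAN in the example network

SAMPLE_OUTPUT = """\
Name: Fa0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (VLAN0001)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1-5
Pruning VLANs Enabled: 6-1001

Name: Fa0/2
Switchport: Enabled
Administrative mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (VLAN0001)

Name: Fa0/3
Switchport: Enabled
Administrative mode: dynamic desirable
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (VLAN0001)
Trunking Native Mode VLAN: 1 (VLAN0001)
"""


def parse_switchport(text):
    """Split the output into one dict per port, keyed by the field names as printed.
    A new port starts at every 'Name:' line; lines without a colon are skipped."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"Name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def _vlan_number(value):
    """'1 (VLAN0001)' -> 1, '0 ((Inactive))' -> 0."""
    return int(value.split()[0])


def audit(ports, expected_trunks=EXPECTED_TRUNKS, mgmt_vlan=MANAGEMENT_VLAN):
    """Return one finding string per checklist violation, in port order."""
    findings = []
    for p in ports:
        name = p["Name"]
        admin = p.get("Administrative mode", "").lower()
        nego = p.get("Negotiation of Trunking", "").lower()
        if name in expected_trunks:
            native = _vlan_number(p.get("Trunking Native Mode VLAN", "0"))
            if native != expected_trunks[name]:
                findings.append(f"{name}: native VLAN {native}, expected {expected_trunks[name]}")
            if p.get("Trunking VLANs Enabled", "").upper() == "ALL":
                findings.append(f"{name}: trunk allows ALL VLANs; restrict to those in use")
        else:
            if admin not in ("static access", "access"):
                findings.append(f"{name}: administrative mode '{admin}' on a port that should be access")
            if _vlan_number(p.get("Access Mode VLAN", "0")) == mgmt_vlan:
                findings.append(f"{name}: access port sits in management VLAN {mgmt_vlan}")
        if nego not in ("disabled", "off"):
            findings.append(f"{name}: trunk negotiation is '{nego}', should be disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_switchport(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the sample, Fa0/2 is clean, Fa0/1 is flagged only for carrying every VLAN, and Fa0/3 collects three findings: it will negotiate a trunk with whatever is plugged in, its negotiation is on, and a workstation port is in the management VLAN. Feed it the real output of show interfaces switchport for every port after any change, and pass the native VLAN the firewall end actually uses.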

Example

The best way to see how VLANs work is by example. Imagine you work for Widgets, Inc. You recently read an interesting article about how to use VLANs with Linux, which gives you an idea. Widgets, Inc., currently has a flat network, one in which all the machines are on the same LAN. There are about 20 people from several departments working at your location. Ten people work in engineering, two people are in accounting, five people in sales and three people in marketing. All of these machines are connected to a Cisco 2924 switch and reside in the 10.0.0.0/24 private network. You already have a Linux firewall running Debian 3.0 facing the Internet. You already are using DHCP to assign IP addresses, so client reconfiguration is not an issue.

Figure 1. Widgets, Inc.'s Private Network

To improve security, you have convinced management to let you segment the network. After some consideration, you have decided to separate the inside network into four segments: Sales & Marketing, Accounting and Engineering, plus a DMZ for your assorted servers. The first snag is you have been given only a minimal budget for the project. Your existing firewall cannot accommodate three more physical interfaces.

Figure 2. The Segmented Network

With VLANs, the new topology can be implemented with the existing interfaces. In fact, the physical layout of your network doesn't change at all. Using VLANs adds a management network to the mix, bringing the total to five. The management VLAN has no workstations associated with it and is used only for the switch's configuration interface.

Figure 3. The Segmented Network with VLANs

You also have decided to subnet your existing IP addresses for the new segments. Using a subnet mask of 255.255.255.224 gives you plenty of IPs for each segment and leaves you several spare subnets to use later.

Table 1. Assigning IP Addresses

Description         VLAN   IP Subnet
Management          1      10.0.0.0/27
DMZ                 2      10.0.0.32/27
Accounting          3      10.0.0.64/27
Engineering         4      10.0.0.96/27
Sales & Marketing   5      10.0.0.128/27

Preparation

Because the network changes here can cause a loss of connectivity, it is important to have everything planned out well in advance. Obviously, these kinds of changes should be done after business hours. It also is recommended that you have a serial console connection available before you begin. Preparation is the most important part of a network project. You should have planned out your firewall policy, server configuration, DNS update and so on. Think about all the functions required for the daily operation of your network, and consider how the changes described here might affect them. For example, reducing the DHCP lease time several days in advance allows the workstations to retrieve their new leases more quickly.

Ensure that your firewall meets the prerequisites above. Compile and install your kernel as you normally would, and enable 802.1q support (CONFIG_VLAN_8021Q). On Debian, the vlan package contains the required utilities. Most other distributions also offer a package containing these utilities. If your distribution does not support defining VLAN interfaces, you need to have a script define them before network startup.

Firewall Configuration

The first step towards the new network configuration is to establish the trunk between the firewall and the switch. The Debian interfaces file, located in /etc/network/interfaces, provides support for creating VLAN interfaces. Listing 4 shows a Debian interfaces file. Each interface is defined as normal, with the addition of a vlan_raw_device line naming the physical interface the VLAN rides on. In this case, eth0 is the outside interface, using DHCP to retrieve its IP, and eth1 is the trunk to the switch. The IP configuration for each inside segment is associated with a virtual interface. Configuring eth1 itself puts that address on the trunk's native VLAN, normally VLAN 1, which here is the management VLAN.

Listing 4. A Debian Interfaces File

auto lo
iface lo inet loopback

auto eth0 eth1 vlan2 vlan3 vlan4 vlan5

iface eth0 inet dhcp

# VLAN 1 - native management VLAN
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.224

# VLAN 2 - DMZ
iface vlan2 inet static
    address 10.0.0.33
    netmask 255.255.255.224
    vlan_raw_device eth1

# VLAN 3 - Accounting
iface vlan3 inet static
    address 10.0.0.65
    netmask 255.255.255.224
    vlan_raw_device eth1

# VLAN 4 - Engineering
iface vlan4 inet static
    address 10.0.0.97
    netmask 255.255.255.224
    vlan_raw_device eth1

# VLAN 5 - Sales & Marketing
iface vlan5 inet static
    address 10.0.0.129
    netmask 255.255.255.224
    vlan_raw_device eth1

If you were using a distribution other than Debian, you could put lines similar to the ones in Listing 5 in a startup script that runs before network configuration.

Listing 5. Startup Script for Non-Debian Distributions

vconfig add eth1 2
vconfig add eth1 3
vconfig add eth1 4
vconfig add eth1 5

Once the new interfaces are defined, you can bring them up using ifup <device name>. You also need to ifdown and ifup eth1 to set the correct IP and netmask.
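Added example, not part of the article: a small Python cross-check that parses an /etc/network/interfaces file in the format of Listing 4 and compares each VLAN stanza with the plan in Table 1, so that a host address in the wrong /27, a wrong or missing vlan_raw_device, or a missing stanza is caught before you ifup anything on the firewall. The embedded sample is Listing 4 with one deliberate mistake (vlan3 given a DMZ address); PLAN and TRUNK_DEVICE are taken from the article's example network.

```python
"""Cross-check a Debian /etc/network/interfaces file against the VLAN plan.
Added example for this article; the sample below is Listing 4 with one
deliberate error and is not the file from the original page."""
import ipaddress

# The plan from Table 1: VLAN id -> (name, subnet). VLAN 1 rides untagged on eth1.
PLAN = {
    1: ("Management", "10.0.0.0/27"),
    2: ("DMZ", "10.0.0.32/27"),
    3: ("Accounting", "10.0.0.64/27"),
    4: ("Engineering", "10.0.0.96/27"),
    5: ("Sales & Marketing", "10.0.0.128/27"),
}
TRUNK_DEVICE = "eth1"

SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0 eth1 vlan2 vlan3 vlan4 vlan5

iface eth0 inet dhcp

# VLAN 1 - native management VLAN, untagged on the trunk device itself
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.224

# VLAN 2 - DMZ
iface vlan2 inet static
    address 10.0.0.33
    netmask 255.255.255.224
    vlan_raw_device eth1

# VLAN 3 - Accounting (deliberate mistake: this address belongs to the DMZ /27)
iface vlan3 inet static
    address 10.0.0.33
    netmask 255.255.255.224
    vlan_raw_device eth1

# VLAN 4 - Engineering
iface vlan4 inet static
    address 10.0.0.97
    netmask 255.255.255.224
    vlan_raw_device eth1

# VLAN 5 - Sales & Marketing
iface vlan5 inet static
    address 10.0.0.129
    netmask 255.255.255.224
    vlan_raw_device eth1
"""


def parse_interfaces(text):
    """Return {iface_name: {option: value}} for every 'iface' stanza.
    '_family' and '_method' hold the 'inet static' / 'inet dhcp' words."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "iface":
            current = {"_family": words[2], "_method": words[3]}
            stanzas[words[1]] = current
        elif words[0] in ("auto", "allow-hotplug", "mapping"):
            current = None                        # these lines end a stanza
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas


def check_plan(stanzas, plan=PLAN, trunk=TRUNK_DEVICE):
    """Report every way the file disagrees with the plan."""
    findings = []
    for vid, (name, subnet) in plan.items():
        iface = trunk if vid == 1 else f"vlan{vid}"   # VLAN 1 is the native VLAN
        st = stanzas.get(iface)
        if st is None:
            findings.append(f"VLAN {vid} ({name}): no stanza for {iface}")
            continue
        if vid != 1 and st.get("vlan_raw_device") != trunk:
            findings.append(f"{iface}: vlan_raw_device should be {trunk}, got {st.get('vlan_raw_device')}")
        if st["_method"] != "static" or "address" not in st or "netmask" not in st:
            findings.append(f"{iface}: needs a static address and netmask")
            continue
        net = ipaddress.ip_network(subnet)
        addr = ipaddress.ip_address(st["address"])
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            findings.append(f"{iface}: address {addr} is not a usable host in {net}")
        if ipaddress.ip_network(f"{net.network_address}/{st['netmask']}").prefixlen != net.prefixlen:
            findings.append(f"{iface}: netmask {st['netmask']} does not match {net}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(parse_interfaces(SAMPLE_INTERFACES)):
        print(finding)
```

On the sample this reports exactly one problem, the vlan3 address that lives in the DMZ subnet; fix the address and it reports nothing. The same check can be pointed at the real file before the after-hours change, which is cheaper than discovering the mistake over a serial console.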

Switch Configuration

Before you begin configuration, make sure the IP address of the switch falls within the new management subnet.

Listing 6. IP Address for VLAN1

interface VLAN1
ip address 10.0.0.2 255.255.255.224

The firewall is connected to port 1 on the switch, which is referred to as FastEthernet 0/1 in IOS notation. The first task is to set the encapsulation and native VLAN, then you can enable the trunk.

Listing 7. Enabling the Trunk

interface FastEthernet 0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport mode trunk

Once the trunk is active, you need to move ports from the default VLAN into their new one. This is done by entering the interface configuration and issuing switchport access vlan <vlan id>. Although not necessary, it is helpful to physically group VLANs to make them easier to manage.

Listing 8. Moving the Ports

interface FastEthernet0/2
switchport access vlan 2
interface FastEthernet0/3
switchport access vlan 2
interface FastEthernet0/4
switchport access vlan 3
interface FastEthernet0/5
switchport access vlan 3

Once your changes are complete, you can see which ports are in which VLAN by using the show vlan command.

Finishing Up

The first order of business is to test whether you can move packets of all sizes successfully without MTU issues. This can be tested by pinging from the firewall to a machine on a non-native VLAN. Ping payloads of about 1,472 bytes and above (1,472 bytes plus 8 bytes of ICMP header plus 20 bytes of IP header fills the 1,500-byte MTU) should trigger any MTU issue you have, because the tagged frame then needs the full 1,504 bytes. If small packets work but large packets do not, you most likely have an MTU issue.

Because you are using DHCP, you now need to update your dhcpd.conf file to reflect the new subnets. Once it is restarted, client machines start to receive their new IP addresses.

Now that everything is working, we need to make sure the switch's new configuration is written to memory. This is done from enable mode using the write memory command.

Conclusion

As you can see, VLAN trunking can be a valuable tool. I hope you have learned where it can be useful, the risks and benefits of using it and the basics of its configuration. Even though this document focuses on a Cisco 2924 switch, it shouldn't be difficult to translate the configuration here to any switch that supports 802.1q trunks. Without a policy, a firewall is useless. Unfortunately, defining that policy is beyond the scope of this article. However, a variety of effective tools are freely available for this purpose.

I would like to give special thanks to Cheryl Lehman for helping to make my first article readable and to Randall Shutt for reviewing the content.

Resources

802.1Q VLAN implementation for Linux
Using the Command-line Interface for Catalyst 2900XL Switches
Cisco Catalyst 2900XL IOS Command References

Comments

great article
Submitted by Anonymous (not verified) on Sat, 2006-10-21 12:31.
Thanks for this :)

figures in this article
Submitted by Anonymous (not verified) on Thu, 2006-02-02 09:15.
I cannot view the figures in this article; it would be useful to view them. Has anyone got them?

This article exactly hit the
Submitted by Anonymous (not verified) on Tue, 2005-06-28 19:19.
This article exactly hit the nail on the head! I was able to create a "layer 3 switch" with an unused PC running Linux and an old 3Com SuperStack 3300 switch for our test lab. Surprisingly fast; it's clearly faster than what I suspected (although certainly not as fast as a real L3 switch). Thanks a million! It really got me going!

vlan switch connect to linux gateway
Submitted by Anonymous (not verified) on Thu, 2005-03-24 07:37.
Hi, dear, I did configure the switch to use VLANs and I did connect that switch to a Linux gateway machine. I have one question: must I configure VLANs under the Linux machine also, OR just on the switch? Please reply, I need help. Greetings

Re: VLANs on Linux and Trunk
Submitted by BK (not verified) on Fri, 2005-01-07 04:17.
Since a switch can have trunk ports that see traffic from all VLANs, is it possible to configure the interface in Linux to see traffic from all VLANs, kinda like a trunk interface? Thanks

Re: VLANs on Linux and Trunk
Submitted by drp666c (not verified) on Tue, 2004-06-15 01:00.
Yes, it is possible. You will need to enable the 802.1Q option in the kernel, recompile, and install the vlan package to get the vconfig utility, which enables you to add VLAN interfaces.

Re: VLANs on Linux
Submitted by Anonymous on Wed, 2004-06-30 01:00.
How to organize a domain server by help of a Linux VLAN router? For instance I have VLANs 2, 3, 4, 5 and I want the traffic from them to be routed in VLAN 10 (server's VLAN), but 2, 3, 4, 5 must not touch each other. Help!

basic switch vlan aware
Submitted by Anonymous on Thu, 2004-07-29 01:00.
This is an item I just ordered for a client: http://store.elementsource.com/elementsources/bgfoncol16po.html
* 16 x 10/100Mbps Auto-negotiation, Auto-MDI/MDIX TP ports
* Supports QoS function based on IEEE 802.1p/802.1q port priority, VLAN tag priority and TCP/IP header's TOS/DS
* Supports VLAN, up to 16 group VLANs
* Provides console port and software for easy configuration
* Full/Half duplex transfer mode for each port
* Store-and-Forward switching method
* Extensive front-panel diagnostic LEDs
* IEEE 802.3x flow control for full-duplex
* Back pressure flow control for half-duplex
I ordered it for general networking purposes but I will (in the future) try some VLAN stuff since I want to separate wireless access to different subnets.

VLANs on linux
Submitted by anwar (not verified) on Mon, 2005-09-19 02:22.
I have one question. If we create a VLAN interface with vconfig add eth1 2 and do not give it an IP address, can I get the VLAN id through SNMP commands? If yes, what is the command? Please mail me the solution. With Rgds, Anwar

Outstanding issues with VLANs on Linux
Submitted by Anonymous (not verified) on Sat, 2005-05-14 20:12.
Having no previous knowledge about VLANs or switch configuration, and being suddenly tasked with setting up multiple VLANs on a switch configured from a single Ethernet connection on a Debian system, I found this article invaluable. Thanks.

VLANs on Linux
Submitted by Anonymous on Wed, 2004-04-21 01:00.
I enabled the 802.1Q option in the kernel, recompiled, and installed the vlan package to get the vconfig utility which enables you to add VLAN interfaces. Is it possible to create a script which would manage network traffic for VLAN2? For example, would this command work:
iptables -A FORWARD -i vlan2 -j DROP
Thanks

Re: VLANs on Linux
Submitted by Anonymous on Wed, 2004-04-28 01:00.
Yes.

Outstanding issues with VLANs on Linux
Submitted by Anonymous on Wed, 2004-03-17 02:00.
Linux does not support VLANs over anything but physical Ethernet cards. No aggregate links or the bridge device, either of which would be a huge win for building fault tolerant routers. Hardware VLAN tagging / untagging was not supported last time I checked (huge difference on GbE or 10GbE). iptables hasn't figured out quite how to deal with VLANs (although last I heard there was a module in the works).

Re: Outstanding issues with VLANs on Linux
Submitted by Anonymous on Wed, 2004-03-17 02:00.
What about GVRP? Does the Linux VLAN implementation include support for GVRP?

Re: VLANs on Linux
Submitted by Anonymous on Tue, 2004-08-31 01:00.
I had a 3c905C card on my RH9 Linux box. I made 2 VLANs and HTTP traffic stopped. Before this everything worked fine. I tried to change cards and so on. I fixed it only when I removed the 3c905 card and installed a DFE-538TX card. It seemed the 3c905 driver has some bugs. I guess it is a bug of assigning or managing the MTU.

Re: VLANs on Linux - Still Cloudy
Submitted by Anonymous on Wed, 2004-03-17 02:00.
Still a little cloudy if this is necessary all the time when using all Linux workstations on a network. For instance, you have two switches linked together to share various VLANs (i.e. VLAN 1 and VLAN 2 have ports on both switches) and you have 2 physical LANs with different network addresses. Physical LAN 1 is part of VLAN 1 and physical LAN 2 is part of VLAN 2. Both physical LANs are connected to a router (Linux box with 2 Ethernet cards) via the switches. With this setup isn't all this transparent to the Linux workstations? If you want to talk to the other VLAN or physical network it would go to the router. In this scenario you would not need to do all the configuration mentioned in the article? The reason I ask is that we need to mix and match fiber and copper. The above scenario would enable us to share the switches between the physical LANs. We would not be required to use two switches for each LAN (one copper, one fiber). Also, it would still maintain separate broadcast domains for the physical LANs. Am I way off base?

Re: VLANs on Linux
Submitted by Anonymous on Sat, 2004-03-13 02:00.
use cisco

Red Hat/Fedora VLAN support
Submitted by Anonymous on Sat, 2004-03-13 02:00.
The article states that Red Hat/Fedora does not support VLAN setup on boot. This is incorrect. VLAN support has been in Red Hat Linux since version 9 and is included in Fedora. For those of you using Red Hat or Fedora, I'm including the configuration for the VLAN2 interface in the example. This would be placed in the /etc/sysconfig/network-scripts/ifcfg-eth1.2 file.

DEVICE=eth1.2 # eth1 is the interface and .2 is the VLAN id
IPADDR=10.0.0.33
NETMASK=255.255.255.224
VLAN=yes
ONBOOT=yes
BOOTPROTO=none

Documentation on configuring is available in the file sysconfig.txt which is included in the initscripts RPM (i.e. less `rpm -ql initscripts|grep sysconfig.txt`).

Re: Red Hat/Fedora VLAN support
Submitted by Anonymous on Sat, 2004-03-13 02:00.
Thank you for noticing this. I had looked for Red Hat support but hadn't found it until you pointed it out.

Re: Red Hat/Fedora VLAN support
Submitted by Anonymous on Fri, 2004-03-12 02:00.
The Red Hat scripts always configure VLAN interfaces using the device and the VLAN ID without padding, which differs from the article. The interface created above would be eth1.2 rather than vlan2.
Paul Frieden

Re: Red Hat/Fedora VLAN support
Submitted by Anonymous on Mon, 2004-03-15 02:00.
On Fedora/RHEL3/RH9, to do that, add to /etc/sysconfig/network
VLAN=yes
Having the Ethernet driver patched to support 1504-byte MTUs, the normal eths had to have their MTU capped to 1500: add to /etc/sysconfig/network-scripts/ifcfg-ethX
MTU=1500
and to ifcfg-ethX.X
MTU=1504
My two cents.

Re: Red Hat/Fedora VLAN support
Submitted by Anonymous on Thu, 2004-06-10 01:00.
Does this also work in Fedora Core 2?
jason

Article lacks important details
Submitted by Anonymous on Fri, 2004-03-12 02:00.
Namely, details of using iptables with the defined VLAN interfaces. Can you treat them as physical interfaces with iptables? Does each VLAN have an INPUT chain? Etc.
.cameron

Re: Article lacks important details
Submitted by Anonymous on Fri, 2004-03-12 02:00.
VLAN interfaces behave exactly as normal physical interfaces do in iptables. You can specify them for rules as incoming (-i) and outgoing (-o) interfaces. I haven't had any issues with VLAN interfaces behaving differently than normal interfaces do in any of my deployments.
Paul Frieden

Several things to note.
Submitted by Anonymous on Fri, 2004-03-12 02:00.
The Linux kernel, at least, can handle VLANs on 10bt interfaces, though it is likely you would have MTU issues on really ancient NICs. I do know that in the past there were some issues with DHCP, but I have never had any problems with it myself.

Re: VLANs on Linux
Submitted by Anonymous on Thu, 2004-03-11 02:00.
I'm terribly sorry, but this was a crappy article. Understanding how to configure interfaces is done in two seconds. The MTU issues are a big problem that you wrestle with for much longer. Until recently (or does it still apply?) you had to patch your Ethernet interface drivers manually in the kernel to adjust the maximum MTU size. Then some drivers are buggy and will crash when you increase the MTU above the standard 1500 (not to speak of crappy Taiwanese D-Link switches that lock up from time to time). Also you have to adjust your ruleset to accompany the larger packets. All this is skimmed through with one sentence that there "could be issues". For just playing with the technology, it is fine.

Re: VLANs on Linux
Submitted by Anonymous on Thu, 2004-03-11 02:00.
I disagree with your criticism of the article. I teach professional sysadmin courses and compile kernels for breakfast (well, usually I start them before I go to bed, actually). He did adequately address the issue of limited/buggy Linux Ethernet drivers (though a link to a more in-depth resource, perhaps a Wiki page where various kernel hackers list links to their patches, would be nice). Noting that some cheap Ethernet equipment might also choke when connected to a trunk line would be nice, but is also above and beyond the call of this article. As for how trivial the interfaces are to set up, configure and use -- that's the core of the article. You might say that, yes.

Re: VLANs on Linux
Submitted by Anonymous on Thu, 2004-03-11 02:00.
There are patches to various drivers found on this page: http://www.candelatech.com/~greear/vlan/howto.html
Some known good drivers include tg3, e100, e1000. At one time, the rtl8139 also worked out of the box but I haven't tested it lately. Very cheap un-managed switches can also pass VLANs, though you will not necessarily get the benefits of broadcast domain restriction.
Enjoy,
Ben Greear

Re: VLANs on Linux
Submitted by Anonymous on Thu, 2004-03-11 02:00.
Excellent article! I appreciate the info on how to configure the switch to properly trunk to the Linux box as well as the clear introduction and examples. I may pull that old 2900 out of the closet and actually play with this. I have no idea what state that 2900 is in and how I would fix it up.

Re: VLANs on Linux
Submitted by Anonymous on Mon, 2004-04-05 01:00.
I've been seeing the VLAN 802.1q patch available for years and was vaguely familiar with VLANs from working alongside Cisco networks on numerous occasions. I'd never used the VLAN features, didn't know about the 'vconfig' command, wouldn't have known that the vlan* interfaces needed to be bound to their physical interfaces with it, and generally would have had to hunt around a bit to find that info. This article introduced the concept well, and gave me enough info that I could fire up an old Cisco 2900 switch I have laying around (well, it's on permanent loan from a friend) and play with the functionality with no fuss. It's one of the best articles I've seen recently. Thanks for the article!

Re: VLANs on Linux
Submitted by Anonymous on Mon, 2004-03-15 02:00.
I absolutely agree with the reply to the original post. This was not intended to be an in-depth article on VLANs but an introductory one to help a user new to VLANs quickly set up to use them. I like the fact that he covers the basics of using Cisco IOS (or is it CatOS?) for the other side of this effort, stressing how the switch must talk to the Linux box in trunk mode, and giving examples of setting up the other ports as well. BTW he does throw in some caveats regarding NIC drivers and MTU. All in all a great starter article for anyone interested in getting started using VLANs. I found it helpful in answering some questions I had since this just came up at work, e.g. can I trunk a Linux box to a Cisco 3550 or do I need to buy another switch, iptables, etc. router. Thanks.

Re: VLANs on Linux
Submitted by Anonymous on Thu, 2004-03-11 02:00.
I understand the benefits of VLANs, but I'm not quite sure what the purpose of configuring VLANs at the OS level is. Could you explain the purpose or benefit of configuring VLANs on Linux? Why would you need to do it if you already configured VLANs in your switch? Need some more detailed information.

Re: VLANs on Linux
Submitted by Anonymous on Fri, 2004-03-12 02:00.
The public addresses of our servers only do serving; there is no management (ssh fx) on these addresses. Instead we use a separate LAN for management access. We could put a separate NIC in each server, but it is much easier to just add a VLAN on eth0. Our management VLAN is tagged throughout the network, so for me to get access to it, my workstation needs to support VLANs too. My eth0 is configured like any other user's, but then I also have an eth0.2 configured, which happens to be our management VLAN. We use it for management, no fussing on the Linux side.

Hubs or switch connects all nodes in a LAN and node can communicate without a router. » reply | email this page VLAN is an acronym for Virtual Local Area Network. BTW we use Extreme Summit200 switches. B.1. Therefore. VLANs become important at a certain scale (as do manageable. You'd do it when you want your Linux box on the trunk line to be a router from one VLAN to another. » reply | email this page Re: VLANs on Linux Submitted by Anonymous on Thu. So normal users simply can't have access to VLAN 2. If you want to have a big NFS server directly on two or more subnet (without routing traffic trough the FW) » reply | email this page Re: VLANs on Linux Submitted by Anonymous on Thu. However. which are configured via software (Linux commands and configuration files) and not through hardware interface (you still need to configure switch).168. To route packets between vlans (applying firewall rules in the process). Using virtual interfaces instead of physcial is (obviously) a lot cheaper. SNMP switches). 2004-03-11 02:00. 2004-03-11 02:00. each LAN (A. all nodes in LAN A can communicate with each other without the need for a router. not on everybody else's. I personally prefer separated switches or hub when I can --.especially for the DMZ and server room segments.1/24 config users add ports 1-24 create vlan management config management tag 2 config management ipaddress 192. you need to use a router. If a node from LAN A wants to communicate with LAN B node. Several VLANs can co-exist on a single physical switch. and I like their syntax: create vlan users config users tag 10 config users ipaddress 192. 2004-03-11 02:00.168.The switch is configured to allow VLAN 2 only on the switch port where I sit. . C and so on) are separated using a router. For example.1/24 config management add ports 18 tagged Simon » reply | email this page Re: VLANs on Linux Submitted by Anonymous on Thu. So there is no way they can even connect to an open port 22. 
provided that your switch is intelligent enough.0. and perhaps even to run a Snort or Prelude IDS or other NIDS (network intrusion detection system) on on one or more of the VLANs.

VLAN, as the name suggests, combines multiple LANs at once. It works by tagging each frame, i.e. an Ethernet header extension that enlarges the header from 14 to 18 bytes. The VLAN tag contains the VLAN ID and priority. But what are the advantages of a VLAN?

• Performance
• Ease of management
• Security
• Trunks
• You don't have to configure any hardware device when physically moving a server computer to another location, etc.

VLAN concepts and fundamentals are beyond the scope of this article. I am reading the following textbooks, which I found extremely useful and highly recommend:

• Cisco CCNA ICND books (part I and II)
• Andrew S. Tanenbaum, Computer Networks

OK, now I need to configure a VLAN for RHEL. (Note: due to some other trouble tickets I was not able to configure the VLAN today, but tomorrow afternoon after the lunch break I'll get my hands dirty with Linux VLAN.)

VLAN Configuration

My VLAN ID is 5. So I have one network card (eth0) and it needs to use tagged network traffic for VLAN ID 5. Do not modify the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Instead, copy /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.5:

# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.5

Now open the file /etc/sysconfig/network-scripts/ifcfg-eth0.5 using the vi text editor:

# vi /etc/sysconfig/network-scripts/ifcfg-eth0.5

Find the DEVICE=eth0 line and replace it with:

DEVICE=eth0.5

Append the line:

VLAN=yes

Also make sure you assign the correct IP address using DHCP or a static IP. Only add the gateway to the /etc/sysconfig/network file; remove the gateway entry from all other network config files. Save the file. Restart the network:

# /etc/init.d/network restart

The above files configure the Linux system to have:

• eth0 - your regular network interface
• eth0.5 - your virtual interface that uses tagged frames (VLAN ID 5)

Please note that if you need to configure VLAN ID 2, copy /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.2 and do the above procedure again.

Configuration problems

I am lucky enough to have a couple of hints from our internal wiki docs:

• Not all network drivers support VLAN. You may need to patch your driver. See the Linux VLAN site for patches and other information.
• MTU may be another problem.
• Do not use VLAN ID 1, as it may be used for admin purposes.

Using the vconfig command

The above method is perfect and works with Red Hat Enterprise Linux without problems. If you are happy with the above method there is no need to follow this one. However, you will notice that there is a command called vconfig. The vconfig program allows you to create and remove vlan-devices on a VLAN-enabled kernel. Vlan-devices are virtual Ethernet devices which represent the virtual LANs on the physical LAN. Please note that this is yet another method of configuring a VLAN.

Add VLAN ID 5 with the following command for eth0:

# vconfig add eth0 5

The add command creates a vlan-device on eth0, which results in the eth0.5 interface. Use ifconfig to assign an IP address:

# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up

Get detailed information about the VLAN interface:

# cat /proc/net/vlan/eth0.5

You can use the normal ifconfig command to see device information:

# ifconfig eth0.5
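As an added example (not code from the nixcraft post or from the Linux VLAN project), a small Python parser for the 802.1Q tag described above: it shows the header growing from 14 to 18 bytes, splits the tag into its 3-bit priority and 12-bit VLAN ID, and applies a per-port membership check of the kind the Summit200 configuration in the comments expresses (management VLAN 2 tagged on one port only). The sample frames are constructed inline by `build_frame`, which exists only to produce test input.

```python
import struct
from typing import Dict, List, Optional, Set

ETH_HDR_LEN = 14            # dst(6) + src(6) + ethertype(2)
TAGGED_HDR_LEN = 18         # the 4-byte 802.1Q tag grows the header from 14 to 18 bytes
TPID_8021Q = 0x8100         # ethertype value announcing that a tag follows
RESERVED_VIDS = {0, 0xFFF}  # VID 0 = priority-only tag, VID 4095 is reserved

def parse_frame(raw: bytes) -> Dict[str, object]:
    """Decode the Ethernet header, consuming an 802.1Q tag if one is present."""
    if len(raw) < ETH_HDR_LEN:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:ETH_HDR_LEN])
    vid = pcp = None
    body = ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        if len(raw) < TAGGED_HDR_LEN:
            raise ValueError("tagged frame truncated inside the 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[ETH_HDR_LEN:TAGGED_HDR_LEN])
        pcp = tci >> 13      # top 3 bits of the TCI carry the priority
        vid = tci & 0x0FFF   # low 12 bits carry the VLAN ID, hence at most 4096 VLANs
        body = TAGGED_HDR_LEN
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": mac(dst), "src": mac(src), "ethertype": ethertype,
            "vid": vid, "pcp": pcp, "payload_len": len(raw) - body}

def check_frame(frame: Dict[str, object], tagged_vids: Set[int], untagged_ok: bool) -> List[str]:
    """Explain why a frame should not have arrived on a port with the given VLAN membership."""
    vid = frame["vid"]
    findings = []
    if vid is None:
        if not untagged_ok:
            findings.append("untagged frame on a tagged-only port")
        return findings
    if vid in RESERVED_VIDS:
        findings.append(f"reserved VID {vid}")
    elif vid not in tagged_vids:
        findings.append(f"VID {vid} not permitted on this port")
    if vid == 1:
        findings.append("VID 1 is the default VLAN; avoid using it for tagged traffic")
    if frame["payload_len"] > 1500:
        findings.append("payload over 1500 bytes: tagged frame exceeds the untagged MTU")
    return findings

def build_frame(dst: bytes, src: bytes, payload: bytes, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a constructed sample frame (test input only), inserting an 802.1Q tag when vid is given."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", 0x0800) + payload  # 0x0800 = IPv4 payload
```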

If you wish to delete the VLAN interface, use the rem command:

# ifconfig eth0.5 down
# vconfig rem eth0.5

10 Responses to “Howto: Configure Linux Virtual Local Area Network (VLAN)”

1. anoop Says: June 27th, 2006 at 6:25 pm
please send me how to configure vlan in linux

2. linuxtitli Says: June 28th, 2006 at 12:02 am
@anoop err, sorry i just forgot to add Instructions as I am busy on some other work. I will add them possibly by tomorrow

3. Ted Says: June 7th, 2006 at 8:02 pm
A VLAN is a logical grouping of two or more servers which are not necessarily on the same physical network segment but which share the same IP network subnet. The advantage to passing traffic across a VLAN versus a LAN is that information on one VLAN can only be seen on that VLAN, and not by every server on the entire LAN. This is especially beneficial when you have many different nodes on a network sharing information with each other. Most web server hosting companies deploy some sort of VLAN to protect customers.

4. Bill Says: August 14th, 2006 at 2:41 am

The above postings may be misleading in that the word “server” is used rather than “host”. A VLAN is a “Virtual Local Area Network” and is present in L2 (Level 2) of the protocol stack. 802.1q provides for an additional 4 bytes of information added to the L2 frame, 12 bits of which indicate the VLAN id. Thus one may have 4K VLANs. A host may be a server, workstation or other device which conforms to the 802.1q specification. Therefore, it is possible (with certain limitations) to attach a laptop to a VLAN seen by a server.

When you want to configure a VLAN in Linux, assuming your kernel supports it (2.6+ do), you need to make sure 802.1q support is available. This is most easily done with modprobe. So the command:

/sbin/modprobe 8021q

should do the trick. Then, for any given NIC interface you only have to do the following:

/sbin/vconfig add eth<N> <VLAN>
/sbin/ifconfig eth<N>.<VLAN> 192.168.x.x netmask 255.255.255.0

You may then need to add to the routing table (not knowing what Linux you are running) something like:

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 eth<N>.<VLAN>

Of course I just picked some arbitrary class C address; you would have to use what is appropriate for you. ALL THE ABOVE MUST BE AS ROOT.

5. Samarendra Saha Says: September 13th, 2006 at 12:16 pm
How can config IP addressing in Suse linux? Please send me the path to adding the IP address and make a work group.

6. viswanathsingh Says: September 13th, 2006 at 1:17 pm
could you please send me the instructions for setting up the VLAN

7. nixcraft Says: September 13th, 2006 at 7:05 pm

viswanathsingh, Instructions/commands are mentioned above. Please read the vconfig and VLAN config section.

8. nixcraft Says: September 13th, 2006 at 7:07 pm
Samarendra, Run yast or yast2 command to change network configuration under Suse Linux.
yast OR yast2

9. viswanath Says: September 14th, 2006 at 3:54 pm
Any one is having idea how to test VTUN

10. viswanath Says: September 14th, 2006 at 3:55 pm
how to test VLAN (i want to know basic scenario)
