Configuring VLAN on Linux: Network Isolation, Enhanced Security, and Easy Management

Network tutorial - IT technology blog

Problem Introduction: Why Do We Need VLANs?

In system management, especially networking, I often face the challenge of making the company’s network secure and efficient without incurring excessive costs for new equipment. I manage the network for a 50-person office and a small datacenter, so I understand these challenges well.

As a network grows larger, from 5-10 machines to 50 or more, many problems begin to emerge. First is security: How can accounting department computers be prevented from directly accessing development servers, or how can IoT devices be prevented from affecting the main system?

Second is performance: When a computer sends a broadcast message (e.g., searching for a printer or requesting an IP from a DHCP server), every other device on the same LAN must process it. This situation wastes resources and significantly slows down the network.

In the past, to solve this, I might have had to buy more switches, pull more cables, and separate departments into distinct physical networks. But this approach was expensive, complex, and inflexible. If a department changed locations, or if I wanted to add a computer to a different network, I’d have to re-cable everything. That’s why I turned to VLANs.

Core Concept: What is VLAN and How Does It Work?

What is a VLAN?

VLAN (Virtual Local Area Network) is simply a way to create multiple virtual LANs on the same physical network infrastructure. Imagine a single physical switch being divided into multiple independent virtual switches using VLANs. Devices belonging to the same VLAN can communicate as if they were on the same physical network, even if they are plugged into different ports on the same switch, or even across multiple physical switches.

Why Do We Need VLANs?

  • Enhanced Security: This is the biggest benefit. VLANs help separate departments (e.g., Accounting, Marketing, IT) or devices (servers, computers, security cameras) into private networks. This prevents unauthorized access and reduces the risk of network attacks.
  • Improved Network Performance: VLANs reduce the size of broadcast domains. When a computer sends a broadcast message, it only reaches members within the same VLAN, instead of the entire physical network. This cuts down unnecessary traffic, making the network faster.
  • Easy and Flexible Management: Employees moving or departments changing? You just need to reconfigure the network using software (on a switch or Linux server), without having to re-cable physically. This is extremely convenient for managing a constantly evolving network infrastructure.
  • Cost Savings: Instead of buying multiple switches for each physical network, I only need a few VLAN-capable switches.

VLAN Operation Mechanism: 802.1Q Tagging

For switches or Linux servers to identify which VLAN a frame belongs to, a mechanism called VLAN tagging, defined by the IEEE 802.1Q standard, is used. When an Ethernet frame passes through a network port configured for a VLAN, a 4-byte “tag” is inserted into the frame header. This tag carries the VLAN ID, a number from 1 to 4094.

  • Access Port: Typically connects to end devices (like user computers). Packets entering or exiting this port will not have a VLAN tag. The switch automatically assigns a VLAN ID to incoming packets and removes the tag when exiting, based on the port configuration.
  • Trunk Port: Typically used for connections between switches, or between a switch and a server (like a Linux server). Packets passing through a Trunk port will carry a VLAN tag, allowing multiple VLANs to traverse a single physical link.

In the context of a Linux server, when configuring VLANs, we are essentially helping the server’s network card understand and process 802.1Q tagged packets. This transforms the network card into a kind of “software Trunk port.”

Detailed Practice: Configuring VLAN on Linux

Now for the most important part: how to apply this in practice on a Linux server. These experiences come from my actual deployments in a small datacenter. There, I used Linux servers as gateways, firewalls, or virtualization hosts needing to participate in various virtual networks.

1. Check Kernel Support and Install Tools

Most modern Linux distributions come with the kernel module for VLANs pre-installed. We can check this using the command:

lsmod | grep 8021q

If you see output, it means the module is loaded. Otherwise, you can load it manually:

sudo modprobe 8021q

The necessary tools are usually iproute2 (providing the ip command) and, optionally, the vlan package (providing the older vconfig command; ip is the modern and recommended tool).

# On Debian/Ubuntu
sudo apt update
sudo apt install iproute2 vlan

# On CentOS/RHEL
sudo yum install iproute vlan

2. Basic Commands for Temporary VLAN Management (runtime)

We will use the ip command to create and manage VLAN interfaces.

View Existing Network Card Information

My physical network card is named something like eth0 or enpXsX. Use the following command to check:

ip a

For example, I will use enp0s3 as the physical network card for the next steps.

Create a New VLAN Interface

I want to create a VLAN interface with ID 10 on the enp0s3 card. I will name it enp0s3.10 according to common convention:

sudo ip link add link enp0s3 name enp0s3.10 type vlan id 10

  • link enp0s3: Specifies the physical interface on which this VLAN will operate.
  • name enp0s3.10: Name of the new VLAN interface.
  • type vlan id 10: Declares this as a VLAN interface with ID 10.

Assign an IP Address to the VLAN Interface

sudo ip addr add 192.168.10.100/24 dev enp0s3.10

Here I assign IP 192.168.10.100 with subnet mask /24 to the enp0s3.10 interface.

Activate the VLAN Interface

sudo ip link set dev enp0s3.10 up

Verify Configuration

After configuration, I can check if the VLAN interface has been created and has an IP address:

ip a show enp0s3.10

Or view more details with the -d flag to see VLAN information:

ip -d link show enp0s3.10

Delete a VLAN Interface

If you want to delete a temporary VLAN interface (only effective until reboot), use the command:

sudo ip link delete enp0s3.10
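The runtime steps above (create, address, bring up) wrapped in a small POSIX shell script with the input checks a practitioner would want before touching a production trunk. This is an added example, not code from the original article; the function names vlan_cmds and vlan_up and the DRY_RUN switch are this example's own, and the interface and address values are the article's sample ones.

```shell
#!/bin/sh
# Added example (not from the original article): bring up a VLAN
# sub-interface with the ip(8) commands from section 2, after validating
# the arguments. vlan_cmds, vlan_up and DRY_RUN are this example's own names.
# With DRY_RUN=1 the commands are printed instead of executed, so the script
# can be tried without root or a real trunk port.

# vlan_cmds PARENT VID CIDR: print the three ip commands, or fail on bad input.
vlan_cmds() {
    parent=$1; vid=$2; cidr=$3
    # 802.1Q VLAN IDs are 1..4094; 0 and 4095 are reserved by the standard.
    case $vid in
        ''|*[!0-9]*) echo "VLAN id must be numeric: '$vid'" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "VLAN id out of range 1-4094: $vid" >&2; return 1
    fi
    # Linux limits interface names to 15 characters (IFNAMSIZ minus the NUL).
    name="$parent.$vid"
    if [ "${#name}" -gt 15 ]; then
        echo "interface name longer than 15 characters: $name" >&2; return 1
    fi
    # Insist on CIDR notation so the interface never comes up with a guessed mask.
    case $cidr in
        */[0-9]*) ;;
        *) echo "address must be CIDR, e.g. 192.168.10.100/24: '$cidr'" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "ip link add link $parent name $name type vlan id $vid" \
        "ip addr add $cidr dev $name" \
        "ip link set dev $name up"
}

# vlan_up PARENT VID CIDR: run the commands with sudo, or print them if DRY_RUN=1.
vlan_up() {
    cmds=$(vlan_cmds "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    # Refuse to re-create an interface that already exists: ip would error
    # anyway, but this gives a clearer message and leaves the live config alone.
    if ip link show "$1.$2" >/dev/null 2>&1; then
        echo "$1.$2 already exists; remove it first with: sudo ip link delete $1.$2" >&2
        return 1
    fi
    printf '%s\n' "$cmds" | while IFS= read -r c; do
        sudo $c || exit 1   # exit leaves the pipeline subshell with status 1
    done
}

# Usage:   ./vlan-up.sh enp0s3 10 192.168.10.100/24
# Dry run: DRY_RUN=1 ./vlan-up.sh enp0s3 10 192.168.10.100/24
[ "$#" -eq 0 ] || vlan_up "$@"
```

The dry-run mode is the useful part for review: it lets you diff the exact ip commands a change-management ticket will run before anyone runs them with sudo.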

3. Persistent VLAN Configuration (after reboot)

The ip commands above are only effective for the current session. When the server reboots, the configuration will be lost. For persistent configuration, we need to modify the operating system’s network configuration files.

Each Linux distribution may have different configuration methods. I will present the two most common ways.

Method 1: Configure with Netplan (on Ubuntu Server 18.04+ and Debian 10+)

Netplan uses YAML files for network configuration, which is the method I often use on Ubuntu servers.

Create or edit the configuration file in the /etc/netplan/ directory. For example: /etc/netplan/01-netcfg.yaml.

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      dhcp6: no
  vlans:
    enp0s3.10:
      id: 10
      link: enp0s3
      addresses: [192.168.10.100/24]
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
      routes:
        - to: default
          via: 192.168.10.1
    enp0s3.20:
      id: 20
      link: enp0s3
      addresses: [192.168.20.100/24]
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
      routes:
        - to: default
          via: 192.168.20.1

Explanation:

  • ethernets: enp0s3: Declares the physical card. I disable DHCP on the physical card because it only serves as a “transmission path” (the trunk) for the VLANs.
  • vlans: Section defining VLAN interfaces.
  • enp0s3.10: VLAN interface name.
  • id: 10: VLAN ID.
  • link: enp0s3: Specifies the parent physical interface.
  • addresses: [192.168.10.100/24]: IP address and subnet mask.
  • routes: and nameservers: Configure the gateway and DNS server for this VLAN. Note that declaring to: default on both VLAN interfaces gives the server two default routes; keep the default route on only one VLAN (or give the routes different metric values) so that outbound traffic has one unambiguous exit.

After editing the file, apply the configuration:

sudo netplan try # It is recommended to use this command to test the configuration before applying it permanently
sudo netplan apply

Method 2: Configure with NetworkManager and ifcfg files (on CentOS/RHEL)

On CentOS/RHEL systems, I typically use NetworkManager along with ifcfg- files in the /etc/sysconfig/network-scripts/ directory.

First, ensure NetworkManager is running and the physical network card is configured not to receive an IP directly.

Create a configuration file for the physical network card ifcfg-enp0s3:

sudo vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

TYPE="Ethernet"
BOOTPROTO="none"
NAME="enp0s3"
DEVICE="enp0s3"
ONBOOT="yes"

Create a configuration file for VLAN interface 10 (ifcfg-enp0s3.10):

sudo vi /etc/sysconfig/network-scripts/ifcfg-enp0s3.10

VLAN="yes"
TYPE="Vlan"
DEVICE="enp0s3.10"
PHYSDEV="enp0s3"
VID="10"
BOOTPROTO="static"
IPADDR="192.168.10.100"
NETMASK="255.255.255.0"
GATEWAY="192.168.10.1"
ONBOOT="yes"

Create a configuration file for VLAN interface 20 (ifcfg-enp0s3.20):

sudo vi /etc/sysconfig/network-scripts/ifcfg-enp0s3.20

VLAN="yes"
TYPE="Vlan"
DEVICE="enp0s3.20"
PHYSDEV="enp0s3"
VID="20"
BOOTPROTO="static"
IPADDR="192.168.20.100"
NETMASK="255.255.255.0"
GATEWAY="192.168.20.1"
ONBOOT="yes"

After creation or modification, restart NetworkManager:

sudo systemctl restart NetworkManager

Or restart the older network service if not using NetworkManager:

sudo systemctl restart network

4. Real-world Example: Linux Server Participating in Multiple VLANs

Imagine having a server that needs to act as a virtualization host, and the virtual machines on it need to access two different networks: one for Web Servers (VLAN 10) and one for Database Servers (VLAN 20). The physical server only has one network card, enp0s3.

To achieve this, I will configure it as follows (using Netplan as an example):

  1. Ensure the switch port to which the Linux server is connected is configured as a Trunk port, allowing VLAN 10 and VLAN 20 to pass through.
  2. Create the Netplan configuration file as described above, with two VLAN interfaces enp0s3.10 and enp0s3.20.

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      dhcp6: no
  vlans:
    enp0s3.10:
      id: 10
      link: enp0s3
      addresses: [192.168.10.100/24]
      nameservers:
        addresses: [8.8.8.8]
      routes:
        - to: default
          via: 192.168.10.1
    enp0s3.20:
      id: 20
      link: enp0s3
      addresses: [192.168.20.100/24]
      nameservers:
        addresses: [8.8.8.8]
      routes:
        - to: default
          via: 192.168.20.1

After sudo netplan apply, my server will have two virtual network interfaces, each belonging to a separate VLAN, with its own IP address and gateway:

ip a show enp0s3.10
# Similar output:
# 4: enp0s3.10@enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
#     link/ether 08:00:27:1c:1d:9e brd ff:ff:ff:ff:ff:ff
#     inet 192.168.10.100/24 brd 192.168.10.255 scope global enp0s3.10
#        valid_lft forever preferred_lft forever

ip a show enp0s3.20
# Similar output:
# 5: enp0s3.20@enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
#     link/ether 08:00:27:1c:1d:9e brd ff:ff:ff:ff:ff:ff
#     inet 192.168.20.100/24 brd 192.168.20.255 scope global enp0s3.20
#        valid_lft forever preferred_lft forever

With this configuration, the Linux server can communicate with both VLAN 10 and VLAN 20 over a single physical network port. Keep in mind that the two VLANs stay isolated from each other only as long as the server itself does not forward between them: if IP forwarding (net.ipv4.ip_forward) is enabled on this host, it becomes a router between VLAN 10 and VLAN 20 unless firewall rules block that traffic. This is extremely useful when deploying virtualization or services that require network isolation, ensuring efficiency and security.
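A verification script for the finished setup, as an added example that is not part of the original article. It parses the output of ip -d link show (the -d form shown in section 2) to confirm that each sub-interface really carries the expected 802.1Q tag on the expected parent, and reports whether the host has IP forwarding on, since a host with interfaces in both VLANs routes between them once forwarding is enabled and no firewall rule stops it. The function names and the SAMPLE text are this example's own; SAMPLE is constructed to match the real ip -d output layout using the article's sample interface and MAC address.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a VLAN
# sub-interface really carries the 802.1Q tag and parent you expect, and
# report whether this host would route between its VLANs. The names
# vlan_id_of, vlan_parent_of, check_vlan and forwarding_enabled are this
# example's own; SAMPLE is constructed to match the real `ip -d link show`
# layout, with the article's sample interface and MAC address.

# Constructed sample of `ip -d link show enp0s3.10` (the -d flag adds the
# "vlan protocol 802.1Q id N" detail line that a plain `ip a` does not show).
SAMPLE='4: enp0s3.10@enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:1c:1d:9e brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 10 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535'

# Print the VLAN id found in `ip -d link show` output read from stdin (empty if none).
vlan_id_of() {
    sed -n 's/.*vlan protocol 802\.1Q id \([0-9][0-9]*\).*/\1/p'
}

# Print the parent interface from the "N: name@parent:" header line on stdin.
vlan_parent_of() {
    sed -n 's/^[0-9][0-9]*: [^@]*@\([^:]*\):.*/\1/p'
}

# check_vlan IFACE WANT_ID WANT_PARENT [OUTPUT]
# OUTPUT is the text of `ip -d link show IFACE`; when omitted, ip is run live.
check_vlan() {
    iface=$1; want_id=$2; want_parent=$3
    if [ "$#" -ge 4 ]; then out=$4; else out=$(ip -d link show "$iface") || return 2; fi
    got_id=$(printf '%s\n' "$out" | vlan_id_of)
    got_parent=$(printf '%s\n' "$out" | vlan_parent_of)
    if [ -z "$got_id" ]; then
        echo "$iface: no 802.1Q tag found; not a VLAN interface" >&2
        return 1
    fi
    if [ "$got_id" != "$want_id" ] || [ "$got_parent" != "$want_parent" ]; then
        echo "$iface: tagged id=$got_id on $got_parent, expected id=$want_id on $want_parent" >&2
        return 1
    fi
    echo "$iface: OK, 802.1Q id $got_id on $got_parent"
}

# forwarding_enabled [FILE]: true when net.ipv4.ip_forward is 1. A host with
# interfaces in two VLANs becomes a router between them once this is on
# (unless firewall rules block it), so a server that merely needs to be a
# member of both VLANs should normally report 0. FILE is only for testing.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = 1 ]
}

# Usage on the live host:
#   check_vlan enp0s3.10 10 enp0s3 && check_vlan enp0s3.20 20 enp0s3
#   forwarding_enabled && echo "WARNING: this host forwards between its VLANs"
```

A mismatch between the tag you expect and the tag the kernel reports usually means a typo in the Netplan id: or ifcfg VID= line, and the interface would then sit in the wrong broadcast domain while its IP address looks perfectly normal in ip a.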

Conclusion

VLANs are a powerful and essential technique in modern network design and management. From my experience, whether it’s for a small office network or a datacenter, applying VLANs brings clear benefits in terms of security, performance, and scalability.

On Linux, configuring VLANs is quite straightforward with tools like ip and persistent configuration methods like Netplan or NetworkManager. Mastering VLAN configuration will help you build a much more robust and easily manageable network infrastructure.

Try configuring VLANs on your virtual machine or test environment to familiarize yourself and apply them to real-world projects. Good luck!
