Skip to content

Setting up VLAN

Introduction

A Virtual Local Area Network, commonly known as VLAN, is a logically independent computer network. Multiple VLANs can coexist on the same network switch.

Installation

First, you need to check if VLAN support is compiled as a module or integrated into the kernel:

1
2
> grep -i 8021q < /boot/config-2.6.32-21-generic
CONFIG_VLAN_8021Q=m

Here it's as a module, so I'll activate it on the fly:

1
modprobe 8021q

Then add it to the modules file to automatically load at startup:

1
2
3
4
5
6
7
8
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.

8021q
...

Next, I need to install the VLAN package:

1
aptitude install vlan

Configuration

To configure my VLAN, it's quite simple. I need to know on which physical interface (br0 in this case) I'll create my VLAN (110), then I can create my VLAN on-the-fly like this:

1
vconfig add eth0 110

Then I configure the IP addresses:

1
ifconfig eth0.110 192.168.110.1/24

And add it permanently to the network cards configuration:

1
2
3
4
5
6
# VLAN 110 DMZ
iface eth0.110 inet static
    address 192.168.110.1
    netmask 255.255.255.0
    broadcast 192.168.110.255
    vlan_raw_device eth0

OpenVZ

Here's an example that works with OpenVZ, but also works well for other classic use cases.

You may need to create VLANs in your VEs. This works very well with a bridged interface. To do this, on the host machine, you need to have a VLAN configured (for setup, use this documentation). For those who still want an example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
auto eth0
iface eth0 inet manual

# The bridged interface
auto vmbr0
iface vmbr0 inet static
        address 192.168.100.1
        netmask 255.255.255.0
        gateway 192.168.100.254
        broadcast 192.168.100.255
        network 192.168.100.0
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

# The DMZ Vlan 110
auto vmbr0.110
iface vmbr0.110 inet static
    address 192.168.110.1
    netmask 255.255.255.0
    broadcast 192.168.110.255
    vlan_raw_device vmbr0

This example is made with a bridged interface because I have KVM running on it, but you're not obligated to use a bridge.

Then, when creating your VE, you don't have to do anything special when creating the network interface for your VE. Launch the creation of your VE and don't forget to install the "vlan" package to create VLAN access within your VE. Here's another example of the network configuration for the VE:

1
2
3
4
5
...
CONFIG_CUSTOMIZED="yes"
VZHOSTBR="vmbr0"
IP_ADDRESS=""
NETIF="ifname=eth0,mac=00:18:50:FE:EF:0B,host_ifname=veth101.0,host_mac=00:18:50:07:B8:F4"

For the VE configuration, it's almost identical to the host machine. You'll need to create a VLAN interface on the main interface (again, you don't need to configure the main interface, just the VLAN is enough). For those who are still unsure, here's an example configuration in a VE:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# This configuration file is auto-generated.
# WARNING: Do not edit this file, your changes will be lost.
# Please create/edit /etc/network/interfaces.head and /etc/network/interfaces.tail instead,
# their contents will be inserted at the beginning and at the end
# of this file, respectively.
#
# NOTE: it is NOT guaranteed that the contents of /etc/network/interfaces.tail
# will be at the very end of this file.

# Auto generated lo interface
auto lo
iface lo inet loopback

# VE interface
auto eth0
iface eth0 inet manual

# VLAN 110 interface
auto eth0.110
iface eth0.110 inet static
    address 192.168.110.2
    netmask 255.255.255.0
    gateway 192.168.110.254
    broadcast 192.168.110.255
    vlan_raw_device eth0

KVM

We will need to use etables (iptables for bridged interfaces). Install this:

1
aptitude install ebtables

Check your etables configuration:

1
2
3
EBTABLES_LOAD_ON_START="yes"
EBTABLES_SAVE_ON_STOP="yes"
EBTABLES_SAVE_ON_RESTART="yes"

And enable VLAN tagging on bridged interfaces:

1
ebtables -t broute -A BROUTING -i eth0 -p 802_1Q -j DROP

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
auto eth0
iface eth0 inet manual

auto eth0.110
iface eth0.110 inet manual
        vlan_raw_device eth0

# The bridged interface
auto vmbr0
iface vmbr0 inet static
        address 192.168.100.1
        netmask 255.255.255.0
        network 192.168.100.0
        broadcast 192.168.100.255
        gateway 192.168.100.254
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.168.100.254
        dns-search deimos.fr
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

auto vmbr0.110
iface vmbr0.110 inet static
        address 192.168.110.1
        netmask 255.255.255.0
        bridge_ports eth0.190
        bridge_stp off
        bridge_maxwait 0
        bridge_fd 0

Resources