Introduction
In this lab, you will learn how to configure Virtual LAN (VLAN) interfaces on a Linux system using the ip command from the iproute2 suite. You will gain hands-on experience with creating logically separate networks on a single physical interface, a fundamental skill for network administration and segmentation. This process allows you to isolate network traffic and improve security and performance without additional physical hardware.
You will begin by preparing the system, which involves installing the necessary vlan user-space utilities and loading the 802.1q kernel module to enable VLAN tagging. Following the initial setup, you will identify the primary network interface, create two new virtual interfaces for VLAN 10 and VLAN 20, and assign a static IP address to each. Finally, you will use the ip a command to verify that the VLAN interfaces have been created successfully and are active on the system.
Install VLAN Utilities and Load the 802.1q Kernel Module
In this step, you will prepare your Linux environment for VLAN configuration. This involves two key actions: installing the necessary user-space tools and loading the required kernel module.
A Virtual LAN (VLAN) allows you to create logically separate networks on the same physical network infrastructure. To manage VLANs on Linux, you need the vlan package, which provides command-line tools. Additionally, the kernel needs to understand VLAN-tagged traffic, which is enabled by the 8021q kernel module, named after the IEEE 802.1Q networking standard for VLANs.
First, let's ensure your package list is up-to-date and then install the vlan package. All commands will be executed in the terminal.
Update the package index on your system:
sudo apt update
Install the vlan package. The -y flag automatically confirms the installation.
sudo apt install -y vlan
You should see output indicating that the package is being installed.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  vlan
0 upgraded, 1 newly installed, 0 to remove and XX not upgraded.
Need to get XX.X kB of archives.
After this operation, XXX kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy/main amd64 vlan X.X-X [XX.X kB]
Fetched XX.X kB in Xs (XX.X kB/s)
Selecting previously unselected package vlan.
(Reading database ... XXXXXX files and directories currently installed.)
Preparing to unpack .../vlan_X.X-X_amd64.deb ...
Unpacking vlan (X.X-X) ...
Setting up vlan (X.X-X) ...
Now that the tools are installed, you need to load the 8021q kernel module. This module enables the Linux kernel to process network packets with VLAN tags.
Load the 8021q module using the modprobe command:
sudo modprobe 8021q
This command typically produces no output if successful.
To confirm that the module has been loaded correctly, you can list all loaded modules with lsmod and filter the output for 8021q using grep.
lsmod | grep 8021q
The output should show the 8021q module, confirming it is active in the kernel.
8021q                  36864  0
garp                   20480  1 8021q
mrp                    20480  1 8021q
Your system is now ready for VLAN configuration. In the next step, you will identify your network interface and start creating VLANs.
Identify the Primary Network Interface
In this step, you will identify the name of the primary network interface on your system. VLAN interfaces are virtual interfaces that are logically attached to a physical network interface. Therefore, you must first know the name of this physical "parent" interface before you can create any VLANs on it.
We will use the ip command, which is the modern standard for network configuration on Linux. Specifically, the ip a (or ip addr) command displays information about all network interfaces.
Open a terminal. Your current working directory is ~/project.
To list all network interfaces and their configurations, type the following command and press Enter:
ip a
You will see a list of all network interfaces on your system. Look for an interface that is active and has an IP address assigned to it. You can ignore the lo interface, which is the local loopback device. The primary interface name typically starts with en (for Ethernet) or eth.
Here is an example of what the output might look like. In this example, eth0 is the primary physical interface.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:00:04:06 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 172.16.50.186/24 metric 100 brd 172.16.50.255 scope global dynamic eth0
       valid_lft 1892159924sec preferred_lft 1892159924sec
    inet6 fe80::216:3eff:fe00:406/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:f2:70:14:b5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
From the output above, observe the following:
eth0: This is the name of the interface. Take note of this name, as you will need it in the following steps. Your interface name might be different (e.g., ens33).
state UP: This indicates the interface is active.
inet 172.16.50.186/24: This is the IPv4 address assigned to the interface.
Now that you have identified your primary network interface, you are ready to create VLAN interfaces on it.
Create Virtual Interfaces for VLAN 10 and VLAN 20
In this step, you will use the ip command to create two new virtual network interfaces. Each interface will be associated with a specific VLAN ID, effectively connecting your host to two different logical networks, VLAN 10 and VLAN 20. These new interfaces will be linked to the primary physical interface you identified in the previous step.
The command to create a VLAN interface is ip link add. Let's break down its structure:
sudo ip link add: The base command to add a new network link (interface).
link <physical_interface>: Specifies the parent physical interface. You will replace <physical_interface> with the name you found in Step 2 (e.g., eth0).
name <vlan_interface_name>: Defines the name for the new virtual interface. A common convention is <physical_interface>.<vlan_id>, such as eth0.10.
type vlan: Specifies that the new interface is a VLAN type.
id <vlan_id>: Assigns the numerical VLAN ID (or tag).
Now, let's create the interfaces. Remember to replace eth0 with your actual physical interface name if it is different.
First, create the virtual interface for VLAN 10. This interface will be named eth0.10.
sudo ip link add link eth0 name eth0.10 type vlan id 10
Next, create the virtual interface for VLAN 20, naming it eth0.20.
sudo ip link add link eth0 name eth0.20 type vlan id 20
If these commands are successful, they will not produce any output. You have now created the logical interfaces, but they are not yet active or configured with IP addresses. You will handle that in the next step.
Assign IP Addresses and Activate the VLAN Interfaces
In this step, you will bring the newly created VLAN interfaces online and assign them IP addresses. After creation, network interfaces are in a DOWN state by default, meaning they are disabled and cannot send or receive traffic. You need to activate them and provide network-layer addresses to make them functional.
We will use the ip link set up command to activate the interfaces and ip addr add to assign IP addresses.
First, you need to activate, or "bring up," the VLAN interfaces. This enables them to participate in network communication. Execute the following commands in your terminal. Remember to use your interface name if it is not eth0.
Activate the eth0.10 interface:
sudo ip link set dev eth0.10 up
Activate the eth0.20 interface:
sudo ip link set dev eth0.20 up
These commands will not produce any output if they succeed.
Now that the interfaces are active, you can assign an IP address to each one. We will assign an address from the 192.168.10.0/24 network to VLAN 10 and an address from the 192.168.20.0/24 network to VLAN 20. The /24 is CIDR notation for a subnet mask of 255.255.255.0.
Assign 192.168.10.10/24 to the eth0.10 interface:
sudo ip addr add 192.168.10.10/24 dev eth0.10
Assign 192.168.20.10/24 to the eth0.20 interface:
sudo ip addr add 192.168.20.10/24 dev eth0.20
Your VLAN interfaces are now fully configured and active for the current session. In the final step, you will verify the complete configuration.
Verify the VLAN Interface Configuration with ip a
In this final step, you will verify that your VLAN interfaces have been successfully created, activated, and configured with the correct IP addresses. Running the ip a command again will show you the complete network configuration of your host, including the new virtual interfaces.
In your terminal, execute the ip a command to display all network interface information.
ip a
Examine the output carefully. You should now see your new VLAN interfaces, eth0.10 and eth0.20, listed alongside your physical and loopback interfaces.
The output will look similar to this:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:00:04:06 brd ff:ff:ff:ff:ff:ff
    inet 172.16.50.186/24 metric 100 brd 172.16.50.255 scope global dynamic eth0
       valid_lft 1892159924sec preferred_lft 1892159924sec
3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:00:04:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.10/24 brd 192.168.10.255 scope global eth0.10
       valid_lft forever preferred_lft forever
4: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:00:04:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.10/24 brd 192.168.20.255 scope global eth0.20
       valid_lft forever preferred_lft forever
Observe the following key details for your new interfaces:
eth0.10@eth0 and eth0.20@eth0: The names of the VLAN interfaces. The @eth0 part explicitly shows they are linked to the eth0 physical device.
state UP: Confirms that both interfaces are active and ready to transmit data.
inet 192.168.10.10/24 and inet 192.168.20.10/24: The IP addresses you assigned in the previous step are correctly configured.
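The three observations above can be checked by script instead of by eye. The following is an added example, not part of the original lab: it parses ip a output and confirms that each VLAN interface is attached to the expected parent, is UP, and carries the expected address. The names vlan_report, verify_vlan and SAMPLE_IP_A are hypothetical, and the embedded sample is the lab's expected output trimmed to the lines the parser reads.

```shell
#!/bin/sh
# Added example: check `ip a` output for the lab's VLAN sub-interfaces.
# Function and variable names here are illustrative, not from the lab.

# Sample input: the lab's expected `ip a` output, trimmed to the lines the
# parser reads. On a live host run:  ip a | vlan_report
SAMPLE_IP_A='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 172.16.50.186/24 metric 100 brd 172.16.50.255 scope global dynamic eth0
3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.10/24 brd 192.168.10.255 scope global eth0.10
4: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.20.10/24 brd 192.168.20.255 scope global eth0.20'

# vlan_report: read `ip a` text on stdin, print one line per name@parent entry:
#   <name> <parent> <state> <ipv4/prefix or "-">
# Other stacked device types also use the name@parent form; run
# "ip -d link show NAME" to confirm the vlan type and 802.1Q id.
vlan_report() {
    awk '
        function emit() {
            if (name != "") print name, parent, state, (addr == "" ? "-" : addr)
        }
        /^[0-9]+: / {                      # header line of an interface
            emit(); name = ""; addr = ""
            iface = $2; sub(/:$/, "", iface)
            if (split(iface, p, "@") == 2) {
                name = p[1]; parent = p[2]; state = "?"
                for (i = 3; i < NF; i++) if ($i == "state") state = $(i + 1)
            }
            next
        }
        name != "" && $1 == "inet" && addr == "" { addr = $2 }  # first IPv4
        END { emit() }
    '
}

# verify_vlan NAME PARENT CIDR: succeed only if NAME is attached to PARENT,
# is UP, and its first IPv4 address is exactly CIDR.
verify_vlan() {
    vlan_report | grep -qxF "$1 $2 UP $3"
}

# Demo on the embedded sample; prints one line per VLAN interface.
printf '%s\n' "$SAMPLE_IP_A" | vlan_report
```

On a live host, ip a | verify_vlan eth0.10 eth0 192.168.10.10/24 returns a non-zero exit status if the interface is missing, DOWN, on the wrong parent, or misaddressed.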
Congratulations! You have successfully configured a single Linux host to participate in two different VLANs. This demonstrates how a server can communicate across multiple logical network segments using a single physical connection.
Note on Persistence: The ip commands you used create a temporary configuration that will be lost upon reboot. In a production environment, you would make these changes permanent by editing network configuration files, such as those used by Netplan (/etc/netplan/*.yaml) or the older ifupdown system (/etc/network/interfaces).
Summary
In this lab, you learned the complete process of creating and configuring VLAN interfaces on a Linux system using the ip command. You began by preparing the environment, which involved installing the vlan package for user-space utilities and loading the 8021q kernel module to enable VLAN tag processing. This foundational step ensures the system can understand and manage VLAN traffic.
Following the initial setup, you identified the primary physical network interface that would act as the parent for the VLANs. You then used the ip link command to create two separate virtual interfaces, one for VLAN 10 and another for VLAN 20, linking them to the parent interface. To make these interfaces functional, you assigned a unique IP address to each and activated them. The process concluded with using the ip a command to verify that the new VLAN interfaces were successfully created, configured with the correct IP addresses, and active on the network.



