HOWTO: Using 802.1Q VLANs directly with Linux

[Geoff]

I recently wanted to see if I could educate Linux about VLAN tagging and dispense with the multiple network card approach we've used in the past. Mainly because it's more elegant and I loath wasting hardware and Gigabit switch ports when I don't need to. Happily it worked, so here's how I did it.

Disclaimer: These instructions work for Ubuntu 6.06 LTS. If your using another distro (specifcally something not based on debian) these instructions wont work. However they should point you in enough of the right direction to get it going.

Prequesites

VLAN support is actually a kernel feature, if you don't have it compiled it, it's not going to work. Check this before you continue. For reference, I'm using the 'linux-server' meta package on Ubuntu, which does support this. If your doing a kernel compile, the option that enables 802.1Q VLAN support is found under the Networking options.

You also need the usermode configuration tool 'vconfig'. This is avalible in the package 'vlan' on debian based distros. So simply apt-get it. If you can't use this package you can get the source and compile it yourself from here.

The vlan package also installed some configuration scripts that hook into the standard network interface ifup/ifdown scripts. If your not using the vlan package, you'll have to cook up your own.

Switch Configuration

Obviously the machine will needed to be plugged into a port on a switch that supports VLANs. This usually means using one of the more expensive managed switches. Unfortunately I can't give instructions for every possible switch that supports VLANs so I'll just give a generic overview and a specific example using a ProCurve 2650 via its console (its inadvisable to configure VLANs via telnet or the web interface, if you get something wrong you're likely to lose access to the switch).

Generally on switches supporting VLANs there are two configuration areas related to them. A global configuration that assigns numeric VLAN IDs to some easily recognizable name. So for example you might have:

VLAN ID 1 = DEFAULT_VLAN (*)
VLAN ID 2 = CURRICULUM
VLAN ID 3 = ADMIN

* VLAN 1 is special. It's the only VLAN that will let you communicate with the switches management interface. Thus it's best not to use it other than for infrastructure management.

Once the VLANs are configured you can assign them to specific ports on the switch. There's three possible states for a port for each VLAN.

Untagged member

Any data traveling over this port with no VLAN information attached will be tagged with this VLAN ID. You generally use this when you have a device that isn't configured for VLANs and you only want it to be a member of one VLAN. A end client PC for example.

Tagged member

Data travelling over this port with VLAN information attached for the VLAN ID listed as a tagged member will be forwarded on. Any data with no VLAN information attached (untagged as above) or VLAN IDs that have not been configured for use with the port will be dropped.

Non-member

The port isn't a member of this VLAN. It will never get any data sent using the VLAN ID.

Configuration of the ProCurve

The ProCurves have a lot of extra features when it comes to VLANs. However I'm only going to show the basics here. Firstly I log into the switch and enter the configuration context.

Code:

ProCurve J4899B Switch 2650
Firmware revision H.08.98

Copyright (C) 1991-2006 Hewlett-Packard Co.  All Rights Reserved.

                           RESTRICTED RIGHTS LEGEND

 Use, duplication, or disclosure by the Government is subject to restrictions
 as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and
 Computer Software clause at 52.227-7013.

         HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303

We'd like to keep you up to date about:
  * Software feature updates
  * New product announcements
  * Special events

Please register your products now at:  www.ProCurve.com



Password: *******

Code:

ProCurve Switch 2650# configure

Once this is done. I can configure my VLANs name

Code:

ProCurve Switch 2650(config)# vlan 2 name CURRICULUM
ProCurve Switch 2650(config)# vlan 3 name ADMIN

That was easy! Now on to configuring the ports. For this specific switch we want the untagged member for all ports to be VLAN 2. On most switches we'd have to go through all the ports and set each one. However there's a nice shortcut on procurves to do this quickly for all ports.

Code:

ProCurve Switch 2650(config)# primary-vlan 2

Ports 49 and 50 are special though. They are Gigabit uplinks to other switches. Thus we don't really want to have untagged data floating about and having the switch at the far end 'guess' what it's supposed to do with it. We also need to add VLAN 1 ( the management VLAN) so we can remotely admin the switch.

Code:

ProCurve Switch 2650(config)# vlan 1 tagged 49 50
ProCurve Switch 2650(config)# vlan 2 tagged 49 50
ProCurve Switch 2650(config)# vlan 3 tagged 49 50

So now, we have a functional switch that understands our networks VLANs and does the 'right thing' by default.

Now for the purposes of this HOWTO, our Linux base server is going to be in port 10. We want it to communicate on both VLAN 2 and 3. So we have a couple of options here. We can either just add port 10 as a tagged member to VLAN 3 and leave untagged data going to VLAN 2. Or we can set port 10 to be a tagged member of both VLAN 2 and 3. Personally I find this second option to be more understandable (especially from Linux). However I'll provide examples for both here and later in the Linux section.

Option A: Mixed tagged and untagged port.

By default the swtich will send untagged data out on VLAN 2 so we don't have to do anything about it (see above).

Code:

ProCurve Switch 2650(config)# vlan 3 tagged 10

Option B: Explicit tagged port

You'll notice this is exactly what we did for our uplink ports (Minus the management VLAN).

Code:

ProCurve Switch 2650(config)# vlan 2 tagged 10

Code:

ProCurve Switch 2650(config)# vlan 3 tagged 10

You will lose connectivity to your Linux machine at this point if you went for Option B

Debian based distro configuration

For host configuration, we also need to know the ip addressing schemes being used. For the purposes of this HOWTO. We shall assume that the CURRICULUM VLAN is using hte address range 192.168.200.0/24 and the Linux machine has been assigned the address 192.168.200.10. The default router is 192.168.200.1 for this network. We shall assume the ADMIN VLAN is using the address range 192.168.300.0/24 and the Linux machine has been assigned the address 192.168.300.10. We will not use the router available on this VLAN.

On debian based systems. The init scripts for networking control the VLAN assignment for interfaces. They require that a virtual interface is created for each VLAN the system will be a member of. This is done by naming the interface as 'vlanXX' (where XX is the VLAN ID) in /etc/interfaces/networks. Additionally each VLAN interface must be assigned to a physical interface with the 'vlan_raw_device' keyword. Configurations wil differ at this point depending on if you chose to use Mixed or Explicit port tagging.

Option A: Mixed Tagged Port

In this configuration, the default network interface will be used to generate untagged traffic. So eth0 can be configured as normal Additionally a vlan3 interface must be configured to generate tagged traffic for VLAN ID 3 (ADMIN).

Code:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0 
iface eth0 inet static
        address 192.168.200.10
        netmask 255.255.255.0
        gateway 192.168.200.1

# VLAN interface for ADMIN (VLAN 3)
auto vlan3
iface vlan3 inet static
        address 192.168.300.10
        netmask 255.255.255.0
        vlan_raw_device eth0

Option B: Explicit Tagged Port

In this configuration, the default network interface will left un-configured. The vlan2 interface will be configured to generate traffic for VLAN ID 2 (CURRICULUM). The vlan3 interface configuration is identical to before.

Code:

# The loopback network interface
auto lo
iface lo inet loopback

# VLAN interface for CURRICULUM (VLAN 2)
auto vlan2 
iface vlan2 inet static
        address 192.168.200.10
        netmask 255.255.255.0
        gateway 192.168.200.1
        vlan_raw_device eth0

# VLAN interface for ADMIN (VLAN 3)
auto vlan3
iface vlan3 inet static
        address 192.168.300.10
        netmask 255.255.255.0
        vlan_raw_device eth0

Astute readers will now realise why I prefer this second method. The interface names make it very obvious which interface is associated with which VLAN.

Finishing Up

You can either reboot or run '/etc/init.d/networking restart'. Just be aware that existing network services will also need restarting to pickup the changes if you only restart networking.

Once everything is back up and running, you can verify the new network interfaces are configured correctly. You can do this either with 'ifconfig' or you can examine the contents of the files in '/proc/net/vlan'. The 'config' file lists vlan to physical interface mappings and each 'vlanxx' file lists VLAN specific statistics.

[Guido64]

Hello Geoff,

I setup more or less the same network as you described above.
I use a Procurve 2626 switch and a debian etch cli host configured with your option B, 2 tagged vlans.

That works 100%, both vlans are working, I run a samba server on the machine it is broacasting and everything on both vlans i can send and receive files at great speed, so thats oke.

The problem is however I can't seem to reach the Internet.
I have vlan capable router on one of the gbit ports with trunked link for all the vlans. this is working for all untagged switch ports very well just not for the debian host with the tagged 2 vlans.

The weird thing is: wen i use lynx to go to google that works most of the time.
apt-get update is not working at all i can't reach any apt-get servers.
I can ping google and everyting but its as if i lose packets, the internet connection is just not working right its very slow and most of the time i can't reach no internet service at all.

do you have an idea what could be the problem here?

I googled about this problem many days now and tried several things like adding and changing default gateway in static route on the host and router nothing seem to solve the problem.

I hope you can help?

[MicrodigitUK]

do you have an idea what could be the problem here?

Only enter the default gateway on one of the vlan interfaces. Otherwise the cross network traffic will get confused and go down both default gateways.
This will cause intermittent internet connections.

Also another point to make is that VLAN 1 (Managment) historically should be untagged on all links carrying other tagged vlans. All Cisco trunked ports have VLAN1 untagged and the other vlans tagged. This is the same on the majority of VLAN compatible NICs and the majority of VLAN compatible switches. Although there are some switches that allow VLAN1 to be tagged on trunk ports which confuses maters. HP procurves being one of them.

[Guido64]

I have this vlan network now over a year.
I read, while setting up my vlans, not to use the main first vlan wich i didn't.
Sorry my explaination wasn't complete.

Same with static route to one gateway only, i also did that.
Thats the weird thing i did all that and stil no stable Internet connection.

There seems to be 2 different ways to vlan, layer 2 and layer 3 vlan. It might something to do with that? I'm not using any ip's in the config of my switch. I want the use my router to be the gateway for all vlans. I'm not exacly sure whats the difference between layer 2 and 3. One of both is mac switching and the other is ip switching or something like that.

Other thing that i noticed is:
I have a wireless accesspoint wich also uses 2 vlans tagged just like the debian host.
Here however no problems on both vlans i can surf the internet normaly.
The thing i noticed is that my accesspoint has a ip forward option checked on the management interface (Ikarus-os manager).
Maybe thats the small difference my debian host needs ip forward option switched on?