Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 11. Configuring VLAN tagging

This section describes how to configure Virtual Local Area Network (VLAN). A VLAN is a logical network within a physical network. The VLAN interface tags packets with the VLAN ID as they pass through the interface, and removes tags of returning packets.

You create a VLAN interface on top of another interface, such as an Ethernet, bond, team, or bridge device. This interface is called the parent interface.

11.1. Configuring VLAN tagging using nmcli commands

This section describes how to configure Virtual Local Area Network (VLAN) tagging using the nmcli utility.

Prerequisites

  • The interface you plan to use as a parent to the virtual VLAN interface supports VLAN tags.

  • If you configure the VLAN on top of a bond interface:

    • The ports of the bond are up.
    • The bond is not configured with the fail_over_mac=follow option. A VLAN virtual device cannot change its MAC address to match the parent’s new MAC address. In such a case, the traffic would still be sent with the then incorrect source MAC address.
    • The bond is usually not expected to get IP addresses via DHCP or IPv6 autoconfiguration. Ensure it by setting ipv4.method=disable and ipv6.method=ignore options while creating a bond; otherwise if DHCP/IPv6-autoconf fails after some time, the interface might be brought down.
  • The switch the host is connected to is configured to support VLAN tags. For details, see the documentation of your switch.

Procedure

  1. Display the network interfaces: 

    # nmcli device status
DEVICE   TYPE      STATE         CONNECTION
enp1s0   ethernet  disconnected  enp1s0
bridge0  bridge    connected     bridge0
bond0    bond      connected     bond0
...

  2. Create the VLAN interface. For example, to create a VLAN interface named vlan10 that uses enp1s0 as its parent interface and that tags packets with VLAN ID 10, enter: 

    # nmcli connection add type vlan con-name vlan10 ifname vlan10 vlan.parent enp1s0 vlan.id 10

    Note that the VLAN must be within the range from 0 to 4094.

  3. By default, the VLAN connection inherits the maximum transmission unit (MTU) from the parent interface. Optionally, set a different MTU value: 

    # nmcli connection modify vlan10 802-3-ethernet.mtu 2000

  4. Configure the IP settings of the VLAN device. Skip this step if you want to use this VLAN device as a port of other devices.

    1. Configure the IPv4 settings. For example, to set a static IPv4 address, network mask, default gateway, and DNS server to the vlan10 connection, enter: 

      # nmcli connection modify vlan10 ipv4.addresses '192.0.2.1/24'
# nmcli connection modify vlan10 ipv4.gateway '192.0.2.254'
# nmcli connection modify vlan10 ipv4.dns '192.0.2.253'
# nmcli connection modify vlan10 ipv4.method manual

    2. Configure the IPv6 settings. For example, to set a static IPv6 address, network mask, default gateway, and DNS server to the vlan10 connection, enter: 

      # nmcli connection modify vlan10 ipv6.addresses '2001:db8:1::1/32'
# nmcli connection modify vlan10 ipv6.gateway '2001:db8:1::fffe'
# nmcli connection modify vlan10 ipv6.dns '2001:db8:1::fffd'
# nmcli connection modify vlan10 ipv6.method manual

  5. Activate the connection: 

    # nmcli connection up vlan10

Verification steps

  1. Verify the settings: 

    # ip -d addr show vlan10
4: vlan10@enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:d5:e0:fb brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 10 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet 192.0.2.1/24 brd 192.0.2.255 scope global noprefixroute vlan10
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::1/32 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::8dd7:9030:6f8e:89e6/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Additional resources

11.2. Configuring VLAN tagging using nm-connection-editor

This section describes how to configure Virtual Local Area Network (VLAN) tagging using the nm-connection-editor application.

Prerequisites

  • The interface you plan to use as a parent to the virtual VLAN interface supports VLAN tags.

  • If you configure the VLAN on top of a bond interface:

    • The ports of the bond are up.
    • The bond is not configured with the fail_over_mac=follow option. A VLAN virtual device cannot change its MAC address to match the parent’s new MAC address. In such a case, the traffic would still be sent with the then incorrect source MAC address.
  • The switch the host is connected to is configured to support VLAN tags. For details, see the documentation of your switch.

Procedure

  1. Open a terminal, and enter nm-connection-editor: 

    $ nm-connection-editor
  2. Click the + button to add a new connection.
  3. Select the VLAN connection type, and click Create.

  4. On the VLAN tab:

    1. Select the parent interface.
    2. Select the VLAN id. Note that the VLAN must be within the range from 0 to 4094.
    3. By default, the VLAN connection inherits the maximum transmission unit (MTU) from the parent interface. Optionally, set a different MTU value.

    4. Optionally, set the name of the VLAN interface and further VLAN-specific options.

      vlan settings nm connection editor

  5. Configure the IP settings of the VLAN device. Skip this step if you want to use this VLAN device as a port of other devices.

    1. On the IPv4 Settings tab, configure the IPv4 settings. For example, set a static IPv4 address, network mask, default gateway, and DNS server: vlan IPv4 settings nm connection editor
    2. On the IPv6 Settings tab, configure the IPv6 settings. For example, set a static IPv6 address, network mask, default gateway, and DNS server: vlan IPv6 settings nm connection editor
  6. Click Save to save the VLAN connection.
  7. Close nm-connection-editor.

Verification steps

  1. Verify the settings: 

    # ip -d addr show vlan10
4: vlan10@enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:d5:e0:fb brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 10 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet 192.0.2.1/24 brd 192.0.2.255 scope global noprefixroute vlan10
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::1/32 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::8dd7:9030:6f8e:89e6/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Additional resources

11.3. Configuring VLAN tagging using nmstatectl

This section describes how to use the nmstatectl utility to configure a VLAN with ID 10 that uses an Ethernet connection. As the parent device, the VLAN connection contains the IP, default gateway, and DNS configurations.

Depending on your environment, adjust the YAML file accordingly. For example, to use a team, bridge, or bond device in the VLAN, adapt the base-iface attribute and type attributes of the ports you use in the VLAN.

Prerequisites

  • To use Ethernet devices as ports in the VLAN, the physical or virtual Ethernet devices must be installed on the server.
  • The nmstate package is installed.

Procedure

  1. Create a YAML file, for example ~/create-vlan.yml, with the following contents: 

    ---
interfaces:
- name: vlan10
  type: vlan
  state: up
  ipv4:
    enabled: true
    address:
    - ip: 192.0.2.1
      prefix-length: 24
    dhcp: false
  ipv6:
    enabled: true
    address:
    - ip: 2001:db8:1::1
      prefix-length: 64
    autoconf: false
    dhcp: false
  vlan:
    base-iface: enp1s0
    id: 10
- name: enp1s0
  type: ethernet
  state: up

routes:
  config:
  - destination: 0.0.0.0/0
    next-hop-address: 192.0.2.254
    next-hop-interface: vlan10
  - destination: ::/0
    next-hop-address: 2001:db8:1::fffe
    next-hop-interface: vlan10

dns-resolver:
  config:
    search:
    - example.com
    server:
    - 192.0.2.200
    - 2001:db8:1::ffbb

  2. Apply the settings to the system: 

    # nmstatectl set ~/create-vlan.yml

Verification steps

  1. Display the status of the devices and connections: 

    # nmcli device status
DEVICE      TYPE      STATE      CONNECTION
vlan10      vlan      connected  vlan10

  2. Display all settings of the connection profile: 

    # nmcli connection show vlan10
connection.id:              vlan10
connection.uuid:            1722970f-788e-4f81-bd7d-a86bf21c9df5
connection.stable-id:       --
connection.type:            vlan
connection.interface-name:  vlan10
...

Additional resources

  • For further details about nmstatectl, see the nmstatectl(8) man page.
  • For more configuration examples, see the /usr/share/doc/nmstate/examples/ directory.

11.4. Configuring VLAN tagging using System Roles

You can use the networking RHEL System Role to configure VLAN tagging. This procedure describes how to add an Ethernet connection and a VLAN with ID 10 that uses this Ethernet connection. As the parent device, the VLAN connection contains the IP, default gateway, and DNS configurations.

Depending on your environment, adjust the play accordingly. For example:

  • To use the VLAN as a port in other connections, such as a bond, omit the ip attribute, and set the IP configuration in the parent configuration.
  • To use team, bridge, or bond devices in the VLAN, adapt the interface_name and type attributes of the ports you use in the VLAN.

Prerequisites

  • The ansible and rhel-system-roles packages are installed on the control node.
  • If you use a different remote user than root when you run the playbook, this user has appropriate sudo permissions on the managed node.

Procedure

  1. If the host on which you want to execute the instructions in the playbook is not yet inventoried, add the IP or name of this host to the /etc/ansible/hosts Ansible inventory file: 

    node.example.com

  2. Create the ~/vlan-ethernet.yml playbook with the following content: 

    ---
- name: Configure a VLAN that uses an Ethernet connection
  hosts: node.example.com
  become: true
  tasks:
  - include_role:
      name: linux-system-roles.network

    vars:
      network_connections:
        # Add an Ethernet profile for the underlying device of the VLAN
        - name: enp1s0
          type: ethernet
	  interface_name: enp1s0
	  autoconnect: yes
          state: up
	  ip:
	    dhcp4: no
	    auto6: no

        # Define the VLAN profile
        - name: vlan10
          type: vlan
          ip:
            address:
              - "192.0.2.1/24"
              - "2001:db8:1::1/64"
            gateway4: 192.0.2.254
            gateway6: 2001:db8:1::fffe
            dns:
              - 192.0.2.200
              - 2001:db8:1::ffbb
            dns_search:
              - example.com
          vlan_id: 10
	  parent: enp1s0
          state: up

    The parent attribute in the VLAN profile configures the VLAN to operate on top of the enp1s0 device.

  3. Run the playbook:

    • To connect as root user to the managed host, enter: 

      # ansible-playbook -u root ~/vlan-ethernet.yml

    • To connect as a user to the managed host, enter: 

      # ansible-playbook -u user_name --ask-become-pass ~/vlan-ethernet.yml

      The --ask-become-pass option makes sure that the ansible-playbook command prompts for the sudo password of the user defined in the -u user_name option.

    If you do not specify the -u user_name option, ansible-playbook connects to the managed host as the user that is currently logged in to the control node.

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.network/README.md file
  • ansible-playbook(1) man page