Menu Close
Chapter 8. Configuring VLAN tagging
This section describes how to configure Virtual Local Area Network (VLAN). A VLAN is a logical network within a physical network. The VLAN interface tags packets with the VLAN ID as they pass through the interface, and removes tags of returning packets.
You create a VLAN interface on top of another interface, such as an Ethernet, bond, team, or bridge device. This interface is called the parent interface
.
8.1. Configuring VLAN tagging using nmcli commands
This section describes how to configure Virtual Local Area Network (VLAN) tagging using the nmcli
utility.
Prerequisites
- The interface you plan to use as a parent to the virtual VLAN interface supports VLAN tags.
If you configure the VLAN on top of a bond interface:
- The ports of the bond are up.
-
The bond is not configured with the
fail_over_mac=follow
option. A VLAN virtual device cannot change its MAC address to match the parent’s new MAC address. In such a case, the traffic would still be sent with the then incorrect source MAC address. -
The bond is usually not expected to get IP addresses from a DHCP server or IPv6 auto-configuration. Ensure it by setting the
ipv4.method=disable
andipv6.method=ignore
options while creating the bond. Otherwise, if DHCP or IPv6 auto-configuration fails after some time, the interface might be brought down.
- The switch the host is connected to is configured to support VLAN tags. For details, see the documentation of your switch.
Procedure
Display the network interfaces:
# nmcli device status DEVICE TYPE STATE CONNECTION enp1s0 ethernet disconnected enp1s0 bridge0 bridge connected bridge0 bond0 bond connected bond0 ...
Create the VLAN interface. For example, to create a VLAN interface named
vlan10
that usesenp1s0
as its parent interface and that tags packets with VLAN ID10
, enter:# nmcli connection add type vlan con-name vlan10 ifname vlan10 vlan.parent enp1s0 vlan.id 10
Note that the VLAN must be within the range from
0
to4094
.By default, the VLAN connection inherits the maximum transmission unit (MTU) from the parent interface. Optionally, set a different MTU value:
# nmcli connection modify vlan10 ethernet.mtu 2000
Configure the IP settings of the VLAN device. Skip this step if you want to use this VLAN device as a port of other devices.
Configure the IPv4 settings. For example, to set a static IPv4 address, network mask, default gateway, and DNS server to the
vlan10
connection, enter:# nmcli connection modify vlan10 ipv4.addresses '192.0.2.1/24' # nmcli connection modify vlan10 ipv4.gateway '192.0.2.254' # nmcli connection modify vlan10 ipv4.dns '192.0.2.253' # nmcli connection modify vlan10 ipv4.method manual
Configure the IPv6 settings. For example, to set a static IPv6 address, network mask, default gateway, and DNS server to the
vlan10
connection, enter:# nmcli connection modify vlan10 ipv6.addresses '2001:db8:1::1/32' # nmcli connection modify vlan10 ipv6.gateway '2001:db8:1::fffe' # nmcli connection modify vlan10 ipv6.dns '2001:db8:1::fffd' # nmcli connection modify vlan10 ipv6.method manual
Activate the connection:
# nmcli connection up vlan10
Verification steps
Verify the settings:
# ip -d addr show vlan10 4: vlan10@enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 52:54:00:72:2f:6e brd ff:ff:ff:ff:ff:ff promiscuity 0 vlan protocol 802.1Q id 10 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 inet 192.0.2.1/24 brd 192.0.2.255 scope global noprefixroute vlan10 valid_lft forever preferred_lft forever inet6 2001:db8:1::1/32 scope global noprefixroute valid_lft forever preferred_lft forever inet6 fe80::8dd7:9030:6f8e:89e6/64 scope link noprefixroute valid_lft forever preferred_lft forever
Additional resources
- Testing basic network settings.
- Configuring NetworkManager to avoid using a specific profile to provide a default gateway.
-
nmcli-examples(7)
man page -
The
vlan setting
section in thenm-settings(5)
man page
8.2. Configuring VLAN tagging using nm-connection-editor
This section describes how to configure Virtual Local Area Network (VLAN) tagging using the nm-connection-editor
application.
Prerequisites
- The interface you plan to use as a parent to the virtual VLAN interface supports VLAN tags.
If you configure the VLAN on top of a bond interface:
- The ports of the bond are up.
-
The bond is not configured with the
fail_over_mac=follow
option. A VLAN virtual device cannot change its MAC address to match the parent’s new MAC address. In such a case, the traffic would still be sent with the then incorrect source MAC address.
- The switch the host is connected to is configured to support VLAN tags. For details, see the documentation of your switch.
Procedure
Open a terminal, and enter
nm-connection-editor
:$
nm-connection-editor
- Click the + button to add a new connection.
-
Select the
VLAN
connection type, and click Create. On the
VLAN
tab:- Select the parent interface.
-
Select the VLAN id. Note that the VLAN must be within the range from
0
to4094
. - By default, the VLAN connection inherits the maximum transmission unit (MTU) from the parent interface. Optionally, set a different MTU value.
Optionally, set the name of the VLAN interface and further VLAN-specific options.
Configure the IP settings of the VLAN device. Skip this step if you want to use this VLAN device as a port of other devices.
-
On the
IPv4 Settings
tab, configure the IPv4 settings. For example, set a static IPv4 address, network mask, default gateway, and DNS server: -
On the
IPv6 Settings
tab, configure the IPv6 settings. For example, set a static IPv6 address, network mask, default gateway, and DNS server:
-
On the
- Click Save to save the VLAN connection.
-
Close
nm-connection-editor
.
Verification steps
Verify the settings:
# ip -d addr show vlan10 4: vlan10@enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 52:54:00:d5:e0:fb brd ff:ff:ff:ff:ff:ff promiscuity 0 vlan protocol 802.1Q id 10 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 inet 192.0.2.1/24 brd 192.0.2.255 scope global noprefixroute vlan10 valid_lft forever preferred_lft forever inet6 2001:db8:1::1/32 scope global noprefixroute valid_lft forever preferred_lft forever inet6 fe80::8dd7:9030:6f8e:89e6/64 scope link noprefixroute valid_lft forever preferred_lft forever
8.3. Configuring VLAN tagging using nmstatectl
This section describes how to use the nmstatectl
utility to configure a VLAN with ID 10 that uses an Ethernet connection. As the child device, the VLAN connection contains the IP, default gateway, and DNS configurations.
Depending on your environment, adjust the YAML file accordingly. For example, to use a bridge, or bond device in the VLAN, adapt the base-iface
attribute and type
attributes of the ports you use in the VLAN.
Prerequisites
- To use Ethernet devices as ports in the VLAN, the physical or virtual Ethernet devices must be installed on the server.
-
The
nmstate
package is installed.
Procedure
Create a YAML file, for example
~/create-vlan.yml
, with the following contents:--- interfaces: - name: vlan10 type: vlan state: up ipv4: enabled: true address: - ip: 192.0.2.1 prefix-length: 24 dhcp: false ipv6: enabled: true address: - ip: 2001:db8:1::1 prefix-length: 64 autoconf: false dhcp: false vlan: base-iface: enp1s0 id: 10 - name: enp1s0 type: ethernet state: up routes: config: - destination: 0.0.0.0/0 next-hop-address: 192.0.2.254 next-hop-interface: vlan10 - destination: ::/0 next-hop-address: 2001:db8:1::fffe next-hop-interface: vlan10 dns-resolver: config: search: - example.com server: - 192.0.2.200 - 2001:db8:1::ffbb
Apply the settings to the system:
# nmstatectl apply ~/create-vlan.yml
Verification steps
Display the status of the devices and connections:
# nmcli device status DEVICE TYPE STATE CONNECTION vlan10 vlan connected vlan10
Display all settings of the connection profile:
# nmcli connection show vlan10 connection.id: vlan10 connection.uuid: 1722970f-788e-4f81-bd7d-a86bf21c9df5 connection.stable-id: -- connection.type: vlan connection.interface-name: vlan10 ...
Display the connection settings in YAML format:
# nmstatectl show vlan0
Additional resources
-
nmstatectl(8)
man page -
/usr/share/doc/nmstate/examples/
8.4. Configuring VLAN tagging using RHEL System Role
You can use the Networking RHEL System Role to configure VLAN tagging. This procedure describes how to add an Ethernet connection and a VLAN with ID 10
on top of this Ethernet connection. As the child device, the VLAN connection contains the IP, default gateway, and DNS configurations.
Depending on your environment, adjust the play accordingly. For example:
-
To use the VLAN as a port in other connections, such as a bond, omit the
ip
attribute, and set the IP configuration in the child configuration. -
To use team, bridge, or bond devices in the VLAN, adapt the
interface_name
andtype
attributes of the ports you use in the VLAN.
Prerequisites
-
The
ansible-core
andrhel-system-roles
packages are installed on the control node. -
If you use a different remote user than
root
when you run the playbook, this user has appropriatesudo
permissions on the managed node.
Procedure
If the host on which you want to execute the instructions in the playbook is not yet inventoried, add the IP or name of this host to the
/etc/ansible/hosts
Ansible inventory file:node.example.com
Create the
~/vlan-ethernet.yml
playbook with the following content:--- - name: Configure a VLAN that uses an Ethernet connection hosts: node.example.com become: true tasks: - include_role: name: rhel-system-roles.network vars: network_connections: # Add an Ethernet profile for the underlying device of the VLAN - name: enp1s0 type: ethernet interface_name: enp1s0 autoconnect: yes state: up ip: dhcp4: no auto6: no # Define the VLAN profile - name: enp1s0.10 type: vlan ip: address: - "192.0.2.1/24" - "2001:db8:1::1/64" gateway4: 192.0.2.254 gateway6: 2001:db8:1::fffe dns: - 192.0.2.200 - 2001:db8:1::ffbb dns_search: - example.com vlan_id: 10 parent: enp1s0 state: up
The
parent
attribute in the VLAN profile configures the VLAN to operate on top of theenp1s0
device.Run the playbook:
To connect as
root
user to the managed host, enter:# ansible-playbook -u root ~/vlan-ethernet.yml
To connect as a user to the managed host, enter:
# ansible-playbook -u user_name --ask-become-pass ~/vlan-ethernet.yml
The
--ask-become-pass
option makes sure that theansible-playbook
command prompts for thesudo
password of the user defined in the-u user_name
option.
If you do not specify the
-u user_name
option,ansible-playbook
connects to the managed host as the user that is currently logged in to the control node.
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.network/README.md
file -
ansible-playbook(1)
man page