VLAN (Virtual Local Area Network) is a network technology that segments traffic by dividing a physical network into logical groups. This improves network security and efficiency because it prevents communication between VLANs unless it is specifically allowed. VLANs rely on the IEEE 802.1Q networking standard, also known as dot1q.

VLANs are widely used for office department network partitioning, guest WiFi traffic isolation, VoIP traffic prioritization, and securing IoT devices, among many other applications. Before you configure a VLAN in your network infrastructure, ensure the network switch in use supports VLAN tagging (802.1Q). The process of checking for VLAN support varies from one vendor to another; I recommend consulting the official switch vendor documentation.

Setup Prerequisites

To configure a VLAN network interface in your Ubuntu or Debian system, you will need the following information.

  • Access to your Ubuntu system as root or user with sudo privileges.
  • Identify the physical network interface name. This can be an Ethernet or WiFi interface name.
  • Have a known VLAN ID to be configured for your network.

Log in to your server and install the vlan package.

sudo apt update && sudo apt install vlan

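For hosts used in virtualization, enable the following settings in sysctl. They turn on IPv4 forwarding, keep ARP filtering off, and set reverse-path filtering to loose mode (2). With forwarding on, the host can route between the VLANs it is attached to, so this step belongs only on hosts that need to forward guest traffic.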

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.arp_filter=0" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=2" | sudo tee -a /etc/sysctl.conf

Load configurations after adding them to the file.

$ sudo sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 2
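The kernel applies the higher of the `all` and per-interface rp_filter values, so `all.rp_filter=2` puts every interface in loose mode even where the interface itself is set to strict. The following check is an added example, not part of the original guide; it works on a constructed sample of `sysctl -a` lines, and the function name is an assumption.

```shell
#!/bin/sh
# Added example: effective rp_filter per interface from `sysctl -a` style text.

# Constructed sample (not captured from a real host); ens19/30 is how sysctl
# prints the interface ens19.30.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.ens18.rp_filter = 1
net.ipv4.conf.ens19.rp_filter = 0
net.ipv4.conf.ens19/30.rp_filter = 1'

# effective_rp_filter: read "key = value" lines on stdin and print, for every
# interface, the configured value and the value the kernel actually applies.
effective_rp_filter() {
    awk -F' *= *' '
        $1 == "net.ipv4.ip_forward" { fwd = $2 + 0 }
        $1 ~ /^net\.ipv4\.conf\..+\.rp_filter$/ {
            ifc = $1
            sub(/^net\.ipv4\.conf\./, "", ifc)
            sub(/\.rp_filter$/, "", ifc)
            gsub(/\//, ".", ifc)          # sysctl writes "." in names as "/"
            if (ifc == "all") all = $2 + 0
            else if (ifc != "default") { order[++n] = ifc; val[ifc] = $2 + 0 }
        }
        END {
            for (i = 1; i <= n; i++) {
                ifc = order[i]
                eff = (val[ifc] > all) ? val[ifc] : all   # kernel uses the max
                mode = "off"
                if (eff == 1) mode = "strict"
                if (eff == 2) mode = "loose"
                print ifc, "configured=" val[ifc], "effective=" eff, mode
            }
            print "ip_forward=" (fwd + 0)
        }'
}

# Demo on the constructed sample; on a live host:
#   sysctl -a 2>/dev/null | effective_rp_filter
printf '%s\n' "$SAMPLE_SYSCTL" | effective_rp_filter
```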

Create VLAN interface on Ubuntu

We begin by loading the kernel module that provides VLAN support. This is done by issuing the following command in the terminal.

sudo modprobe 8021q

You can print extra information about the module using the modinfo command.

$ sudo modinfo 8021q
filename:       /lib/modules/6.1.0-18-amd64/kernel/net/8021q/8021q.ko
version:        1.8
license:        GPL
alias:          rtnl-link-vlan
srcversion:     686DDAC35CEE6EFE0A30ADC
depends:        mrp,garp
retpoline:      Y
intree:         Y
name:           8021q
vermagic:       6.1.0-18-amd64 SMP preempt mod_unload modversions
sig_id:         PKCS#7
signer:         Debian Secure Boot CA
sig_key:        32:A0:28:7F:84:1A:03:6F:A3:93:C1:E0:65:C4:3A:E6:B2:42:26:43
sig_hashalgo:   sha256

We will consider three options for configuring the VLAN.

1) Configure temporary VLAN tagging

This method is useful for testing VLAN connectivity on an endpoint. The configuration does not persist across a reboot. We will use the ip command to create a VLAN interface at runtime on our Ubuntu Linux machine.

List the network interfaces on your system.

$ sudo ip link  show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether bc:24:11:44:e9:6f brd ff:ff:ff:ff:ff:ff
    altname enp0s18
3: ens19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether bc:24:11:bc:3f:d4 brd ff:ff:ff:ff:ff:ff
    altname enp0s19

We will use the ip link add command to create a new tagged interface on top of a physical interface. Replace the interface name with your actual interface name and the VLAN ID with your own VLAN ID.

The syntax is:

sudo ip link add link <interface_name> name <vlan_interface_name> type vlan id <vlan_id>

Here is an example where we are creating a tagged interface named vlan30 with VLAN ID 30 on physical interface ens19:

sudo ip link add link ens19 name vlan30 type vlan id 30

We can now assign an IP address to the VLAN interface.

sudo ip addr add 172.20.30.44/24 dev vlan30

Where:

  • 172.20.30.44 is the IP address
  • /24 is subnet mask == 255.255.255.0
  • vlan30 is VLAN interface name

Bring up the interface.

sudo ip link set dev vlan30 up

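If traffic for another network must leave through this interface, add a route to that network via the VLAN gateway. Include the prefix length (a /24 is assumed here); without it, ip treats the destination as a single host.

sudo ip route add 192.168.89.0/24 via 172.20.30.1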

For a default gateway, use:

sudo ip route add default via 172.20.30.1

Confirm the configured network settings.

$ ip ad show dev vlan30
5: vlan30@ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:0c:69:4e brd ff:ff:ff:ff:ff:ff
    inet 172.20.30.44/24 scope global vlan30
       valid_lft forever preferred_lft forever
    inet6 fe80::be24:11ff:fe0c:694e/64 scope link
       valid_lft forever preferred_lft forever

2) Using /etc/network/interfaces file

To persist the changes done in 1), we can edit and put VLAN configurations in the /etc/network/interfaces file.

$ sudo vim /etc/network/interfaces
# Primary interface
auto ens19
iface ens19 inet manual

# Example for VLAN ID 30 on interface ens19
auto ens19.30
iface ens19.30 inet static
    address 172.20.30.2
    netmask 255.255.255.0
    gateway 172.20.30.1
    dns-nameservers 172.20.30.254

Substitute the details given above with your own network settings, then restart networking.

sudo systemctl restart networking

If you are using a Linux bridge, edit the file as shown below.

# Primary interface
auto ens19
iface ens19 inet manual

# Example for VLAN ID 30 on interface ens19
auto ens19.30
iface ens19.30 inet manual

# Bridge creation
# (ifupdown does not support end-of-line comments, so each comment is on its own line)
auto br0
iface br0 inet static
  bridge_ports ens19.30
  # disable Spanning Tree Protocol
  bridge_stp off
  # no delay before a port becomes available
  bridge_waitport 0
  # no forwarding delay
  bridge_fd 0
  address 172.20.30.2
  netmask 255.255.255.0
  gateway 172.20.30.1
  dns-nameservers 172.20.30.1

Sample configurations on my machine.

$ ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 1c:69:7a:ab:be:de brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet6 fe80::1e69:7aff:feab:bede/64 scope link
       valid_lft forever preferred_lft forever
3: ens19.30@ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1c:69:7a:ab:be:de brd ff:ff:ff:ff:ff:ff
    inet 172.20.30.2/24 brd 172.20.30.255 scope global ens19.30
       valid_lft forever preferred_lft forever
    inet6 fe80::1e69:7aff:feab:bede/64 scope link
       valid_lft forever preferred_lft forever

3) Using netplan

Netplan is a network configuration tool that simplifies the management of network interfaces on Ubuntu Linux systems. Below is an example of how to configure a VLAN interface using Netplan:

Create a new netplan file.

sudo vim /etc/netplan/01-vlan-interface.yaml

Adjust the settings to suit your use case.

network:
  version: 2
  ethernets:
    ens19:
      dhcp4: no
  vlans:
    vlan.30:
      id: 30
      link: ens19
      addresses: [ 172.20.30.2/24 ]
      routes:
       - to: default
         via: 172.20.30.1
      nameservers:
        addresses: [172.20.30.1, 8.8.4.4] 

Apply the configurations and activate the interface.

sudo netplan apply

Verify the result with:

ip addr show
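ip addr show confirms the address but not the 802.1Q tag, which only appears in the detailed link view (`ip -d link show`). The script below is an added example, not part of the original guide: it parses that detailed output and compares the VLAN sub-interfaces found against the parent:ID pairs the host is supposed to carry. The sample text is constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit 802.1Q sub-interfaces from `ip -d link show` output.

# Constructed sample (not captured from a real host).
SAMPLE_IP_D_LINK='2: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether bc:24:11:bc:3f:d4 brd ff:ff:ff:ff:ff:ff promiscuity 0
5: vlan30@ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether bc:24:11:bc:3f:d4 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 30 <REORDER_HDR> addrgenmode eui64
6: ens19.40@ens19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether bc:24:11:bc:3f:d4 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 40 <REORDER_HDR> addrgenmode eui64'

# list_vlans: print "name parent vid state" for each VLAN interface on stdin.
list_vlans() {
    awk '
        /^[0-9]+: / {
            name = $2; sub(/:$/, "", name); parent = "-"
            if (split(name, p, "@") == 2) { name = p[1]; parent = p[2] }
            state = "UNKNOWN"
            for (i = 3; i < NF; i++) if ($i == "state") state = $(i + 1)
        }
        $1 == "vlan" && $2 == "protocol" {
            for (i = 3; i < NF; i++)
                if ($i == "id") { print name, parent, $(i + 1), state; break }
        }'
}

# audit_vlans "parent:vid ...": compare against the VLANs this host should
# carry; prints one finding per line and returns non-zero if there is any.
audit_vlans() {
    list_vlans | awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        {
            key = $2 ":" $3
            if (!(key in need)) { print "UNEXPECTED " $1 " (" key ")"; bad = 1; next }
            delete need[key]
            if ($4 != "UP") { print "NOT-UP " $1 " (" key ") state=" $4; bad = 1 }
        }
        END {
            for (k in need) { print "MISSING " k; bad = 1 }
            exit bad + 0
        }'
}

# Demo on the sample; on a live host: ip -d link show | audit_vlans "ens19:30"
printf '%s\n' "$SAMPLE_IP_D_LINK" | audit_vlans "ens19:30" || true
```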

Conclusion

In this post we have used different methods to get a VLAN configured and working on our Ubuntu 24.04 Linux system. You can test the functionality using ping or similar tools to check service access from external devices. Remember to adjust the network details used in this guide in accordance with your network setup. For any issues you encounter following our guide, feel free to reach out to us.

2 COMMENTS

  1. This information is out of date. A fresh install of ubuntu 24.10 is not using the /etc/network/interfaces file to bring up networking anymore.
