Overview

802.1Q is a standard that supports VLAN tagging on an Ethernet network.

This article explains how to configure a switchport on a Cisco switch for VLAN tagging, as well as how to configure an Ubuntu Linux server for 802.1Q (VLAN) tagging.

Cisco Setup

All I am doing here is trunking one interface (G1/0/18) and restricting access to two VLANs (101 and 102).

switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch01(config)#interface G1/0/18
switch01(config-if)#switchport trunk encapsulation dot1q
switch01(config-if)#switchport mode trunk
switch01(config-if)#switchport trunk allowed vlan 101,102
switch01(config-if)#exit
switch01(config)#exit
switch01#show running-config interface G1/0/18
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102
 switchport mode trunk
end

switch01#

Linux Setup

  1. Add the 8021q module to the kernel
    # modprobe 8021q
  2. Add the module to the /etc/modules file, so that it loads at next startup
    # echo 8021q >> /etc/modules
  3. Install the appropriate package
    # apt-get install vlan
  4. Configure the network. In my example, eth0 is connected to the trunk port on a Cisco switch, with VLANs 101 and 102 trunked. eth1 is connected to a separate network and switch.
    # cat /etc/network/interfaces
    
    auto eth0.101
    iface eth0.101 inet static
    	address 172.17.101.9
    	netmask 255.255.255.0
    	network 172.17.101.0
    	broadcast 172.17.101.255
    	gateway 172.17.101.1
    	vlan_raw_device eth0
    
    auto eth0.102
    iface eth0.102 inet static
    	address 172.17.102.9
    	netmask 255.255.255.0
    	network 172.17.102.0
    	broadcast 172.17.102.255
    	vlan_raw_device eth0
    
    auto eth1
    iface eth1 inet static
    	address 172.17.100.9
    	netmask 255.255.255.0
    	network 172.17.100.0
    	broadcast 172.17.100.255
  5. Restart networking. I came across inconsistent results by using /etc/init.d/networking restart and the ifup and ifdown commands. While your mileage may vary, I just rebooted the box.
  6. Make sure things are working. As you can see, eth0 does not have an IP address, while the VLAN interfaces, eth0.101 and eth0.102, do.
    kmjohnson@squid:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 14:fe:b5:2c:15:86
              inet6 addr: fe80::16fe:b5ff:fe2c:1586/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:23763 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10485 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:3481376 (3.4 MB)  TX bytes:2500480 (2.5 MB)
              Interrupt:36 Memory:d6000000-d6012800 
    
    eth1      Link encap:Ethernet  HWaddr 14:fe:b5:2c:15:88
              inet addr:172.17.100.9  Bcast:172.17.100.255  Mask:255.255.255.0
              inet6 addr: fe80::16fe:b5ff:fe2c:1588/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:973 errors:0 dropped:0 overruns:0 frame:0
              TX packets:257 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:75737 (75.7 KB)  TX bytes:29086 (29.0 KB)
              Interrupt:48 Memory:d8000000-d8012800 
    
    eth0.101  Link encap:Ethernet  HWaddr 14:fe:b5:2c:15:86
              inet addr:172.17.101.9  Bcast:172.17.101.255  Mask:255.255.255.0
              inet6 addr: fe80::16fe:b5ff:fe2c:1586/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:17260 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10350 errors:0 dropped:4 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2445291 (2.4 MB)  TX bytes:2400114 (2.4 MB)
    
    eth0.102  Link encap:Ethernet  HWaddr 14:fe:b5:2c:15:86
              inet addr:172.17.102.9  Bcast:172.17.102.255  Mask:255.255.255.0
              inet6 addr: fe80::16fe:b5ff:fe2c:1586/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:6503 errors:0 dropped:0 overruns:0 frame:0
              TX packets:101 errors:0 dropped:3 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:513299 (513.2 KB)  TX bytes:8438 (8.4 KB)
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:277 errors:0 dropped:0 overruns:0 frame:0
              TX packets:277 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:25230 (25.2 KB)  TX bytes:25230 (25.2 KB)
    
    kmjohnson@squid:~$ ping 172.17.101.1
    PING 172.17.101.1 (172.17.101.1) 56(84) bytes of data.
    64 bytes from 172.17.101.1: icmp_seq=1 ttl=64 time=0.124 ms
    ^C
    --- 172.17.101.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.124/0.124/0.124/0.000 ms
    kmjohnson@squid:~$ ping 172.17.102.1
    PING 172.17.102.1 (172.17.102.1) 56(84) bytes of data.
    64 bytes from 172.17.102.1: icmp_seq=1 ttl=64 time=9.39 ms
    ^C
    --- 172.17.102.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 9.391/9.391/9.391/0.000 ms
    kmjohnson@squid:~$
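
The allowed-VLAN list on the trunk and the `ethX.<id>` stanzas on the host have to agree, and keeping both limited to the VLANs the server needs is what restricts its reach. The following is an added example, not part of the original article: it reads an interfaces file on stdin and flags any sub-interface whose VLAN ID is outside the switch's allowed list. The function names and the `eth0.200` stanza are hypothetical, and range handling (`100-110`) goes beyond the two single IDs used above.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check the VLAN
# sub-interfaces in an ifupdown file against the switch's allowed-VLAN list.

# vlan_in_allowed <vlan_id> <allowed>
# <allowed> uses the switch syntax: IDs and ranges, e.g. "101,102" or "100-110,200".
vlan_in_allowed() {
    id=$1
    old_ifs=$IFS
    IFS=,
    for part in $2; do
        lo=${part%-*}   # "101" -> 101, "100-110" -> 100
        hi=${part#*-}   # "101" -> 101, "100-110" -> 110
        if [ "$id" -ge "$lo" ] && [ "$id" -le "$hi" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_vlan_ifaces <allowed>   (reads an interfaces file on stdin)
# Prints "<iface> <vlan_id> ok|not-allowed" for each "iface <dev>.<id>" stanza.
check_vlan_ifaces() {
    allowed=$1
    awk '$1 == "iface" && $2 ~ /^[^.]+\.[0-9]+$/ { print $2 }' |
    while read -r ifname; do
        id=${ifname##*.}
        if vlan_in_allowed "$id" "$allowed"; then
            echo "$ifname $id ok"
        else
            echo "$ifname $id not-allowed"
        fi
    done
}

# Constructed sample: the article's stanzas plus a hypothetical eth0.200.
check_vlan_ifaces "101,102" <<'EOF'
auto eth0.101
iface eth0.101 inet static
iface eth0.102 inet static
iface eth0.200 inet static
iface eth1 inet static
EOF
```

On a real host, run it as `check_vlan_ifaces "101,102" < /etc/network/interfaces`.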

Issues

I ran into an issue where, when connecting to an interface that did not have a gateway defined (eth0.102), the packet was being dropped by the kernel. To fix this, the following two lines were needed in /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
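
`rp_filter` is the kernel's reverse-path source validation: 0 is off, 1 is strict, 2 is loose, and the kernel applies the higher of the `conf/all` value and the per-interface value. The following is an added example, not part of the original article: it reports the effective mode for every interface, so you can see which ones are left without source validation after a change like the one above. The function names are hypothetical, and the directory argument exists so the check can be run against a test tree instead of the live `/proc`.

```shell
#!/bin/sh
# Added example (not from the original article): report the effective
# rp_filter mode per interface. Effective value = max(conf/all, conf/<iface>).

rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# rp_filter_report [conf_dir]
# Prints "<iface> <configured> <effective> <mode>" for each interface.
# conf_dir defaults to the live kernel tree; interface names that contain
# dots (eth0.102) are directory names here, so they need no escaping.
rp_filter_report() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all_val=$(cat "$conf_dir/all/rp_filter") || return 1
    for f in "$conf_dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        val=$(cat "$f")
        if [ "$val" -gt "$all_val" ]; then eff=$val; else eff=$all_val; fi
        echo "$iface $val $eff $(rp_mode_name "$eff")"
    done
}

# rp_filter_unvalidated [conf_dir]
# Lists interfaces on which no source validation is done (effective value 0).
rp_filter_unvalidated() {
    rp_filter_report "$1" | awk '$3 == 0 { print $1 }'
}

# Report on the live host when the kernel tree is available.
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    rp_filter_report
fi
```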