Introduction
VLANs make it possible to separate large networks into smaller and manageable ones. The 802.1Q is a standard which is implemented by all vendors into their network equipment. Some switches have the ability to assign multiple VLANs to a single network port. With this feature, you can assign multiple VLANs to a single server. The switch can separate the packages because every Ethernet frame is tagged with the VLA
Prerequisites
- The network switch your server is connected to must be set up for a successful procedure
- The switch should support VLAN tagging
- You must be logged in via SSH as sudo or root user. This tutorial assumes that you are logged in as a sudo user.
Step 1 – Log in using SSH
You must be logged in via SSH as sudo or root user. Please view this article for instructions if you don’t know how to connect.
Step 2 – Install dependency
sudo apt-get install vlan
Step 3 – Create network routes
Edit the following file in order to allow multiple VLANs on your server to create routing tables.
sudo nano /etc/iproute2/rt_tables
Add the following lines.
500 firsttable 501 secondtable
Step 4 – Find the active network interface
clear && echo $(ip -o -4 route get 8.8.8.8 | sed -nr 's/.*dev ([^\ ]+).*/\1/p')
Step 5 – Configure the network interface
In our example our network interface is eth0. Our article will use eth0 but you have to use the network interface name from step 4.
Edit your network configuration.
sudo nano /etc/network/interfaces
Remove the following lines.
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 89.207.131.20/24
gateway 89.207.131.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 89.207.128.252 89.207.130.252
dns-search snel.comConfigure the first VLAN 453.
auto eth0.453
iface eth0.453 inet static
address 89.207.131.20
netmask 255.255.255.0
dns-nameservers 89.207.128.252 89.207.130.252
dns-search snel.com
post-up ip route add 89.207.131.0/24 dev eth0.453 src 89.207.131.1 table firsttable
post-up ip route add default via 89.207.131.1 dev eth0.453 table firsttable
post-up ip rule add from 89.207.131.0/24 table firsttable
post-up ip rule add to 89.207.131.0/24 table firsttableConfigure the second VLAN 3047.
auto eth0.3047
iface eth0.3047 inet static
address 78.41.207.45
netmask 255.255.255.0
post-up ip route add 78.41.207.0/24 dev eth0.3047 src 78.41.207.45 table secondtable
post-up ip route add default via 78.41.207.1 dev eth0.3047 table secondtable
post-up ip rule add from 78.41.207.0/24 table secondtable
post-up ip rule add to 78.41.207.0/24 table secondtable
Step 6 – Configure sysctl
Enable packet forwarding on the server by creating the following file.
sudo nano /etc/sysctl.d/90-override.conf
Add the following line.
net.ipv4.ip_forward=1
Enable reverse path and arp filtering.
net.ipv4.conf.all.arp_filter=0 net.ipv4.conf.all.rp_filter=2
Apply the changes.
sudo sysctl -p /etc/sysctl.d/90-override.conf
Step 7 – Restart the server
sudo reboot
Step 8 – Test IP addresses
Ping from your workstation to check if the IPs are active.
ping 78.41.207.45
ping 89.207.131.20
Step 9 – Test IP address on Server
Check if the packets are using the right VLAN to leave the server
Perform a ping from eth0.3047 to check if it’s using the right VLAN to communicate with the destination IP address.
ping -I eth0.3047 8.8.8.8
Output
PING 8.8.8.8 (8.8.8.8) from 78.41.207.45 eth0.3047: 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=122 time=2.03 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=122 time=2.13 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=122 time=2.21 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=122 time=2.06 ms ^C --- 8.8.8.8 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3080ms rtt min/avg/max/mdev = 2.038/2.113/2.217/0.089 ms
Perform a ping from eth0.453
ping -I eth0.453 8.8.8.8
Output
PING 8.8.8.8 (8.8.8.8) from 89.207.131.20 eth0.453: 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=123 time=2.26 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=123 time=2.37 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=123 time=2.44 ms ^C --- 8.8.8.8 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2756ms rtt min/avg/max/mdev = 2.266/2.360/2.444/0.073 ms
Conclusion
Congratulations, you have now configured a server which listens to two VLANs with two gateways. VLAN tagging is not limited to two VLANs, multiple VLANs are supported. You have to add each VLAN according to the network configuration of that VLAN.
Can I use the same physical interface ETH0 to forward/route packages to the ISP from both vlans (VLAN 1 and VLAN 100)?
my setup:
SW_VLAN_100—->MAIN_SWitch_VLAN1_and_VLAN100—–>Debian_DHCP_SERVER—->ISP
^
|
otherSwitch_VLAN_1 ——-|
With the correct hardware this is possible. Both the SW_VLAN_100 and MAIN_SWitch_VLAN1_and_VLAN100 should be a managed switch which supports 802.1Q VLAN Tagging and you should configure the MAIN_SWitch_VLAN1_and_VLAN100 and SW_VLAN_100 uplinks (tagged in both VLAN 1 and VLAN 100) correctly.