VLAN Configuration

VLAN Configuration

VLANs (Virtual Local Area Networks) segment a physical network into isolated logical networks. A server with a single NIC connected to a trunk port can communicate on multiple VLANs by tagging packets with the 802.1Q VLAN ID. This is common in data centers where you need management, storage, and application traffic on separate networks through one physical connection.

What is a VLAN?

Physical setup:
  Server NIC ── [Trunk port] ── Switch ── [Access ports per VLAN]
                                  │
                     VLAN 10 (Management): 10.0.10.0/24
                     VLAN 20 (Production): 10.0.20.0/24
                     VLAN 30 (Storage):    10.0.30.0/24

On the server, you create a VLAN sub-interface for each VLAN:
  ens3        → physical interface (no IP usually)
  ens3.10     → VLAN 10 interface (10.0.10.5/24)
  ens3.20     → VLAN 20 interface (10.0.20.5/24)
  ens3.30     → VLAN 30 interface (10.0.30.5/24)

802.1Q VLAN tagging

When a packet leaves the server on a VLAN interface, the kernel adds a 4-byte 802.1Q tag to the Ethernet frame containing the VLAN ID. The switch reads this tag and forwards the packet on the correct VLAN. The switch must have the server’s port configured as a trunk port (passes multiple VLANs) for this to work.

⚠️ WARNING: VLAN configuration requires corresponding switch configuration. A VLAN interface on the server will silently fail if the switch port is not configured as a trunk port with those VLAN IDs allowed. Always coordinate VLAN changes with your switch/network administrator.

Configuring VLANs in Netplan

sudo nano /etc/netplan/00-vlans.yaml

VLAN configuration

network:
  version: 2
  ethernets:
    ens3:
      dhcp4: false    # Physical interface: no IP directly

  vlans:
    vlan10:
      id: 10
      link: ens3
      dhcp4: false
      addresses: [10.0.10.5/24]
      routes:
        - to: default
          via: 10.0.10.1      # Default gateway on management VLAN
      nameservers:
        addresses: [10.0.10.53]

    vlan20:
      id: 20
      link: ens3
      dhcp4: false
      addresses: [10.0.20.5/24]
      # No default route here — only management VLAN has default route

    vlan30:
      id: 30
      link: ens3
      dhcp4: false
      addresses: [10.0.30.5/24]

sudo netplan try
sudo netplan apply

VLANs on bonded interfaces

# Real-world setup: LACP bond + VLANs (common in data centers)
network:
  version: 2
  ethernets:
    ens3:
      dhcp4: false
    ens4:
      dhcp4: false
  bonds:
    bond0:
      interfaces: [ens3, ens4]
      parameters:
        mode: 802.3ad
      dhcp4: false
  vlans:
    vlan10:
      id: 10
      link: bond0    # VLAN on top of bond
      addresses: [10.0.10.5/24]
    vlan20:
      id: 20
      link: bond0
      addresses: [10.0.20.5/24]

Verifying VLAN configuration

# Show VLAN interfaces
ip addr show | grep -E "vlan|@"

# Show the VLAN ID and parent link
cat /proc/net/vlan/config

ip addr show with VLAN interfaces

3: vlan10@ens3:  mtu 1500 qdisc noqueue
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.5/24 brd 10.0.10.255 scope global vlan10

4: vlan20@ens3:  mtu 1500 qdisc noqueue
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 10.0.20.5/24 brd 10.0.20.255 scope global vlan20

# Test connectivity on each VLAN
ping -c 3 -I vlan10 10.0.10.1    # -I forces source interface
ping -c 3 -I vlan20 10.0.20.1

Conclusion

VLAN sub-interfaces let a server participate in multiple isolated networks over a single trunk port. The kernel naming convention INTERFACE.VLANID (e.g., ens3.10) is conventional but Netplan uses arbitrary names (vlan10). Always configure only one default route (usually on the management VLAN). Verify with ip addr show that each VLAN interface has an address and is UP, then test connectivity on each VLAN with ping -I vlanX GATEWAY.