How to Configure VLAN Tagging on FreeBSD

This article provides a step-by-step guide on how to configure VLAN tagging on FreeBSD systems.

Virtual Local Area Networks (VLANs) are a fundamental networking technology that allows network administrators to create logically separate networks on a single physical infrastructure. VLAN tagging, specifically the IEEE 802.1Q standard, enables traffic separation by adding tags to Ethernet frames to identify which VLAN they belong to. FreeBSD, known for its robust networking capabilities, provides comprehensive support for VLAN configuration through both command-line utilities and persistent configuration files.

This article will guide you through the process of configuring VLAN tagging on FreeBSD systems, covering both temporary and permanent configurations, troubleshooting common issues, and exploring advanced VLAN scenarios.

Understanding VLAN Fundamentals

Before diving into the configuration process, it’s important to understand some key concepts:

  • VLAN ID: A number between 1 and 4094 that uniquely identifies a VLAN
  • VLAN Interface: A virtual network interface that represents a VLAN on a physical network interface
  • Parent Interface: The physical network interface that carries the VLAN traffic
  • 802.1Q: The IEEE standard that defines VLAN tagging, allowing multiple VLANs to share the same physical network

VLANs offer several benefits:

  • Network segmentation without additional hardware
  • Improved security through traffic isolation
  • Reduced broadcast traffic
  • Simplified network management
  • Flexible network design

Prerequisites

Before configuring VLANs on FreeBSD, ensure you have:

  • Administrative (root) access to the FreeBSD system
  • A compatible network interface card that supports VLAN tagging
  • Basic understanding of FreeBSD networking concepts
  • Network details such as VLAN IDs, IP addresses, and subnet masks
  • Physical connectivity to the network switch that supports VLAN tagging

Checking Hardware Compatibility

First, verify that your network interface supports VLAN tagging:

ifconfig -a

Look for interfaces like em0, igb0, re0, etc. Most modern network cards support VLAN tagging, but it’s good to confirm.

To check if your kernel supports VLAN:

sysctl net.link.vlan

If this returns values, your kernel supports VLAN functionality.
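The options= line that ifconfig prints for each interface is where the VLAN capabilities of the NIC appear. As an added example (not from the original article or from the FreeBSD project), the POSIX sh function below reads saved ifconfig -a output and reports two flags for every Ethernet interface: VLAN_HWTAGGING means the NIC inserts and strips the 802.1Q tag itself, VLAN_MTU means it accepts frames 4 bytes longer than the normal maximum so the VLAN interface keeps the parent's MTU. Neither is required for vlan(4) to work: without VLAN_HWTAGGING the kernel tags in software, and without VLAN_MTU the VLAN interface's MTU is 4 bytes smaller than the parent's. The sample ifconfig output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example: report 802.1Q offload capabilities from "ifconfig -a" output.
# Not part of the original article or of FreeBSD.

# Constructed sample in the FreeBSD ifconfig format: em0 has both VLAN
# capabilities, ue0 (a USB adapter) has neither, lo0 is not Ethernet.
SAMPLE_IFCONFIG='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4e524bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:11:22:33:44:55
	inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
ue0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	ether 00:aa:bb:cc:dd:ee
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000
	groups: lo'

# vlan_capability_report <ifconfig -a text>
# Prints "<iface> hwtag=<yes|no> vlan_mtu=<yes|no>" for every interface that
# has an "ether" line, i.e. every Ethernet-type interface, in input order.
vlan_capability_report() {
    printf '%s\n' "$1" | awk '
        # A line starting in column 0 with "name: flags=" opens a new interface
        /^[^ \t]+: flags=/ { iface = $1; sub(/:$/, "", iface); order[++n] = iface }
        /^[ \t]+options=/  { opts[iface] = $0 }
        /^[ \t]+ether /    { ether[iface] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (!(name in ether)) continue
                hw  = (opts[name] ~ /VLAN_HWTAGGING/) ? "yes" : "no"
                mtu = (opts[name] ~ /VLAN_MTU/) ? "yes" : "no"
                print name " hwtag=" hw " vlan_mtu=" mtu
            }
        }'
}

vlan_capability_report "$SAMPLE_IFCONFIG"
```

On a live FreeBSD host, run it against the real output with vlan_capability_report "$(ifconfig -a)"; an interface reported with hwtag=no still carries VLANs, just with the tagging done by the kernel.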

Creating VLAN Interfaces Temporarily

For testing or temporary configurations, you can create VLAN interfaces using the ifconfig command:

ifconfig vlan0 create vlan 100 vlandev em0 up

This command:

  • Creates a VLAN interface named vlan0
  • Assigns VLAN ID 100 to this interface
  • Associates it with the physical interface em0
  • Brings the interface up

To assign an IP address to this VLAN interface:

ifconfig vlan0 inet 192.168.100.1 netmask 255.255.255.0

Configuring VLAN Interfaces Permanently

For persistent VLAN configuration across system reboots, you need to modify the /etc/rc.conf file:

ee /etc/rc.conf

Add the following lines to configure a VLAN interface:

# VLAN configuration for em0
vlans_em0="vlan100 vlan200"
create_args_vlan100="vlan 100 vlandev em0"
ifconfig_vlan100="inet 192.168.100.1 netmask 255.255.255.0"
create_args_vlan200="vlan 200 vlandev em0"
ifconfig_vlan200="inet 192.168.200.1 netmask 255.255.255.0"

This configuration:

  • Creates two VLAN interfaces (vlan100 and vlan200) on the em0 physical interface
  • Assigns VLAN IDs 100 and 200 respectively
  • Configures IP addresses for each VLAN interface

After adding these lines, you can either reboot the system or have the netif service create the VLAN interfaces without a reboot. Note that service netif restart reinitializes every configured interface, not only the new VLANs, so expect a brief loss of connectivity on any remote session:

service netif restart

Naming VLAN Interfaces

FreeBSD provides flexibility in naming VLAN interfaces. You can use either:

  1. Generic names: vlan0, vlan1, etc.
  2. VLAN ID-based names: vlan100, vlan200, etc.

Using VLAN ID-based names is generally more intuitive and helps identify the VLAN purpose at a glance.

To create a VLAN interface with a specific name:

# Temporary configuration
ifconfig vlan100 create vlan 100 vlandev em0

# Permanent configuration in /etc/rc.conf
vlans_em0="vlan100"
create_args_vlan100="vlan 100 vlandev em0"
ifconfig_vlan100="inet 192.168.100.1 netmask 255.255.255.0"

Configuring Multiple VLANs on a Single Interface

FreeBSD allows you to configure multiple VLANs on a single physical interface:

# In /etc/rc.conf
vlans_em0="vlan100 vlan200 vlan300"
create_args_vlan100="vlan 100 vlandev em0"
ifconfig_vlan100="inet 192.168.100.1 netmask 255.255.255.0"
create_args_vlan200="vlan 200 vlandev em0"
ifconfig_vlan200="inet 192.168.200.1 netmask 255.255.255.0"
create_args_vlan300="vlan 300 vlandev em0"
# 192.168.300.x is not a valid IPv4 address (each octet must be 0-255), so the
# third VLAN cannot follow the 192.168.<VLAN ID>.1 pattern of the first two
ifconfig_vlan300="inet 192.168.30.1 netmask 255.255.255.0"

Configuring VLAN Interfaces with DHCP

If you want to use DHCP for IP address assignment on a VLAN interface:

# In /etc/rc.conf
vlans_em0="vlan100"
create_args_vlan100="vlan 100 vlandev em0"
ifconfig_vlan100="DHCP"

Configuring VLAN QoS Priority

VLAN configuration in FreeBSD also supports setting Quality of Service (QoS) priorities:

# Temporary configuration
ifconfig vlan100 vlanpcp 5

# Permanent configuration in /etc/rc.conf
vlans_em0="vlan100"
create_args_vlan100="vlan 100 vlandev em0 vlanpcp 5"
ifconfig_vlan100="inet 192.168.100.1 netmask 255.255.255.0"

The vlanpcp parameter sets the VLAN priority code point (PCP) from 0 to 7, with higher values indicating higher priority.

Configuring VLAN Interfaces with IPv6

FreeBSD supports IPv6 on VLAN interfaces:

# Temporary configuration
ifconfig vlan100 inet6 2001:db8:100::1 prefixlen 64

# Permanent configuration in /etc/rc.conf
vlans_em0="vlan100"
create_args_vlan100="vlan 100 vlandev em0"
ifconfig_vlan100="inet 192.168.100.1 netmask 255.255.255.0"
# rc.conf keeps the IPv6 configuration in a separate ifconfig_<interface>_ipv6 variable
ifconfig_vlan100_ipv6="inet6 2001:db8:100::1 prefixlen 64"

Configuring VLAN on Aggregated Interfaces (LAGG)

For high availability and increased bandwidth, you can configure VLANs on link aggregation (LAGG) interfaces:

# In /etc/rc.conf
# First, configure LAGG
cloned_interfaces="lagg0"
ifconfig_igb0="up"
ifconfig_igb1="up"
ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"

# Then, configure VLANs on the LAGG interface
vlans_lagg0="vlan100 vlan200"
create_args_vlan100="vlan 100 vlandev lagg0"
ifconfig_vlan100="inet 192.168.100.1 netmask 255.255.255.0"
create_args_vlan200="vlan 200 vlandev lagg0"
ifconfig_vlan200="inet 192.168.200.1 netmask 255.255.255.0"

Removing VLAN Interfaces

To temporarily remove a VLAN interface:

ifconfig vlan100 destroy

For permanent removal, edit /etc/rc.conf and remove the corresponding VLAN configuration lines, then restart the network service or reboot.

Monitoring VLAN Traffic

To monitor VLAN traffic, you can use various FreeBSD tools:

  1. tcpdump - Capture and analyze packets:

    tcpdump -i vlan100 -n

    Capturing on vlan100 shows the frames with the tag already removed; to see the 802.1Q tag itself, capture on the parent interface with link-level headers, for example tcpdump -e -i em0 vlan 100.

  2. netstat - Network statistics:

    netstat -I vlan100 -w 1

  3. systat - System statistics:

    systat -ifstat

Troubleshooting VLAN Issues

Common Issues and Solutions

  1. VLAN interface doesn’t come up:

    • Check if the physical interface is up: ifconfig em0
    • Verify VLAN support in your kernel: sysctl net.link.vlan
    • Ensure your switch port is configured for the correct VLAN
  2. No connectivity on VLAN interface:

    • Verify IP address configuration: ifconfig vlan100
    • Check routing: netstat -rn
    • Test connectivity with ping: ping -c 3 192.168.100.254
  3. VLAN interface exists but no traffic passes:

    • Verify switch configuration for VLAN tagging
    • Check that the VLAN ID matches on both the FreeBSD host and switch
    • Use tcpdump to see if packets are being sent/received: tcpdump -i vlan100 -n
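Several of the symptoms above trace back to a typo in the /etc/rc.conf VLAN stanza rather than to the switch, and rc(8) does not report such typos clearly. The POSIX sh script below is an added example, not part of the original article or of FreeBSD: it loads the VLAN variables for one parent interface the same way rc(8) does (by evaluating the file as shell, so only point it at a file you would source as root) and flags a VLAN ID outside 1-4094, a vlandev that does not match the vlans_<parent> list the name appears in, two entries sharing one VLAN ID, a missing create_args_<name> line, and an IPv4 address with an octet above 255. The sample rc.conf text is constructed and contains three such mistakes, including the invalid address that a 192.168.<VLAN ID>.1 numbering scheme silently produces once the VLAN ID exceeds 255.

```shell
#!/bin/sh
# Added example: lint the VLAN stanza of one parent interface in rc.conf.
# Not part of the original article or of FreeBSD.

# Constructed sample rc.conf text with three deliberate mistakes:
# vlan200 points at the wrong parent, vlan300 has an impossible address,
# vlan400 is listed but has no create_args line.
SAMPLE_RCCONF='
vlans_em0="vlan100 vlan200 vlan300 vlan400"
create_args_vlan100="vlan 100 vlandev em0"
ifconfig_vlan100="inet 192.168.100.1 netmask 255.255.255.0"
create_args_vlan200="vlan 200 vlandev em1"
ifconfig_vlan200="inet 192.168.200.1 netmask 255.255.255.0"
create_args_vlan300="vlan 300 vlandev em0"
ifconfig_vlan300="inet 192.168.300.1 netmask 255.255.255.0"
ifconfig_vlan400="DHCP"
'

# All digits and 1 <= id <= 4094 (0 and 4095 are reserved by 802.1Q)
valid_vlan_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Four dotted decimal octets, each 0-255
valid_ipv4() {
    _save_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_save_ifs
    [ $# -eq 4 ] || return 1
    for _oct in "$@"; do
        case "$_oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_oct" -le 255 ] || return 1
    done
    return 0
}

# lint_vlans <parent> <rc.conf text>
# Prints one line per problem; exit status is the number of problems (0 = clean).
# The body runs in a subshell so the evaluated rc.conf variables do not leak.
lint_vlans() (
    _parent=$1
    eval "$2"
    eval "_names=\${vlans_${_parent}:-}"
    _problems=0
    _seen_ids=" "
    for _name in $_names; do
        eval "_cargs=\${create_args_${_name}:-}"
        eval "_ifcfg=\${ifconfig_${_name}:-}"
        if [ -z "$_cargs" ]; then
            echo "$_parent/$_name: no create_args_$_name line (VLAN ID and parent unspecified)"
            _problems=$((_problems + 1))
            continue
        fi
        # create_args is "vlan <id> vlandev <dev> [vlanpcp <n> ...]": read the
        # keyword/value pairs by remembering the previous token
        _id=; _dev=; _prev=
        for _tok in $_cargs; do
            case "$_prev" in
                vlan)    _id=$_tok ;;
                vlandev) _dev=$_tok ;;
            esac
            _prev=$_tok
        done
        if ! valid_vlan_id "$_id"; then
            echo "$_parent/$_name: VLAN ID '$_id' is not in 1-4094"
            _problems=$((_problems + 1))
        elif [ "${_seen_ids#* $_id }" != "$_seen_ids" ]; then
            echo "$_parent/$_name: VLAN ID $_id already used on $_parent"
            _problems=$((_problems + 1))
        fi
        _seen_ids="$_seen_ids$_id "
        if [ "$_dev" != "$_parent" ]; then
            echo "$_parent/$_name: vlandev '$_dev' does not match parent $_parent"
            _problems=$((_problems + 1))
        fi
        # Validate every "inet <addr>" pair in the ifconfig_ line; DHCP needs no check
        _prev=
        for _tok in $_ifcfg; do
            if [ "$_prev" = inet ] && ! valid_ipv4 "$_tok"; then
                echo "$_parent/$_name: invalid IPv4 address '$_tok'"
                _problems=$((_problems + 1))
            fi
            _prev=$_tok
        done
    done
    exit "$_problems"
)

lint_vlans em0 "$SAMPLE_RCCONF" || echo "$? problem(s) found"
```

To check a real configuration, pass the file contents: lint_vlans em0 "$(cat /etc/rc.conf)". A non-zero exit status makes it usable as a pre-commit or configuration-management check before service netif restart is run.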

Debugging Tools

  1. Enable VLAN debugging:

    sysctl net.link.vlan.debug=1

  2. Check system logs:

    tail -f /var/log/messages

  3. View VLAN interfaces information:

    ifconfig | grep vlan

Advanced VLAN Configurations

VLAN Trunking

VLAN trunking allows multiple VLANs to share a single physical connection. In FreeBSD, you can configure a trunk interface to carry multiple VLANs:

# In /etc/rc.conf
ifconfig_em0="up"  # Configure the physical interface as a trunk
vlans_em0="vlan100 vlan200 vlan300"  # Configure multiple VLANs on the trunk

VLAN with PF Firewall

FreeBSD’s PF firewall can be configured to filter traffic based on VLAN interfaces:

# In /etc/pf.conf
# Allow traffic on VLAN 100 but block on VLAN 200
pass in on vlan100 all
block in on vlan200 all
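The two rules above pass or block everything on an interface. What VLANs are usually deployed for is a policy between them, and the following pf.conf is an added example of that (it is not from the original article or from the FreeBSD project; the interface names and networks are constructed): a management VLAN may open SSH and HTTPS sessions into a server VLAN, the server VLAN may only reach the host's own resolver, every VLAN is protected against spoofed source addresses, and anything else is dropped and logged. It assumes the FreeBSD host routes between the two VLANs (gateway_enable="YES" in /etc/rc.conf) and that pf is enabled (pf_enable="YES").

```pf
# Added example, not part of the original article: inter-VLAN policy
# between a management VLAN and a server VLAN on the same FreeBSD host.
mgmt_if  = "vlan100"
srv_if   = "vlan200"
mgmt_net = "192.168.100.0/24"
srv_net  = "192.168.200.0/24"

set skip on lo0

# Default deny in both directions; log what is dropped so pflog0 shows
# misconfigured hosts and cross-VLAN attempts
block log all

# Packets arriving on a VLAN interface must come from that VLAN's own network
antispoof quick for $mgmt_if inet
antispoof quick for $srv_if inet

# Management hosts may open SSH and HTTPS sessions to the server VLAN;
# state is kept so the replies need no rule of their own
pass in  on $mgmt_if inet proto tcp from $mgmt_net to $srv_net port { 22, 443 } flags S/SA keep state
pass out on $srv_if  inet proto tcp from $mgmt_net to $srv_net port { 22, 443 } keep state

# Server VLAN hosts may query the resolver running on this host's VLAN 200
# address and nothing else; no rule lets them initiate into the management VLAN
pass in on $srv_if inet proto { tcp, udp } from $srv_net to ($srv_if) port 53 keep state

# Let the host answer pings on both VLANs for troubleshooting
pass in inet proto icmp all icmp-type echoreq keep state
```

Load it with pfctl -nf /etc/pf.conf first (the -n flag only parses the ruleset) and watch the drops with tcpdump -n -e -ttt -i pflog0 while testing from each VLAN.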

Nested VLANs (QinQ)

FreeBSD supports IEEE 802.1ad (QinQ) for nested VLANs:

# Create the outer VLAN (Service VLAN)
ifconfig vlan100 create vlan 100 vlandev em0

# Create the inner VLAN (Customer VLAN) on top of the outer VLAN
ifconfig vlan200 create vlan 200 vlandev vlan100
ifconfig vlan200 inet 192.168.200.1 netmask 255.255.255.0

In /etc/rc.conf:

vlans_em0="vlan100"
create_args_vlan100="vlan 100 vlandev em0"
ifconfig_vlan100="up"

vlans_vlan100="vlan200"
create_args_vlan200="vlan 200 vlandev vlan100"
ifconfig_vlan200="inet 192.168.200.1 netmask 255.255.255.0"

Security Considerations

When implementing VLANs on FreeBSD, consider these security best practices:

  1. Use separate VLANs for different security domains
  2. Implement firewall rules between VLANs
  3. Disable unused VLAN interfaces
  4. Regularly audit VLAN configurations
  5. Use strong authentication for management access

Conclusion

VLAN tagging in FreeBSD provides a powerful and flexible way to segment networks, improve security, and optimize network resources. By following the configuration steps outlined in this article, you can effectively implement VLANs in your FreeBSD environment.

Remember that VLAN tagging is only one part of a comprehensive network design. It should be implemented alongside other security measures like firewalls, access controls, and encryption to create a robust and secure network infrastructure.

FreeBSD’s implementation of VLANs is mature and well-tested, making it an excellent choice for environments that require reliable network segmentation. Whether you’re setting up a small office network or a complex enterprise environment, FreeBSD’s VLAN capabilities can help you create a well-structured and secure network architecture.

For more detailed information, consult the FreeBSD Handbook and man pages for ifconfig and vlan.