2023 - February
Virtual IP
A VLAN (802.1Q) virtual interface behaves like a normal interface. Traffic routed to it leaves through the parent interface (for example, eth0) with a VLAN tag carrying the configured VLAN ID. Only VLAN-aware devices whose receiving port is configured to carry that ID will accept the tagged frames; everything else drops them.
You can create such an interface for special routing purposes or for segmentation. Normally these are used for server-to-server connections, or to isolate guest connections. Keep in mind that a VLAN tag is a segmentation boundary, not encryption: the frames are still readable by anything else on the same trunk. The example below uses VLAN ID 1; on many switches VLAN 1 is the default/native VLAN, whose frames are usually sent untagged, so for a segmentation VLAN choose a dedicated ID in the range 2-4094 and make sure the switch port carries it tagged.
NetworkD Virtual IP
- Create a file in /etc/netplan ending in .yaml. Files are processed in lexical (numeric/alphabetical) order, and later files override earlier ones for the same keys. The file below uses gateway4, which newer netplan releases deprecate in favour of a routes: entry with to: default; it still works for this example.
File: /etc/netplan/60-vlan-init.yaml
# Remove NetworkManager - add second interface - Don Sept 2019
network:
  version: 2
  renderer: networkd
  # ERROR: vlan1: NetworkManager only supports global scoped routes
  #renderer: NetworkManager
  ethernets:
    eno1:
      addresses: [192.168.1.3/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [1.1.1.1, 1.0.0.1]
      optional: true
    eno2: {}
  vlans:
    vlan1:
      id: 1
      link: eno1
      addresses: [192.168.2.3/24]
- Try the change first with netplan try, which applies the new configuration and reverts it automatically after a timeout (120 seconds by default) unless you confirm it; --debug adds the verbose output shown here:
$ sudo netplan --debug try
DEBUG:eno1 not found in {}
DEBUG:eno2 not found in {'eno1': {'addresses': ['192.168.1.3/24'], 'gateway4': '192.168.1.1', 'nameservers': {'addresses': ['1.1.1.1', '1.0.0.1']}, 'optional': True}}
DEBUG:vlan1 not found in {}
DEBUG:Merged config:
network:
  bonds: {}
  bridges: {}
  ethernets:
    eno1:
      addresses:
      - 192.168.1.3/24
      gateway4: 192.168.1.1
      nameservers:
        addresses:
        - 1.1.1.1
        - 1.0.0.1
      optional: true
    eno2: {}
  vlans:
    vlan1:
      addresses:
      - 192.168.2.3/24
      id: 1
      link: eno1
  wifis: {}
DEBUG:New interfaces: set()
** (generate:11029): DEBUG: 08:52:30.927: Processing input file /etc/netplan/60-vlan-init.yaml..
** (generate:11029): DEBUG: 08:52:30.927: starting new processing pass
** (generate:11029): DEBUG: 08:52:30.927: vlan1: setting default backend to 1
** (generate:11029): DEBUG: 08:52:30.927: Configuration is valid
** (generate:11029): DEBUG: 08:52:30.927: eno1: setting default backend to 1
** (generate:11029): DEBUG: 08:52:30.927: Configuration is valid
** (generate:11029): DEBUG: 08:52:30.927: eno2: setting default backend to 1
** (generate:11029): DEBUG: 08:52:30.927: Configuration is valid
** (generate:11029): DEBUG: 08:52:30.928: Generating output files..
** (generate:11029): DEBUG: 08:52:30.928: NetworkManager: definition eno1 is not for us (backend 1)
** (generate:11029): DEBUG: 08:52:30.928: NetworkManager: definition eno2 is not for us (backend 1)
** (generate:11029): DEBUG: 08:52:30.928: NetworkManager: definition vlan1 is not for us (backend 1)
DEBUG:netplan generated networkd configuration changed, restarting networkd
DEBUG:no netplan generated NM configuration exists
DEBUG:eno1 not found in {}
DEBUG:eno2 not found in {'eno1': {'addresses': ['192.168.1.3/24'], 'gateway4': '192.168.1.1', 'nameservers': {'addresses': ['1.1.1.1', '1.0.0.1']}, 'optional': True}}
DEBUG:vlan1 not found in {}
DEBUG:Merged config:
network:
  bonds: {}
  bridges: {}
  ethernets:
    eno1:
      addresses:
      - 192.168.1.3/24
      gateway4: 192.168.1.1
      nameservers:
        addresses:
        - 1.1.1.1
        - 1.0.0.1
      optional: true
    eno2: {}
  vlans:
    vlan1:
      addresses:
      - 192.168.2.3/24
      id: 1
      link: eno1
  wifis: {}
DEBUG:Skipping non-physical interface: lo
DEBUG:device eno1 operstate is up, not changing
DEBUG:Skipping non-physical interface: vlan1
DEBUG:Skipping non-physical interface: wlp58s0
DEBUG:Skipping non-physical interface: tun0
DEBUG:{}
DEBUG:netplan triggering .link rules for lo
DEBUG:netplan triggering .link rules for eno1
DEBUG:netplan triggering .link rules for vlan1
DEBUG:netplan triggering .link rules for wlp58s0
DEBUG:netplan triggering .link rules for tun0
Do you want to keep these settings?
Press ENTER before the timeout to accept the new configuration
Changes will revert in 118 seconds
Configuration accepted.
- Once you accept the settings they stay in place; run netplan apply to regenerate and apply the configuration again (for example after later edits, or on a host where you skipped netplan try):
$ sudo netplan apply
- Test it with a ping. Pinging the VLAN interface's own address, as below, only proves that the address is configured on this host; to test the tagged path through the switch, ping another host on 192.168.2.0/24 from here as well.
# ping 192.168.2.3
PING 192.168.2.3 (192.168.2.3) 56(84) bytes of data.
64 bytes from 192.168.2.3: icmp_seq=1 ttl=64 time=0.088 ms
64 bytes from 192.168.2.3: icmp_seq=2 ttl=64 time=0.104 ms
^C
--- 192.168.2.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1011ms
rtt min/avg/max/mdev = 0.088/0.096/0.104/0.008 ms
- Check the routes. There is one entry for the physical interface eno1 and another for the VLAN interface vlan1.
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 0 0 0 eno1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
- Another way to check routes:
# ip r
default via 192.168.1.1 dev eno1 proto static
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.3
192.168.2.0/24 dev vlan1 proto kernel scope link src 192.168.2.3
- You can also check the IP addresses. Notice that the virtual interface is listed as vlan1@eno1 because it is stacked on top of the physical interface eno1, and that it shares eno1's MAC address.
# ip a
~
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 1c:69:7a:09:e7:61 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.1.3/24 brd 192.168.1.255 scope global eno1
       valid_lft forever preferred_lft forever
    inet6 fe80::1e69:7aff:fe09:e761/64 scope link
       valid_lft forever preferred_lft forever
~
4: vlan1@eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1c:69:7a:09:e7:61 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global vlan1
       valid_lft forever preferred_lft forever
    inet6 fe80::1e69:7aff:fe09:e761/64 scope link
       valid_lft forever preferred_lft forever
~
Reference: https://netplan.io/examples
Create vlan from command line
Create a vlan called vlan9 on physical device eth0, with vlan id of 9.
$ sudo ip link add link eth0 name vlan9 type vlan id 9
Display interface
$ sudo ip -d link show vlan9
4: vlan9@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 1c:69:7a:09:e7:61 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 9 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
This interface is not persistent: it disappears after a reboot unless you run the command again (or define it in netplan or nmstate as described on this page).
The -d flag shows the full details of an interface. Notice the line vlan protocol 802.1Q id 9: that is the tag the frames will carry.
$ sudo ip -d addr show
4: vlan9@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 96:4a:9c:84:36:51 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 9 <REORDER_HDR>
    inet6 fe80::944a:9cff:fe84:3651/64 scope link
       valid_lft forever preferred_lft forever
So far the interface only has a link-local IPv6 address. Add an IPv4 address and bring the link up:
# ip addr add <address/prefix> brd <broadcast> dev <device>
$ sudo ip addr add 192.168.100.1/24 brd 192.168.100.255 dev vlan9
$ sudo ip link set dev vlan9 up
Shut down the link:
$ sudo ip link set dev vlan9 down
Remove VLAN interface:
$ sudo ip link delete vlan9
Red Hat Version (nmstate)
Install nmstate package
$ sudo dnf install nmstate
Create config file
File: /etc/nmstate/60-create-vlan.yml
---
interfaces:
  - name: vlan10
    type: vlan
    state: up
    ipv4:
      enabled: true
      address:
        - ip: 192.168.22.1
          prefix-length: 24
      dhcp: false
    ipv6:
      enabled: false
    vlan:
      base-iface: eno1
      id: 10
  - name: eno1
    type: ethernet
    state: up
Apply config file
$ sudo nmstatectl apply /etc/nmstate/60-create-vlan.yml
- Verification
Display the status of the devices and connections:
# nmcli device status
DEVICE TYPE STATE CONNECTION
vlan10 vlan connected vlan10
Display all settings of the connection profile:
# nmcli connection show vlan10
connection.id: vlan10
connection.uuid: 1722970f-788e-4f81-bd7d-a86bf21c9df5
connection.stable-id: --
connection.type: vlan
connection.interface-name: vlan10
...
Display the connection settings in YAML format:
# nmstatectl show vlan10
Permanent setup is handled by nmstate.service. At boot it runs the nmstatectl service command, which applies every network state file ending in .yml in the /etc/nmstate folder. Each applied file is renamed with the suffix .applied so that it is not applied again on the next service start. To change the configuration later, edit the file, rename it back to .yml and restart nmstate.service.
$ sudo systemctl status nmstate.service
● nmstate.service - Apply nmstate on-disk state
Loaded: loaded (/usr/lib/systemd/system/nmstate.service; enabled; preset: disabled)
Active: active (exited) since Sat 2023-06-10 15:31:04 EDT; 50s ago
Docs: man:nmstate.service(8)
https://www.nmstate.io
Process: 77788 ExecStart=/usr/bin/nmstatectl service (code=exited, status=0/SUCCESS)
Main PID: 77788 (code=exited, status=0/SUCCESS)
CPU: 40ms
Jun 10 15:31:04 bob.example.com nmstatectl[77788]: [2022-06-10T19:31:04Z INFO nmstate::nm::query_apply::profile] Modifying connection UUID Some("050da471-2365-4e>
Jun 10 15:31:04 bob.example.com nmstatectl[77788]: [2022-06-10T19:31:04Z INFO nmstate::nm::query_apply::profile] Reapplying connection 1f39a84e-5d13-3ea0-8b34-fd>
Jun 10 15:31:04 bob.example.com nmstatectl[77788]: [2022-06-10T19:31:04Z INFO nmstate::nm::query_apply::profile] Reapplying connection 0a0d9431-27a5-4e7e-b370-47>
Jun 10 15:31:04 bob.example.com nmstatectl[77788]: [2022-06-10T19:31:04Z INFO nmstate::nispor::base_iface] Got unsupported interface type Tun: vnet5, ignoring
Jun 10 15:31:04 bob.example.com nmstatectl[77788]: [2022-06-10T19:31:04Z INFO nmstate::nispor::show] Got unsupported interface vnet5 type Tun
Jun 10 15:31:04 bob.example.com nmstatectl[77788]: [2022-06-10T19:31:04Z INFO nmstate::nm::show] Got unsupported interface type tun: vnet5, ignoring
Jun 10 15:31:04 bob.example.com nmstatectl[77788]: [2022-06-10T19:31:04Z INFO nmstate::query_apply::net_state] Destroyed checkpoint /org/freedesktop/NetworkManag>
Jun 10 15:31:04 bob.example.com nmstatectl[77788]: [2022-06-10T19:31:04Z INFO nmstatectl::service] Applied nmstate config: /etc/nmstate/60-create-vlan.yml
Jun 10 15:31:04 bob.example.com nmstatectl[77788]: [2022-06-10T19:31:04Z INFO nmstatectl::service] Renamed applied config /etc/nmstate/60-create-vlan.yml to /etc/nm>
Jun 10 15:31:04 bob.example.com systemd[1]: Finished Apply nmstate on-disk state.
February - Virtual IP - Linux in the House - https://linux-in-the-house.org