
VLAN Configuration

Create VLAN tagged sub-interfaces to communicate with hosts on a VLAN network using Linux (Kali).

Everything on this page is only relevant if connected to a trunk port.

VLAN Configuration Tool

VLAN 8021q kernel module

Enable VLAN 8021q kernel module
sudo modprobe 8021q
lsmod | grep 8021q

The module should autoload anyway when a VLAN link is created with ip link add.

Unload VLAN 8021q kernel module
sudo modprobe -r 8021q

Will fail if any VLAN links exist; delete VLAN sub-interfaces first.

Network Interface Discovery

Show current VLAN configurations
ip -d link show type vlan

VLAN tag traffic

Remove IP from parent interface.
sudo ip addr flush dev eth0

This avoids accidental traffic leakage on an untagged network since only the sub-interfaces will have an IP once VLANs are configured.

Add a VLAN-tagged sub-interface (e.g., VLAN 100 on eth0).
sudo ip link add link eth0 name eth0.100 type vlan id 100
Ensure the interface and sub-interface are up/live.
sudo ip link set eth0 up
sudo ip link set eth0.100 up

DHCP Configuration

Configure the VLAN sub-interface to obtain an IP using DHCP. If the VLAN network does not use DHCP, a static IP must be configured instead.

Set DHCP on the sub-interface and obtain an IP via DHCP
sudo dhclient -1 -v eth0.100

The sub-interface receives an IP from the DHCP server that handles the specified VLAN.
The IP will be in the range that the DHCP server associates with that VLAN tag.

Release DHCP lease on eth0.100
sudo dhclient -r eth0.100

Use when disconnecting/tearing down or before renewing.
This only gives up the lease so other hosts can use the IP.

Static IP Configuration

Configure a static IP on the VLAN sub-interface.

Configure a static IP (192.168.100.10) on a VLAN interface (eth0.100)
sudo ip addr add 192.168.100.10/24 dev eth0.100
Replace an existing IP configured on a sub-interface instead of adding an additional one.
sudo ip addr replace 192.168.100.10/24 dev eth0.100

Verifying Configuration

View a VLAN interface and its IP
ip addr show dev eth0.100
ip -d link show dev eth0.100
Ping a known live host on the VLAN using the VLAN sub-interface
ping -I eth0.100 192.168.100.1

Target the gateway on the VLAN or some other known live host.

Verify that the VLAN sub-interface is being used to connect to a known host on the VLAN
ip route get <known_host_ip>

Target the gateway on the VLAN or some other known live host.
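
A check for the leakage caveat in the "VLAN tag traffic" step, as an added example that is not part of the original page: it parses the one-line output of ip -o -d link show type vlan and ip -o -4 addr show and reports any VLAN parent interface that still has an IPv4 address. The function names and the sample lines are constructed for illustration, and only IPv4 is checked.

```shell
#!/bin/sh
# Added example: flag VLAN parent interfaces that still hold an IPv4 address.

# Constructed, trimmed stand-in for: ip -o -d link show type vlan
SAMPLE_LINKS='5: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP mode DEFAULT\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff \    vlan protocol 802.1Q id 100 <REORDER_HDR>
6: eth0.200@eth0: <BROADCAST,MULTICAST> mtu 1500 state DOWN mode DEFAULT\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff \    vlan protocol 802.1Q id 200 <REORDER_HDR>'

# Constructed stand-in for: ip -o -4 addr show
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.23/24 brd 10.0.0.255 scope global dynamic eth0\       valid_lft 3000sec preferred_lft 3000sec
5: eth0.100    inet 192.168.100.10/24 scope global eth0.100\       valid_lft forever preferred_lft forever'

# vlan_table LINKS: print "subif parent vlan_id state" for each VLAN sub-interface.
vlan_table() {
    printf '%s\n' "$1" | awk 'NF {
        split($2, n, "@"); sub(/:$/, "", n[2])        # "eth0.100@eth0:" -> eth0.100, eth0
        vid = "?"; state = "?"
        for (i = 3; i <= NF; i++) {
            if ($i == "state") state = $(i + 1)
            if ($i == "protocol" && $(i + 2) == "id") vid = $(i + 3)
        }
        print n[1], n[2], vid, state
    }'
}

# parents_with_ipv4 LINKS ADDRS: print "parent address" for every VLAN parent
# that still has an IPv4 address, i.e. can still talk on the untagged network.
parents_with_ipv4() {
    parents=$(vlan_table "$1" | awk '{print $2}' | sort -u | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v parents="$parents" '
        BEGIN { n = split(parents, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $3 == "inet" && ($2 in want) { print $2, $4 }'
}

# audit_vlan_parents LINKS ADDRS: status 0 when no parent is addressed, 1 otherwise.
audit_vlan_parents() {
    leaks=$(parents_with_ipv4 "$1" "$2")
    if [ -n "$leaks" ]; then
        printf 'parent interface still has an IPv4 address:\n%s\n' "$leaks"
        return 1
    fi
    echo "ok: no VLAN parent interface has an IPv4 address"
}

# Demo on the constructed samples. On a live host pass real output instead:
#   audit_vlan_parents "$(ip -o -d link show type vlan)" "$(ip -o -4 addr show)"
vlan_table "$SAMPLE_LINKS"
audit_vlan_parents "$SAMPLE_LINKS" "$SAMPLE_ADDRS" || true
```

A non-zero status means the parent should be flushed again with sudo ip addr flush dev eth0 before continuing.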

Removing VLAN Interfaces

Delete VLAN sub-interfaces when cleaning up.
sudo ip link delete dev eth0.100
Remove all VLAN-tagged interfaces in one line.
ip -o -d link show type vlan | awk -F': ' '{print $2}' | cut -d@ -f1 | xargs -r -n1 sudo ip link delete dev

Persistent Configuration

Persist VLAN configuration across reboots.

Create VLAN
sudo nmcli con add type vlan ifname eth0.100 dev eth0 id 100 ipv4.method manual ipv4.addresses 192.168.100.10/24 ipv4.gateway 192.168.100.1 autoconnect yes
Add a second IP
sudo nmcli con mod vlan-eth0.100 +ipv4.addresses 192.168.100.20/24
Enable the VLAN interface
sudo nmcli con up vlan-eth0.100