VLAN Basics
VLANs (802.1Q) allow network segmentation on a single physical interface.
Simple VLAN Configuration
# /etc/rc.conf
# Create VLANs on em0
vlans_em0="10 20 30"
# Configure VLAN interfaces
ifconfig_em0_10="inet 192.168.10.1 netmask 255.255.255.0"
ifconfig_em0_20="inet 192.168.20.1 netmask 255.255.255.0"
ifconfig_em0_30="inet 192.168.30.1 netmask 255.255.255.0"
# Ensure parent interface is up
ifconfig_em0="up"
Apply Configuration
# Restart networking
service netif restart
# Verify VLANs
ifconfig em0.10
ifconfig em0.20
ifconfig em0.30
Manual VLAN Creation
# Create VLAN interface
ifconfig em0.10 create
ifconfig em0.10 vlan 10 vlandev em0
ifconfig em0.10 inet 192.168.10.1 netmask 255.255.255.0
# Remove VLAN
ifconfig em0.10 destroy
Inter-VLAN Routing
# Enable IP forwarding
sysrc gateway_enable="YES"
sysctl net.inet.ip.forwarding=1
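# VLANs can now route through this system. With forwarding enabled and no
# packet filter rules, every VLAN can reach every other VLAN, so add PF rules
# if the VLANs are meant to stay isolated.
VLAN with DHCP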
# /etc/rc.conf
vlans_em0="100"
ifconfig_em0_100="DHCP"
VLAN Trunking
# Multiple VLANs on trunk port
vlans_em0="10 20 30 40 50"
# All VLANs share same physical interface
# Ensure switch port is configured as trunk and carries only the VLANs
# listed above
Security Considerations
# Filter between VLANs with PF
# /etc/pf.conf
vlan10 = "em0.10"
vlan20 = "em0.20"
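# Block VLAN 10 from accessing VLAN 20.
# PF applies the last matching rule, so a later pass rule overrides this
# block unless it is written as "block in quick ...".
# This rule filters one direction only; add a matching rule on $vlan20 if
# VLAN 20 must not reach VLAN 10 either.
block in on $vlan10 from ($vlan10:network) to ($vlan20:network)
- freebsd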
- vlan
- networking
- 802.1q
- tagging