Virtual Local Area Networks

A Virtual Local Area Network (VLAN) is a networking technology that

  • creates distinct, logically separated networks within a physical network infrastructure
  • allows network administrators to segment a single physical network into multiple broadcast domains, and
  • improves network performance, security, and manageability.

Each VLAN functions as an independent network, enabling devices within the same VLAN to communicate regardless of their actual physical locations. This segmentation is achieved through tagging data packets with a VLAN ID, ensuring they are routed to the correct virtual network.

SONiC supports creating VLANs and assigning interfaces to the VLAN.

Add or Remove VLANs

To add a VLAN in SONiC:

admin@sonic:~$ sudo config vlan add -h
Usage: config vlan add [OPTIONS] <vid>

  Add VLAN

Options:
  -m, --multiple  Add Multiple Vlan(s) in Range or in Comma separated list
  -h, -?, --help  Show this message and exit.

For example, to add VLAN 10:

admin@sonic:~$ sudo config vlan add 10

Verify that the VLAN was added successfully:

admin@sonic:~$ show vlan brief
+-----------+--------------+---------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports   | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+=========+================+=============+=======================+
|        10 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+

To add VLAN 20, 30:

admin@sonic:~$ sudo config vlan add -m 20,30

Verify that the VLANs were added successfully:

admin@sonic:~$ show vlan brief
+-----------+--------------+---------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports   | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+=========+================+=============+=======================+
|        10 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        20 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        30 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+

To add VLANs 50-60:

admin@sonic:~$ sudo config vlan add -m 50-60

Verify that the VLANs were added successfully:

admin@sonic:~$ show vlan brief
+-----------+--------------+---------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports   | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+=========+================+=============+=======================+
|        10 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        20 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        30 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        50 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        51 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        52 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        53 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        54 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        55 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        56 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        57 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        58 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        59 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        60 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+

Similarly, VLANs can be removed using the sudo config vlan del command.

admin@sonic:~$ sudo config vlan del -h
Usage: config vlan del [OPTIONS] <vid>

  Delete VLAN

Options:
  -m, --multiple           Add Multiple Vlan(s) in Range or in Comma separated
                           list
  --no_restart_dhcp_relay  If no_restart_dhcp_relay is True, do not restart
                           dhcp_relay while del vlan and
                           require dhcpv6 relay of this is empty
  -?, -h, --help           Show this message and exit.

Delete a single VLAN:

admin@sonic:~$ sudo config vlan del 10

Delete a comma-separated list of VLANs:

admin@sonic:~$ sudo config vlan del -m 20,30

Delete a range of VLANs:

admin@sonic:~$ sudo config vlan del -m 50-60

Add or remove interfaces to VLANs

We can add an interface to a VLAN using the sudo config vlan member add command. Ensure that the VLAN has already been created by using the sudo config vlan add command.

admin@sonic:~$ sudo config vlan member add -h
Usage: config vlan member add [OPTIONS] <vid> port

  Add VLAN member

Options:
  -u, --untagged     Untagged status
  -m, --multiple     Add Multiple Vlan(s) in Range or in Comma separated list
  -e, --except_flag  Skips the given vlans and adds all other existing vlans
  -h, -?, --help     Show this message and exit.

For example, to add Ethernet0 to VLAN 10 in tagged mode:

admin@sonic:~$ sudo config vlan member add 10 Ethernet0

To verify:

admin@sonic:~$ show vlan brief
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports     | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+===========+================+=============+=======================+
|        10 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+

For example, to add Ethernet0 to VLAN 10 in untagged mode:

admin@sonic:~$ sudo config vlan member add -u 10 Ethernet0

To verify:

admin@sonic:~$ show vlan brief
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports     | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+===========+================+=============+=======================+
|        10 |              | Ethernet0 | untagged       | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+

We can add an interface to multiple VLANs as well. For example, add an interface to a comma-separated list or a range of VLANs:

admin@sonic:~$ sudo config vlan member add -m 20,30 Ethernet0
admin@sonic:~$ sudo config vlan member add -m 50-60 Ethernet0

To add an interface to all existing VLANs, we can use the all keyword. For example:

admin@sonic:~$ sudo config vlan member add -m all Ethernet0

The -e flag can be used to add an interface to all VLANs present on a system except a particular VLAN or set of VLANs. Consider a device with the following VLANs:

admin@sonic:~$ show vlan brief
+-----------+--------------+---------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports   | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+=========+================+=============+=======================+
|        10 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        50 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        51 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        52 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        53 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        54 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        55 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        56 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        57 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        58 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        59 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+
|        60 |              |         |                | disabled    |                       |
+-----------+--------------+---------+----------------+-------------+-----------------------+

We can add interface Ethernet0 to all VLANs except VLAN 10 using the following command:

admin@sonic:~$ sudo config vlan member add -e 10 Ethernet0
admin@sonic:~$ show vlan brief
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports     | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+===========+================+=============+=======================+
|        10 |              |           |                | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        50 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        51 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        52 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        53 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        54 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        55 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        56 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        57 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        58 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        59 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        60 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+

Alternatively, we can add Ethernet0 to all VLANs except 55, 56, 57, 58, 59, and 60 using the following command:

admin@sonic:~$ sudo config vlan member add -e -m 55-60 Ethernet0

admin@sonic:~$ show vlan brief
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports     | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+===========+================+=============+=======================+
|        10 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        50 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        51 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        52 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        53 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        54 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        55 |              |           |                | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        56 |              |           |                | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        57 |              |           |                | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        58 |              |           |                | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        59 |              |           |                | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        60 |              |           |                | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
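
The -m all and -e forms resolve against whichever VLANs exist when the command runs, so it is worth checking the resulting membership against what each port is meant to carry. The following Python is an added example, not part of the SONiC documentation or code base: it parses show vlan brief output and lists ports that are members of VLANs outside a per-port allow-list. The sample table, the allow-list and the function names are constructed for illustration, and treating a row with an empty VLAN ID as a further member of the previous VLAN is an assumption about the table layout.

```python
# Added example: audit `show vlan brief` output against an intended per-port
# VLAN allow-list. The sample table and the allow-list are constructed.

def expand_vids(spec):
    """Expand a -m style list or range ('20,30', '50-60') into a set of VLAN IDs."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:         # 802.1Q usable VLAN ID range
            raise ValueError(f"invalid VLAN range: {part!r}")
        vids.update(range(lo, hi + 1))
    return vids


def parse_vlan_brief(text):
    """Return {port: {vid: tagging}} from the table printed by `show vlan brief`."""
    members, vid = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):          # skip borders, prompts, blank lines
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "VLAN ID":
            continue                          # header row or malformed row
        if cells[0]:                          # assumption: a row with an empty
            vid = int(cells[0])               # VLAN ID continues the previous VLAN
        port, tagging = cells[2], cells[3]
        if port and vid is not None:
            members.setdefault(port, {})[vid] = tagging
    return members


def audit(members, allowed):
    """Return [(port, [unexpected VLAN IDs])] for ports outside their allow-list."""
    findings = []
    for port in sorted(members):
        # A port with no allow-list entry is permitted no VLANs at all.
        permitted = expand_vids(allowed[port]) if port in allowed else set()
        extra = sorted(set(members[port]) - permitted)
        if extra:
            findings.append((port, extra))
    return findings


# Constructed sample in the layout shown on this page.
SAMPLE = """\
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address   | Ports     | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+==============+===========+================+=============+=======================+
|        10 |              |           |                | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        50 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        51 |              | Ethernet0 | tagged         | disabled    |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
|        55 |              | Ethernet0 | tagged         | disabled    |                       |
|           |              | Ethernet4 | untagged       |             |                       |
+-----------+--------------+-----------+----------------+-------------+-----------------------+
"""

# Constructed policy: which VLANs each port is meant to carry (-m style syntax).
ALLOWED = {"Ethernet0": "50-54", "Ethernet4": "55"}

if __name__ == "__main__":
    for port, extra in audit(parse_vlan_brief(SAMPLE), ALLOWED):
        print(f"{port}: member of VLANs outside policy: {extra}")
```
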

We can use the SONiC CLI to remove interfaces from VLANs:

admin@sonic:~$ sudo config vlan member del -h
Usage: config vlan member del [OPTIONS] <vid> <port>

  Delete VLAN member

Options:
  -m, --multiple     Add Multiple Vlan(s) in Range or in Comma separated list
  -e, --except_flag  Skips the given vlans and adds all other existing vlans
  -h, -?, --help     Show this message and exit.

For example, to remove a single VLAN from an interface:

admin@sonic:~$ sudo config vlan member del 10 Ethernet0

And an example of removing multiple VLANs from an interface:

admin@sonic:~$ sudo config vlan member del -m 51,52 Ethernet0

Alternatively, a user can specify a range of VLANs:

admin@sonic:~$ sudo config vlan member del -m 53-54 Ethernet0

To remove an interface from all existing VLANs, we can use the all keyword. For example:

admin@sonic:~$ sudo config vlan member del -m all Ethernet0

As with adding, the -e flag can be used to remove an interface from all VLANs except a particular VLAN or set of VLANs. Here are some examples:

Remove Ethernet0 from all VLANs except VLAN 10:

admin@sonic:~$ sudo config vlan member del -e 10 Ethernet0

Remove Ethernet0 from all VLANs except VLAN 51,52:

admin@sonic:~$ sudo config vlan member del -e -m 51,52 Ethernet0

Remove Ethernet0 from all VLANs except VLAN 55,56,57,58,59, and 60:

admin@sonic:~$ sudo config vlan member del -e -m 55-60 Ethernet0

Configure SVIs

An SVI (Switched Virtual Interface) allows a user to assign an L3 address to a VLAN. The following commands can be used to configure it on SONiC:

Assigning IP addresses to VLANs

The sudo config interface ip add commands discussed earlier can be used to add IP addresses to VLANs. For example, to assign an IP address to Vlan10:

admin@sonic:~$ sudo config interface ip add Vlan10 192.10.1.2/24

Verifying using the show ip interfaces command:

admin@sonic:~$ show ip interfaces
Interface    Master    IPv4 address/mask    Admin/Oper    BGP Neighbor    Neighbor IP
-----------  --------  -------------------  ------------  --------------  -------------
Vlan10                 192.10.1.2/24        up/down       N/A             N/A
docker0                240.127.1.1/24       up/down       N/A             N/A
eth0                   192.168.1.2/16       up/up         N/A             N/A
lo                     127.0.0.1/16         up/up         N/A             N/A

This can also be verified using the show vlan brief command:

admin@sonic:~$ show vlan brief
+-----------+---------------+---------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address    | Ports   | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+===============+=========+================+=============+=======================+
|        10 | 192.10.1.2/24 |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        50 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        51 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        52 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        53 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        54 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        55 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+

Similarly, we can assign an IPv6 address to a VLAN interface:

admin@sonic:~$ sudo config interface ip add Vlan50 2001::8/64

To verify:

admin@sonic:~$ show vlan brief
+-----------+---------------+---------+----------------+-------------+-----------------------+
|   VLAN ID | IP Address    | Ports   | Port Tagging   | Proxy ARP   | DHCP Helper Address   |
+===========+===============+=========+================+=============+=======================+
|        10 | 192.10.1.2/24 |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        50 | 2001::8/64    |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        51 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        52 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        53 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        54 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+
|        55 |               |         |                | disabled    |                       |
+-----------+---------------+---------+----------------+-------------+-----------------------+

Other interface parameters of an SVI can be changed in the same way as on any other interface. As seen in the previous section, the SVI name appears as Vlan<vlan-id>, such as Vlan10 or Vlan50.

Configuring MTU on VLAN interface

The MTU of a VLAN interface can be changed using the ifconfig <vlan name> mtu <mtu-value> command. The current value appears in the ifconfig output for the interface, for example:

admin@sonic:~$ sudo ifconfig Vlan10
Vlan10: flags=4099<UP,BROADCAST,MULTICAST>  mtu 9000
        inet 192.10.1.2  netmask 255.255.255.0  broadcast 192.10.1.255
        ether 48:1b:a4:e7:b4:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Configuring IPv6 Neighbor discovery

A user can configure IPv6 Neighbor discovery parameters using the FRR vtysh.

To go into the FRR vty shell:

admin@sonic:~$ vtysh

Hello, this is FRRouting (version 8.5.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

sonic#

Enter the configuration mode and check the neighbor discovery options available:

sonic# configure 
sonic(config)# interface Vlan10
sonic(config-if)# ipv6 nd 
  adv-interval-option     Advertisement Interval Option
  dnssl                   DNS search list information
  home-agent-config-flag  Home Agent configuration flag
  home-agent-lifetime     Home Agent lifetime
  home-agent-preference   Home Agent preference
  managed-config-flag     Managed address configuration flag
  mtu                     Advertised MTU
  other-config-flag       Other statefull configuration flag
  prefix                  Prefix information
  ra-fast-retrans         Fast retransmit of RA packets
  ra-hop-limit            Advertisement Hop Limit
  ra-interval             Router Advertisement interval
  ra-lifetime             Router lifetime
  ra-retrans-interval     Advertisement Retransmit Interval
  rdnss                   Recursive DNS server information
  reachable-time          Reachable time
  router-preference       Default router preference
  suppress-ra             Suppress Router Advertisement

Some examples of neighbor discovery configuration:

Configure managed-config-flag

sonic# configure 
sonic(config)# interface Vlan10
sonic(config-if)# ipv6 nd managed-config-flag

Configure other-config-flag

sonic# configure 
sonic(config)# interface Vlan10
sonic(config-if)# ipv6 nd other-config-flag

Configure ipv6 nd prefix with no auto config

sonic# configure 
sonic(config)# interface Vlan10
sonic(config-if)# ipv6 nd prefix 2001:0DB8:c18:1::3/64 no-autoconfig