Network
VLAN
An HAProxy ALOHA network interface may be connected to a switch interface through a VLAN trunk link. You can then create a VLAN interface on the HAProxy ALOHA instance to route traffic over the relevant VLAN. For example, you might isolate your application’s traffic onto a VLAN for better security, or to reduce network traffic and improve performance.
This feature is based on the VLAN tagging capability.
Create a VLAN interface
To create a VLAN interface, you have to add a new service network configuration section. You can do this either through the UI or through the Network Management CLI. The new VLAN interface will apply to an existing, physical network interface, such as eth1.
A physical network interface can support both its own IP configuration (untagged network) and one or more VLAN (tagged) interfaces. Traffic with a VLAN tag matching a defined VLAN goes to that VLAN, and traffic without a VLAN tag goes to the untagged network.
The untagged network does not serve as a default destination for tagged traffic that does not match any of the defined VLANs. HAProxy ALOHA will drop tagged traffic that does not match a defined VLAN.
Use the UI
To add the VLAN interface via the HAProxy ALOHA UI:
- In the Services tab, click network setup to display the current configuration of your network interfaces.
- Add a directive to create a new VLAN interface.
The syntax is as follows:
    service network eth<id>.<vlanid>
You can use a portion of your address space for VLAN traffic. Below, we define two networks, one for untagged, non-VLAN traffic and one for traffic tagged for VLAN 100. Traffic having any other tag is dropped. This should match the settings on your network switch.
    service network eth1
        ip address 172.16.100.4/25
    service network eth1.100
        ip address 172.16.100.131/25
You can also use the entire address space for VLANs. In the example below, we create VLANs 100, 200, 300, and 400 on interface eth1:
    service network eth1.100
        ip address 172.16.100.4/26
    service network eth1.200
        ip address 172.16.100.67/26
    service network eth1.300
        ip address 172.16.100.131/26
    service network eth1.400
        ip address 172.16.100.195/26
- Click OK and Close to return to the Services tab.
- Apply the configuration:
- If you just created the VLAN interface, click Restart on the network line.
- If you just updated an existing VLAN interface, click Reload.
Version > 16.0
In versions greater than 16.0, click the Apply new configuration button on the network line to apply the changes and automatically restart the network interface service.
You can manage IP configuration and VRRP settings in the same way as for a physical interface.
- To make your changes persistent after a reboot, click the Setup tab. Then click Save under Configuration.
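The address plans above only work if every interface on the trunk sits in its own subnet. The following is an added example, not part of HAProxy's documentation or tooling, that audits a saved copy of the `service network` sections for overlapping subnets and for VLAN IDs outside the 802.1Q range of 1 to 4094. The parser handles only the two directives shown on this page, and the sample configuration is constructed.

```python
import ipaddress
import re

# Constructed sample in the "service network" syntax shown above. eth1.200 is
# deliberately wrong: its /25 lands in the same subnet as untagged eth1.
SAMPLE = """\
service network eth1
    ip address 172.16.100.4/25
service network eth1.100
    ip address 172.16.100.131/25
service network eth1.200
    ip address 172.16.100.67/25
"""

SECTION = re.compile(r"^service network (eth\d+(?:\.(\d+))?)$")


def parse(text):
    """Return [(interface_name, vlan_id or None, IPv4Interface)] per address."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = (m.group(1), int(m.group(2)) if m.group(2) else None)
        elif line.startswith("service "):
            current = None  # some other section: ignore its directives
        elif current and line.startswith("ip address "):
            entries.append((*current, ipaddress.ip_interface(line.split()[2])))
    return entries


def audit(text):
    """Flag VLAN IDs outside the 802.1Q range and subnets shared by two interfaces."""
    entries, findings = parse(text), []
    for name, vid, _ in entries:
        if vid is not None and not 1 <= vid <= 4094:
            findings.append(f"{name}: VLAN ID outside 1-4094")
    for i, (n1, _, a) in enumerate(entries):
        for n2, _, b in entries[i + 1:]:
            if n1 != n2 and a.network.overlaps(b.network):
                findings.append(f"{n1} {a.network} overlaps {n2} {b.network}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Run against the four /26 sections from the page, `audit` returns an empty list.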
Use the Network Management CLI
Available since
- HAProxy ALOHA 16.5
To add the VLAN interface via the Network Management CLI:
- If you have not already done so, install the Network Management CLI.
- Go to the Tools tab and click Launch terminal.
- Use the netctl connection show command to show existing connection profiles. From the output, get the ID to use in subsequent commands.
    sudo netctl connection show
Output:
    ID             UUID                                  TYPE      DEVICE
    ethernet-eth0  b6a82f6f-3fdd-467f-b2a1-9e343ba66288  ethernet  eth0
    ethernet-eth1  8805fda9-b1a7-4d5c-bd83-615ceb9e9fdd  ethernet  eth1
- Using the connection profile’s ID, modify your existing network interface to use only a portion of the IP address space so that VLAN traffic can use another portion. Use the netctl connection modify and netctl connection up commands. The IP range should match the settings on your network switch.
    sudo netctl connection modify ethernet-eth1 \
      ipv4.method manual \
      ipv4.addresses 172.16.100.4/25
    sudo netctl connection up ethernet-eth1
Output:
    # Stopping network[eth1] ...
    ==> stop network[eth1] : Done.
    # Starting network[eth1] ...
    ==> start network[eth1] : Done.
    ==> load ip config network[eth1] : Done.
    Connection successfully activated
- You can use a portion of your address space for VLAN traffic. Below, we use the netctl connection add and netctl connection up commands to define an interface for traffic tagged for VLAN 100. Traffic having any other tag is dropped.
    sudo netctl connection add connection.type vlan \
      connection.id vlan-100 \
      vlan.id 100 \
      vlan.parent eth1 \
      ipv4.addresses 172.16.100.131/25
    sudo netctl connection up vlan-100
Output:
    Warning: service/instance not found in /var/state/network.rc, using default values.
    # Stopping network[eth1.100] ...
    ==> stop network[eth1.100] : Done.
    # Starting network[eth1.100] ...
    ==> start network[eth1.100] : Done.
    ==> load ip config network[eth1.100] : Done.
    Connection successfully activated
- Save the configuration to make your changes persistent after a reboot:
    sudo config save
Verify the VLAN interface
The VLAN interface should have been assigned to the physical interface, for example VLAN 100 on physical interface eth1. To check this, use the ip command to verify that the MAC addresses (the link/ether value) for the physical interface and its VLAN network are the same.
Below, we verify that the MAC addresses are the same on eth1 and eth1.100. Both show matching link/ether values of 08:00:27:8d:c0:4d.
    sudo ip addr show
Output:
    ...
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 08:00:27:8d:c0:4d brd ff:ff:ff:ff:ff:ff
        altname enp0s3
        inet 172.16.100.4/25 scope global eth1
           valid_lft forever preferred_lft forever
        inet6 fe80::a00:27ff:fe8d:c04d/64 scope link
           valid_lft forever preferred_lft forever
    4: eth1.100@eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether 08:00:27:8d:c0:4d brd ff:ff:ff:ff:ff:ff
        inet 172.16.100.131/25 scope global eth1.100
           valid_lft forever preferred_lft forever
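The comparison described above can be scripted over saved `ip addr show` text. This is an added example, not HAProxy's code; it goes one step beyond the page by also reporting a VLAN interface whose flags lack UP. The sample output, including the eth1.200 entry and its MAC address, is constructed.

```python
import re

# Constructed sample in `ip addr show` format: eth1.100 is healthy, eth1.200
# has a MAC that differs from its parent and is administratively down.
SAMPLE = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 08:00:27:8d:c0:4d brd ff:ff:ff:ff:ff:ff
    inet 172.16.100.4/25 scope global eth1
4: eth1.100@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 08:00:27:8d:c0:4d brd ff:ff:ff:ff:ff:ff
    inet 172.16.100.131/25 scope global eth1.100
5: eth1.200@eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
"""

HEADER = re.compile(r"^\d+: ([^:@\s]+)(?:@([^:\s]+))?: <([^>]*)>")
MAC = re.compile(r"^\s+link/ether ([0-9a-f:]{17})", re.I)


def parse_links(text):
    """Map interface name -> {'parent', 'flags', 'mac'} from `ip addr show` text."""
    links, name = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            name = h.group(1)
            links[name] = {"parent": h.group(2), "flags": h.group(3).split(","), "mac": None}
        elif name and (m := MAC.match(line)):
            links[name]["mac"] = m.group(1).lower()
    return links


def check_vlan(text, vlan_if):
    """Return a list of problems for one VLAN interface; empty means it checks out."""
    links = parse_links(text)
    vlan = links.get(vlan_if)
    if vlan is None:
        return [f"{vlan_if}: interface not present"]
    parent = links.get(vlan["parent"] or "")
    if parent is None:
        return [f"{vlan_if}: not attached to a listed parent interface"]
    problems = []
    if vlan["mac"] != parent["mac"]:
        problems.append(f"{vlan_if}: MAC {vlan['mac']} differs from {vlan['parent']} {parent['mac']}")
    if "UP" not in vlan["flags"]:
        problems.append(f"{vlan_if}: administratively down (no UP flag)")
    return problems


if __name__ == "__main__":
    for iface in ("eth1.100", "eth1.200"):
        print(iface, check_vlan(SAMPLE, iface) or "ok")
```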