Creating and Managing VLANs on Linux: A Comprehensive Guide

Virtual Local Area Networks (VLANs) are a fundamental networking technology that enable logical segmentation of physical networks, improving security, reducing broadcast traffic, and simplifying network management. While VLANs are traditionally configured on dedicated network switches, Linux systems—whether acting as servers, routers, or virtualization hosts—can also create and manage VLANs directly. This capability makes Linux a powerful tool for building flexible, software-defined networks. In this blog, we’ll dive deep into VLAN concepts, tools, and best practices for Linux. By the end, you’ll be able to configure, manage, and troubleshoot VLANs on Linux systems with confidence.

Table of Contents

1. Understanding VLANs: Fundamentals
   • What is a VLAN?
   • 802.1Q VLAN Tagging
   • Access vs. Trunk Ports
   • Native VLAN
2. Prerequisites
3. Tools for VLAN Management on Linux
   • iproute2 (Recommended)
   • vconfig (Deprecated)
   • Netplan
   • NetworkManager
4. Creating and Configuring VLANs
   • Temporary VLAN Configuration (iproute2)
   • Persistent VLAN Configuration
     • Using /etc/network/interfaces (Debian/Ubuntu)
     • Using systemd-networkd
     • Using Netplan (Modern Ubuntu)
5. Managing VLAN Interfaces
   • Bringing Up/Down VLAN Interfaces
   • Deleting VLAN Interfaces
   • Verifying VLAN Configuration
6. Common Use Cases and Practices
   • Inter-VLAN Routing with Linux
   • Trunking VLANs on a Linux Interface
   • VLAN-Aware Bridges for Virtualization
7. Best Practices for VLAN Management on Linux
   • Consistent Naming Conventions
   • Security Hardening
   • Monitoring and Troubleshooting
   • MTU Considerations
8. Conclusion
9. References

Understanding VLANs: Fundamentals

What is a VLAN?

A VLAN is a logical subgroup of devices on a physical network that communicate as if they were on the same physical segment, even if they are geographically dispersed. VLANs improve network efficiency by limiting broadcast domains, enhance security by isolating traffic, and simplify management by grouping devices by function (e.g., “Finance” or “IoT”).

802.1Q VLAN Tagging

VLANs rely on the IEEE 802.1Q standard, which defines how Ethernet frames are tagged to identify their VLAN membership. A VLAN tag is inserted into the Ethernet frame header, adding 4 bytes of metadata:

• TPID (Tag Protocol Identifier): A 2-byte field set to 0x8100 to indicate an 802.1Q tag.
• TCI (Tag Control Information): A 2-byte field containing:
  • Priority Code Point (PCP): 3 bits for Quality of Service (QoS).
  • Drop Eligible Indicator (DEI): 1 bit for congestion control.
  • VLAN ID (VID): 12 bits for the VLAN identifier (range: 0–4095).

Note: VID 0 (reserved) and 4095 (broadcast) are not usable for standard VLANs.

Access vs. Trunk Ports

• Access Port: A port assigned to a single VLAN. It sends and receives untagged frames, which the switch tags internally. Devices connected to access ports (e.g., desktops, printers) are unaware of VLANs.
• Trunk Port: A port that carries traffic for multiple VLANs. It sends and receives tagged frames (except for the “native VLAN,” see below) and is typically used between switches or between a switch and a Linux router/server.

Native VLAN

A trunk port may have a native VLAN (default: VLAN 1), which carries untagged frames. If a frame arrives untagged on a trunk port, it is assigned to the native VLAN. Conversely, frames from the native VLAN are sent untagged. Best practice: Avoid using VLAN 1 as the native VLAN for security.

Prerequisites

Before configuring VLANs on Linux, ensure:

• A Linux system (tested on Ubuntu 22.04, Debian 12, and RHEL 9).
• Root or sudo access.
• Kernel support for 802.1Q: Verify with lsmod | grep 8021q. If missing, load the module with sudo modprobe 8021q (persist across reboots with echo "8021q" | sudo tee -a /etc/modules).
• One or more physical network interfaces (e.g., eth0, enp0s3).

Tools for VLAN Management on Linux

iproute2 (Recommended)

The iproute2 suite (via the ip command) is the modern, recommended tool for network configuration in Linux. It replaces legacy tools like ifconfig and vconfig and natively supports VLANs.

vconfig (Deprecated)

vconfig was once the standard tool for VLAN management but is now deprecated. It is not recommended for new deployments, as iproute2 offers superior functionality.

Netplan

Netplan is a YAML-based network configuration tool used in modern Ubuntu (18.04+), Fedora, and RHEL systems. It abstracts low-level tools like iproute2 or NetworkManager and simplifies persistent VLAN setup.

NetworkManager

NetworkManager is a dynamic network management tool (common on desktops and some servers). It supports VLANs via GUI tools (e.g., nm-connection-editor) or CLI (nmcli).

Creating and Configuring VLANs

Temporary VLAN Configuration (iproute2)

Temporary configurations (lost after reboot) are useful for testing. Use ip link to create a VLAN interface:

Step 1: Create a VLAN interface

# Syntax: ip link add link <parent-interface> name <vlan-interface> type vlan id <vlan-id>
sudo ip link add link eth0 name eth0.10 type vlan id 10

• link eth0: The physical parent interface.
• name eth0.10: Name of the VLAN interface (convention: <parent>.<vlan-id>).
• id 10: VLAN ID (1–4094).

Step 2: Assign an IP address

sudo ip addr add 192.168.10.1/24 dev eth0.10

Step 3: Bring the interface up

sudo ip link set dev eth0.10 up

Persistent VLAN Configuration

To retain VLAN settings across reboots, use one of the methods below.

Using /etc/network/interfaces (Debian/Ubuntu)

Older Debian/Ubuntu systems use /etc/network/interfaces for network configuration:

sudo nano /etc/network/interfaces

Add the following stanza:

# VLAN 10 on eth0
auto eth0.10
iface eth0.10 inet static
  address 192.168.10.1
  netmask 255.255.255.0
  vlan-raw-device eth0  # Specify the parent interface

Apply changes:

sudo ifup eth0.10

Using systemd-networkd

systemd-networkd is a lightweight network manager for servers. Configure VLANs with .network files:

1. Configure the parent interface (e.g., /etc/systemd/network/eth0.network):

   [Match]
   Name=eth0  # Match the physical interface
   
   [Network]
   VLAN=eth0.10  # Enable VLAN interface eth0.10

2. Configure the VLAN interface (e.g., /etc/systemd/network/eth0.10.network):

   [Match]
   Name=eth0.10  # Match the VLAN interface
   
   [Network]
   Address=192.168.10.1/24  # Assign IP address

3. Apply changes:

   sudo systemctl restart systemd-networkd

Using Netplan (Modern Ubuntu)

Netplan uses YAML files in /etc/netplan/ (e.g., 01-netcfg.yaml).

1. Edit the Netplan config:

   sudo nano /etc/netplan/01-netcfg.yaml

2. Add a VLAN configuration:

   network:
     version: 2
     renderer: networkd  # Use systemd-networkd (or "NetworkManager" for desktops)
     ethernets:
       eth0:  # Parent interface
         dhcp4: no  # Disable DHCP
     vlans:
       eth0.10:  # VLAN interface name
         id: 10  # VLAN ID
         link: eth0  # Parent interface
         addresses: [192.168.10.1/24]  # Static IP

3. Apply changes:

   sudo netplan apply

Managing VLAN Interfaces

Bringing Up/Down VLAN Interfaces

# Bring up
sudo ip link set dev eth0.10 up

# Bring down
sudo ip link set dev eth0.10 down

Deleting VLAN Interfaces

sudo ip link delete eth0.10 type vlan

Verifying VLAN Configuration

• Check VLAN interface details:

  ip -d link show eth0.10  # "-d" shows detailed info (e.g., VLAN ID)

  Output example:

  3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
      link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 1500
      vlan protocol 802.1Q id 10 <REORDER_HDR>

• Check IP address:

  ip addr show eth0.10

• List all VLANs on a trunk port:

  bridge vlan show dev eth0  # Requires the bridge-utils package

Common Use Cases and Practices

Inter-VLAN Routing with Linux

Linux can act as a router between VLANs by enabling IP forwarding.

1. Enable IP forwarding (persistent):

   echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
   sudo sysctl -p  # Apply immediately

2. Create VLANs for multiple subnets (e.g., eth0.10 for 192.168.10.0/24 and eth0.20 for 192.168.20.0/24).

3. Devices on VLAN 10 can now communicate with devices on VLAN 20 via the Linux router’s IP (e.g., 192.168.10.1 and 192.168.20.1).

Trunking VLANs on a Linux Interface

To carry multiple VLANs on a single interface (e.g., connecting Linux to a switch trunk port), create multiple VLAN interfaces on the same parent:

# VLAN 10
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip addr add 192.168.10.1/24 dev eth0.10
sudo ip link set dev eth0.10 up

# VLAN 20
sudo ip link add link eth0 name eth0.20 type vlan id 20
sudo ip addr add 192.168.20.1/24 dev eth0.20
sudo ip link set dev eth0.20 up

The parent interface (eth0) will now process tagged frames for VLAN 10 and 20.

VLAN-Aware Bridges for Virtualization

For virtualization (KVM/QEMU), a VLAN-aware bridge allows VMs to connect to specific VLANs without creating per-VLAN interfaces on the host.

1. Install bridge-utils:

   sudo apt install bridge-utils  # Debian/Ubuntu
   sudo dnf install bridge-utils  # RHEL/Fedora

2. Create a VLAN-aware bridge:

   sudo ip link add name br0 type bridge vlan_filtering 1  # Enable VLAN filtering
   sudo ip link set dev br0 up

3. Add the parent interface to the bridge:

   sudo ip link set dev eth0 master br0
   sudo ip link set dev eth0 up

4. Allow VLANs 10 and 20 on the bridge port (eth0):

   sudo bridge vlan add dev eth0 vid 10,20  # Allow VLANs 10 and 20

5. VMs connect to br0 and tag their traffic with the desired VLAN ID (e.g., via libvirt XML configuration).

Best Practices for VLAN Management on Linux

Consistent Naming Conventions

Use a clear naming scheme for VLAN interfaces (e.g., <parent-interface>.<vlan-id> like eth0.10). This simplifies troubleshooting and documentation.

Security Hardening

• Avoid VLAN 1: Disable VLAN 1 (default native VLAN) and use a non-default native VLAN (e.g., VLAN 999) on trunks.
• Limit VLAN IDs: Only enable necessary VLANs on trunk ports (use bridge vlan to prune unused VLANs).
• Isolate Sensitive VLANs: Restrict inter-VLAN routing with iptables:

  # Block traffic from VLAN 10 to VLAN 20
  sudo iptables -A FORWARD -i eth0.10 -o eth0.20 -j DROP

Monitoring and Troubleshooting

• Tcpdump: Capture VLAN-tagged traffic:

  sudo tcpdump -i eth0 vlan 10  # Capture VLAN 10 traffic on eth0

• Check VLAN filtering: Verify vlan_filtering is enabled on bridges:

  sudo bridge link show dev eth0  # Look for "vlan_filtering 1"

• Logs: Check system logs for network issues:

  journalctl -u systemd-networkd  # For systemd-networkd

MTU Considerations

VLAN tags add 4 bytes to Ethernet frames. If the parent interface uses MTU 1500, VLAN interfaces will effectively have MTU 1496 (since 1500 - 4 = 1496). To avoid fragmentation:

• Set the parent interface MTU to 1504 (1500 + 4) to allow VLAN interfaces to use MTU 1500:

  sudo ip link set dev eth0 mtu 1504

Conclusion

Linux provides robust tools for creating and managing VLANs, making it a versatile platform for network segmentation. By leveraging iproute2, Netplan, or systemd-networkd, you can configure VLANs for temporary testing or persistent production environments. Whether you’re building a home lab, a small business network, or an enterprise-grade setup, following best practices like consistent naming, security hardening, and monitoring will ensure a reliable and secure VLAN implementation.

References

• Linux ip Command Man Page
• [IEEE 802.1Q Standard](