Linux VLAN Trunking and Subinterface Configuration

Linux VLAN Trunking and Subinterface Configuration

In today’s network architecture, VLAN (Virtual Local Area Network) is a core technology for isolating network traffic, enhancing security, and improving management efficiency. As a representative of open-source server platforms, Linux systems support flexible VLAN trunking and subinterface configuration. This not only helps administrators manage multiple VLANs over a single physical interface but also optimizes network performance and reduces hardware costs. According to Cisco’s 2023 Network Report, the usage rate of VLAN technology in enterprise environments exceeds 80%. Properly configuring VLAN trunking and subinterfaces can significantly enhance the network capabilities of Linux servers.

1. Basics of VLAN Trunking and Subinterfaces

1.1 What is VLAN?

VLAN is a network technology defined by the IEEE 802.1Q standard that logically divides a physical LAN into multiple broadcast domains. Each VLAN acts like an independent LAN, isolating traffic and enhancing security and performance.

Characteristics of VLAN:

  • Isolation: Traffic from different VLANs does not intercommunicate.
  • Flexibility: Dynamically assign ports to VLANs.
  • Efficiency: Reduces broadcast storms.
  • Tagging: Uses 802.1Q tags (VLAN ID 0-4095) to identify frames.

VLAN is the foundation of modern networks.

1.2 What is VLAN Trunking?

VLAN trunking is a mechanism that allows multiple VLAN traffic to pass through a single physical link. It is typically used for connections between switches or from switches to routers. Trunk ports carry VLAN-tagged frames, allowing the transmission of multi-VLAN data across devices.

Principle of Trunking:

  • 802.1Q Trunk: Frames have a 4-byte tag added (TPID, PRI, CFI, VID).
  • Native VLAN: Untagged VLAN, default is 1.
  • Allowed VLANs: Configured list of VLANs allowed on the trunk port.

In Linux, trunking is implemented through subinterfaces.

1.3 What is a Subinterface?

A subinterface is a virtual subinterface of a Linux network interface used to handle VLAN tags. A subinterface like eth0.10 represents VLAN 10 on the eth0 interface.

Characteristics of Subinterfaces:

  • Virtual: Based on a physical interface.
  • Tag Handling: Automatically adds/removes VLAN tags.
  • Independent Configuration: Each subinterface has its own IP and routing.
  • Module: Supported by the 8021q module.

Subinterfaces are central to Linux VLAN trunking.

1.4 Importance of VLAN Trunking and Subinterfaces

VLAN trunking and subinterfaces are powerful tools for network management:

  • Isolation: Logically segment networks, enhancing security.
  • Performance: Reduces physical link usage, improving bandwidth utilization.
  • Flexibility: Dynamically configure VLANs.
  • Cost: A single interface supports multiple networks.
  • Scalability: Supports SDN and virtualization.

For example, in data centers, trunking reduces cabling costs.

1.5 Typical Scenarios for Configuration

  • Router: Linux routes multiple VLANs.
  • Virtualization: KVM host trunking to VMs.
  • Testing Environment: Simulating multiple networks.
  • Enterprise Network: Department VLAN separation.
  • Cloud Server: EC2 VLAN configuration.

1.6 Challenges in Configuration

  • Compatibility: Network cards must support VLAN.
  • Performance Overhead: Tag handling increases CPU load.
  • Security: Risk of VLAN hopping attacks.
  • Management: Multiple subinterfaces can be complex.
  • Debugging: Tag errors can lead to isolation failures.

1.7 Goals of Configuration

  • Efficiency: Low-latency trunking.
  • Security: Prevent VLAN hopping.
  • Manageability: Automation scripts.
  • Compatibility: Support for multiple network cards.
  • Scalability: Dynamically add subinterfaces.

2. Principles of VLAN Trunking and Subinterfaces

2.1 VLAN Tagging Principles

802.1Q tags are 4 bytes inserted into Ethernet frames:

  • TPID: 0x8100 indicates VLAN.
  • PRI: Priority (0-7).
  • CFI: Canonical Format Indicator.
  • VID: VLAN ID (0-4095).

Principle: Switches forward frames based on VID, trunk ports retain tags.

2.2 Trunking Principles

Trunk ports are configured in trunk mode, allowing specific VLANs to pass through. Cisco uses switchport mode trunk.

Linux Trunking: Network cards receive tagged frames, the kernel’s 8021q module strips the tags and routes to subinterfaces.

2.3 Subinterface Principles

Subinterfaces are created using the VLAN interface type:

  • vlan_id: VLAN ID.
  • parent: Physical interface.

Kernel Module: 8021q.

sudo modprobe 8021q

Principle: When receiving frames, check the tag, match the subinterface VID, and forward to the subinterface.

Subinterface IP: Independently configured, e.g., eth0.10 IP 192.168.10.1.

2.4 Security Principles

  • VLAN Hopping: Double-tagging attack.
  • Prevention: Native VLAN not used for data, port security.

Linux: SELinux restricts interface access.

2.5 Performance Principles

  • Overhead: Tag handling adds 4 bytes and CPU load.
  • Optimization: Jumbo Frames reduce the number of packets.

2.6 Summary of Principles

VLAN trunking multiplexes links through tags, and Linux subinterfaces implement virtual interface handling.

3. Practical Configuration of Linux VLAN Trunking and Subinterfaces

3.1 Preparation

  1. Load the module:

    sudo modprobe 8021q

  2. Check the network card:

    sudo ip link show eth0

  3. Switch configuration for trunk (Cisco example):

    interface GigabitEthernet1/0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30

3.2 Creating Subinterfaces

  1. Create a subinterface:

    sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip addr add 192.168.10.1/24 dev eth0.10
sudo ip link set eth0.10 up

  2. Permanent configuration (NetworkManager):

    sudo nmcli con add type vlan con-name vlan10 ifname eth0.10 dev eth0 id 10 ip4 192.168.10.1/24
sudo nmcli con up vlan10

  3. /etc/network/interfaces (Debian):

    auto eth0.10
iface eth0.10 inet static
address 192.168.10.1/24
vlan-raw-device eth0

    sudo ifup eth0.10

3.3 Trunking Configuration

  1. Allow all VLANs:

  • Linux acts as a trunk client, switch configured for trunk.

  • Test connectivity:

    ping 192.168.10.2

  • View interfaces:

    ip link show type vlan
vlan id 10 @eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000

    • 3.4 Advanced Configuration

    • Multiple subinterfaces:

      sudo ip link add link eth0 name eth0.20 type vlan id 20

    • VLAN tag stripping:

      • Handled automatically by the kernel.

    • Bridging VLAN:

      sudo brctl addbr br0
sudo brctl addif br0 eth0.10

    3.5 Monitoring Configuration

    • View traffic:

      sudo ip -s link show eth0.10

    • tcpdump:

      sudo tcpdump -i eth0.10 -e vlan

    4. Tools for VLAN Trunking and Subinterfaces

    4.1 vconfig (Deprecated)

    Usage:

    sudo vconfig add eth0 10
sudo ifconfig eth0.10 up

    Note: Use ip link instead.

    4.2 ip link

    Usage: As in 3.2.

    4.3 VLAN Module Parameters

    • View:

      modinfo 8021q

    4.4 NetworkManager

    Usage: Configure VLAN with nmcli.

    4.5 tcpdump

    Usage:

    sudo tcpdump -i eth0 vlan 10

    5. Case Studies

    5.1 Case 1: Routing Multiple VLANs

    Scenario: Linux router connecting multiple VLANs.

    Steps:

    1. Create eth0.10, eth0.20.
    2. Configure IP and routing.
    3. ip route add.

    Result: Multiple networks intercommunicate.

    5.2 Case 2: Virtualization Trunking

    Scenario: KVM host trunking to VMs.

    Steps:

    1. Host creates subinterfaces.
    2. virsh edits VM XML to add VLAN.

    Result: VMs support multiple VLANs.

    5.3 Case 3: Secure VLAN Configuration

    Scenario: Isolating departmental networks.

    Steps:

    1. Configure trunk port to allow VLANs.
    2. Subinterface firewall rules. Result: Traffic isolation.

    6. Best Practices

    6.1 Configuration Best Practices

    • Use ip link instead of vconfig.
    • Limit allowed VLANs on switch trunk.

    6.2 Security Best Practices

    • Do not use native VLAN for data.
    • Use ACLs to control inter-VLAN traffic.

    6.3 Performance Optimization

    • MTU 9000 Jumbo Frames.
    • Multi-queue network cards.

    6.4 Monitoring Best Practices

    • Use Prometheus to monitor subinterface traffic.

    6.5 Common Troubleshooting

    • Subinterface not up: ip link set up.
    • Tag loss: Check switch trunk.
    • Low performance: Optimize MTU.

    7. Conclusion

    Linux VLAN trunking and subinterface configuration are powerful tools for network management, enabling multi-VLAN support through the 8021q module.

    Related posts

    1. Modular Synthesis of C2-Substituted Bicyclo[1.1.1]pentanes via Photocatalysis
    2. RK3399 for 50 Yuan: 4G+32G, Can Be Used as a Light NAS
    3. Wi-Fi Signal Full, Security Cannot Drop: Essential Cybersecurity Knowledge
    4. Want to Escape Everything? These Travel Destinations Have No Wi-Fi
    5. All-in-One Linux Toolbox Script | A Tool for Enhancing Operational Efficiency!
    6. Which Data Occupies Linux Cache
    7. Scientific Image Processing on Linux
    8. Understanding Memory Allocation in Embedded Linux: Using malloc and Learning mmap
    9. One-Click Installation of Nginx on Linux
    10. In-Depth Analysis of Linux Command: uname — Your System ‘ID Card’ Viewer
    11. The Three Musketeers of File Extraction in Linux: Are You Familiar with Them?
    12. Post-Penetration on Linux: Various Methods for Credential Collection (Part 1)
    13. Why Programmers Must Use Linux

    Leave a Comment