Network Segmentation with VLANs on Linux

Virtual Local Area Networks (VLANs) provide logical network segmentation, allowing you to partition a single physical network into multiple isolated broadcast domains. This guide covers implementing 802.1Q VLAN tagging on Linux servers, configuring VLAN interfaces with ip-link, using Netplan for persistent configuration, implementing inter-VLAN routing, and securing communication between segments with firewall rules.

System Requirements

VLAN support requires specific kernel features and network configuration:

  • Linux kernel with 8021q module (loaded or built-in)
  • Network interface capable of VLAN tagging
  • Root access for network configuration
  • Layer 2 switch supporting 802.1Q tagging (for multi-device networks)
  • Basic networking knowledge

Verify VLAN support:

lsmod | grep 8021q           # is the module loaded?
sudo modprobe 8021q          # load it if it is not
ip -d link show type vlan    # lists existing VLAN sub-interfaces (empty on a fresh host)

802.1Q VLAN Basics

802.1Q is the standard protocol for VLAN tagging. It adds a 4-byte tag to Ethernet frames, allowing multiple VLANs over a single physical link.

Tag structure:

  • TPID (Tag Protocol Identifier): 0x8100
  • Priority Code Point (PCP): 3 bits (0-7)
  • Canonical Format Indicator (CFI): 1 bit
  • VLAN ID (VID): 12 bits (0-4094, usable 1-4094)
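As an added example (not part of the original guide), the following Python decodes the tag structure above from a raw Ethernet frame; it also goes a step further and handles untagged frames and stacked 802.1ad/802.1Q (QinQ) tags. The sample frames are constructed inline.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (C-TAG)
TPID_8021AD = 0x88A8  # service VLAN tag (S-TAG, the outer tag in QinQ)

def vid_is_usable(vid: int) -> bool:
    """VID 0 (priority-tagged, no VLAN) and 4095 are reserved by 802.1Q."""
    return 1 <= vid <= 4094

def parse_vlan_tags(frame: bytes) -> dict:
    """Decode the VLAN tag stack that follows the Ethernet MAC header.

    Returns the MAC addresses, the tags outer-first (empty for an untagged
    frame) and the EtherType of the payload that follows the last tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break  # not a tag, so this is the payload EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": tpid,
            "pcp": tci >> 13,           # 3-bit priority (CoS)
            "dei": (tci >> 12) & 0x1,   # 1-bit DEI (the CFI bit in the original spec)
            "vid": tci & 0x0FFF,        # 12-bit VLAN ID
            "usable": vid_is_usable(tci & 0x0FFF),
        })
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags, "ethertype": tpid}

# Constructed samples: an ARP request tagged VLAN 100 with priority 5, and the
# same payload inside a QinQ stack (S-TAG 200 around C-TAG 100).
MACS = bytes.fromhex("ffffffffffff" "001122334455")
ARP_PAYLOAD = bytes.fromhex("0806") + bytes(28)
TAGGED_FRAME = MACS + struct.pack("!HH", TPID_8021Q, (5 << 13) | 100) + ARP_PAYLOAD
QINQ_FRAME = (MACS + struct.pack("!HH", TPID_8021AD, 200)
              + struct.pack("!HH", TPID_8021Q, 100) + ARP_PAYLOAD)

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED_FRAME), ("qinq", QINQ_FRAME)):
        print(name, parse_vlan_tags(frame))
```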

Example VLAN IDs:

VLAN 100: Management/Admin
VLAN 200: Production Services
VLAN 300: Development
VLAN 400: Guest Network
VLAN 500: Security Monitoring

Physical Configuration

Configure the physical network infrastructure for VLAN support.

Network topology:

Switch (VLAN-capable)
  |
  +-- Server (eth0, tagged)
  |     |
  |     +-- eth0.100 (VLAN 100)
  |     +-- eth0.200 (VLAN 200)
  |     +-- eth0.300 (VLAN 300)
  |
  +-- Firewall
  +-- Access Point

Configure the switch port as a VLAN trunk:

Switch configuration (example, Cisco-like syntax):
interface GigabitEthernet1/0/1
  switchport mode trunk
  switchport trunk allowed vlan 100,200,300,400,500
  no shutdown

Set native VLAN on trunk:

switchport trunk native vlan 1

Configure access ports for specific VLANs:

interface GigabitEthernet1/0/2
  switchport mode access
  switchport access vlan 200
  no shutdown

ip-link Configuration

Use ip-link commands to create and manage VLANs.

Verify the physical interface:

ip link show eth0

Create VLAN interfaces:

sudo ip link add link eth0 name eth0.100 type vlan id 100
sudo ip link add link eth0 name eth0.200 type vlan id 200
sudo ip link add link eth0 name eth0.300 type vlan id 300

Bring up VLAN interfaces:

sudo ip link set eth0.100 up
sudo ip link set eth0.200 up
sudo ip link set eth0.300 up

Assign IP addresses to VLAN interfaces:

# Management VLAN (VLAN 100)
sudo ip addr add 192.168.100.10/24 dev eth0.100

# Production VLAN (VLAN 200)
sudo ip addr add 192.168.200.10/24 dev eth0.200

# Development VLAN (VLAN 300); an IPv4 octet cannot exceed 255, so 192.168.30.0/24 is used
sudo ip addr add 192.168.30.10/24 dev eth0.300

Verify VLAN configuration:

ip -d link show type vlan
ip addr show type vlan

View VLAN statistics:

cat /proc/net/vlan/eth0.100
cat /proc/net/vlan/config

Delete VLAN interfaces:

sudo ip link del eth0.100
sudo ip link del eth0.200
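The following is an added pre-flight check, not part of the original guide: it validates a VLAN plan for one parent NIC (usable VLAN IDs, the kernel's 15-character interface name limit, well-formed addresses, non-overlapping subnets) before emitting the ip commands from this section, so a typo never reaches the host. The sample plan assumes 192.168.30.0/24 for VLAN 300, since an IPv4 octet cannot be 300.

```python
import ipaddress
import re

IFNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")  # kernel IFNAMSIZ allows 15 characters

def check_plan(parent: str, vlans: dict) -> list:
    """Return the problems in a {vlan_id: 'addr/prefix'} plan for one parent NIC.

    Everything checked here is something 'ip link' / 'ip addr' would reject, or
    would accept and then quietly break the segmentation (overlapping subnets).
    """
    errors, nets = [], []
    if not IFNAME_RE.match(parent):
        return [f"bad parent interface name: {parent!r}"]
    for vid, cidr in sorted(vlans.items()):
        if not 1 <= vid <= 4094:
            errors.append(f"VLAN ID {vid} is outside the usable range 1-4094")
            continue
        if len(f"{parent}.{vid}") > 15:
            errors.append(f"interface name {parent}.{vid} exceeds 15 characters")
        try:
            iface = ipaddress.ip_interface(cidr)
        except ValueError:
            errors.append(f"VLAN {vid}: {cidr!r} is not a valid address/prefix")
            continue
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            errors.append(f"VLAN {vid}: {cidr} is the network or broadcast address")
        for other_vid, other in nets:
            if net.overlaps(other):
                errors.append(f"VLAN {vid} subnet {net} overlaps VLAN {other_vid} subnet {other}")
        nets.append((vid, net))
    return errors

def vlan_commands(parent: str, vlans: dict) -> list:
    """Build the ip(8) commands from this section for a plan that passed check_plan."""
    problems = check_plan(parent, vlans)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    for vid, cidr in sorted(vlans.items()):
        name = f"{parent}.{vid}"
        cmds += [f"ip link add link {parent} name {name} type vlan id {vid}",
                 f"ip link set {name} up",
                 f"ip addr add {cidr} dev {name}"]
    return cmds

if __name__ == "__main__":
    # Constructed plan matching this guide (VLAN 300 on an assumed 192.168.30.0/24)
    plan = {100: "192.168.100.10/24", 200: "192.168.200.10/24", 300: "192.168.30.10/24"}
    print("\n".join("sudo " + c for c in vlan_commands("eth0", plan)))
```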

Netplan Configuration

Make VLAN configuration persistent using Netplan (Ubuntu/Debian).

Edit Netplan configuration:

sudo nano /etc/netplan/99-vlans.yaml

Create the VLAN configuration:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no

  vlans:
    eth0.100:
      id: 100
      link: eth0
      addresses:
        - 192.168.100.10/24
      routes:
        - to: 0.0.0.0/0
          via: 192.168.100.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]

    # The default route is defined on eth0.100 only; gateway4 is deprecated in
    # Netplan and a second default route would conflict with it.
    eth0.200:
      id: 200
      link: eth0
      addresses:
        - 192.168.200.10/24

    eth0.300:
      id: 300
      link: eth0
      addresses:
        - 192.168.30.10/24

Test the configuration first (netplan try reverts automatically unless you confirm it within the timeout):

sudo netplan try

Apply the configuration:

sudo netplan apply

Verify the result:

ip addr show type vlan
ip route show

For a more complex multi-interface setup:

network:
  version: 2
  renderer: networkd
  
  ethernets:
    eth0:
      dhcp4: no
    eth1:
      dhcp4: no
      
  vlans:
    # VLAN 100 across eth0 and eth1
    eth0.100:
      id: 100
      link: eth0
      addresses:
        - 192.168.100.10/24
        
    eth1.100:
      id: 100
      link: eth1
      addresses:
        - 192.168.101.10/24
        
    # VLAN 200 across eth0 and eth1
    eth0.200:
      id: 200
      link: eth0
      addresses:
        - 192.168.200.10/24
        
    eth1.200:
      id: 200
      link: eth1
      addresses:
        - 192.168.201.10/24

NetworkManager Configuration

Configure VLANs using NetworkManager (an alternative to Netplan).

Create a VLAN connection:

sudo nmcli connection add type vlan \
  con-name vlan100 \
  vlan.parent eth0 \
  vlan.id 100 \
  ipv4.addresses 192.168.100.10/24 \
  ipv4.gateway 192.168.100.1 \
  ipv4.method manual

Activate connection:

sudo nmcli connection up vlan100

Create additional VLANs:

sudo nmcli connection add type vlan \
  con-name vlan200 \
  vlan.parent eth0 \
  vlan.id 200 \
  ipv4.addresses 192.168.200.10/24 \
  ipv4.gateway 192.168.200.1 \
  ipv4.method manual

sudo nmcli connection add type vlan \
  con-name vlan300 \
  vlan.parent eth0 \
  vlan.id 300 \
  ipv4.addresses 192.168.30.10/24 \
  ipv4.gateway 192.168.30.1 \
  ipv4.method manual

List connections:

nmcli connection show

Show VLAN details:

nmcli connection show vlan100

Modify VLAN settings:

sudo nmcli connection modify vlan100 ipv4.addresses 192.168.100.20/24
sudo nmcli connection up vlan100

Delete a VLAN connection:

sudo nmcli connection delete vlan100

Inter-VLAN Routing

Configure routing between VLANs for controlled inter-VLAN communication.

Enable IP forwarding:

sudo sysctl -w net.ipv4.ip_forward=1

Make permanent:

sudo nano /etc/sysctl.conf

Add:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Apply:

sudo sysctl -p

Configure routes between VLANs (on a host that sits in only one VLAN, the other subnets are reached through that VLAN's gateway; on the multi-homed server above they are directly connected):

# Route from VLAN 100 to VLAN 200
sudo ip route add 192.168.200.0/24 via 192.168.100.1 dev eth0.100

# Route from VLAN 200 to VLAN 300
sudo ip route add 192.168.30.0/24 via 192.168.200.1 dev eth0.200

# Route from VLAN 300 to VLAN 100
sudo ip route add 192.168.100.0/24 via 192.168.30.1 dev eth0.300

Make routes persistent in Netplan:

vlans:
  eth0.100:
    id: 100
    link: eth0
    addresses:
      - 192.168.100.10/24
    routes:
      - to: 192.168.200.0/24
        via: 192.168.100.1
      - to: 192.168.30.0/24
        via: 192.168.100.1

Configure a custom routing table:

# Create a custom routing table
sudo nano /etc/iproute2/rt_tables

Add:

200 vlan200
300 vlan300

Create policy-based routing rules:

sudo ip rule add from 192.168.100.0/24 table vlan200
sudo ip route add 192.168.200.0/24 via 192.168.100.1 table vlan200

Verify routes:

ip route show
ip route show table vlan200

Firewall Rules

Secure inter-VLAN communication with firewall rules.

Create firewall rules to control VLAN traffic:

# Drop all inter-VLAN traffic by default (the -I rules below are inserted above this one)
sudo iptables -I FORWARD -j DROP

# Allow VLAN 100 to VLAN 200 on specific ports (MySQL)
sudo iptables -I FORWARD -s 192.168.100.0/24 -d 192.168.200.0/24 -p tcp --dport 3306 -j ACCEPT

# Allow VLAN 200 to VLAN 300 on HTTP
sudo iptables -I FORWARD -s 192.168.200.0/24 -d 192.168.30.0/24 -p tcp --dport 80 -j ACCEPT

# Allow return traffic for connections accepted above, in either direction
sudo iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Make rules persistent (requires the iptables-persistent package; the redirect must run as root, so a plain sudo iptables-save > file would fail):

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Using UFW (forwarded traffic is controlled with ufw route rules, not plain allow rules):

sudo ufw default deny routed

# Allow MySQL from VLAN 100 to VLAN 200
sudo ufw route allow in on eth0.100 out on eth0.200 from 192.168.100.0/24 to 192.168.200.0/24 port 3306 proto tcp

# Allow HTTP from VLAN 200 to VLAN 300
sudo ufw route allow in on eth0.200 out on eth0.300 from 192.168.200.0/24 to 192.168.30.0/24 port 80 proto tcp

Create logging for VLAN traffic:

sudo iptables -I FORWARD -s 192.168.100.0/24 -d 192.168.200.0/24 -j LOG --log-prefix "VLAN100->200: "

View firewall logs:

sudo journalctl -k -f | grep "VLAN"
# or, on systems with rsyslog:
sudo tail -f /var/log/syslog | grep "VLAN"
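Added example, not part of the original guide: a Python parser for the LOG lines the rule above produces, which counts new inter-VLAN connection attempts that fall outside the allowed MySQL and HTTP flows. The ALLOWED_FLOWS table mirrors this guide's firewall rules and the log lines are constructed samples.

```python
import re
from collections import Counter

# Policy from the firewall section: (in_iface, out_iface, proto, dport)
ALLOWED_FLOWS = {
    ("eth0.100", "eth0.200", "TCP", 3306),  # VLAN 100 -> VLAN 200, MySQL
    ("eth0.200", "eth0.300", "TCP", 80),    # VLAN 200 -> VLAN 300, HTTP
}
LOG_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(?P<prefix>VLAN[^:]*): (?P<rest>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_log_line(line: str):
    """Parse one iptables LOG line carrying a 'VLAN...' prefix; None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    f = dict(KV_RE.findall(rest))
    if "SRC" not in f or "DST" not in f:
        return None
    return {
        "prefix": m.group("prefix"),
        "in": f.get("IN", ""), "out": f.get("OUT", ""),   # OUT is empty for INPUT-chain logs
        "src": f["SRC"], "dst": f["DST"], "proto": f.get("PROTO", ""),
        "dport": int(f["DPT"]) if "DPT" in f else None,
        "syn": re.search(r"\bSYN\b", rest) is not None,   # TCP flags appear as bare tokens
    }

def unexpected_flows(lines) -> Counter:
    """Count new inter-VLAN connection attempts that the policy does not allow."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not rec["in"] or not rec["out"]:
            continue  # not a forwarded (inter-VLAN) packet
        if rec["proto"] == "TCP" and not rec["syn"]:
            continue  # mid-stream packet, not a new attempt
        if (rec["in"], rec["out"], rec["proto"], rec["dport"]) not in ALLOWED_FLOWS:
            counts[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts

# Constructed sample lines in the format the LOG rule above produces.
SAMPLE_LOG = [
    "Mar  4 10:01:02 srv kernel: [1234.567] VLAN100->200: IN=eth0.100 OUT=eth0.200 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.100.25 DST=192.168.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar  4 10:01:03 srv kernel: [1234.890] VLAN100->200: IN=eth0.100 OUT=eth0.200 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.100.25 DST=192.168.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar  4 10:01:04 srv kernel: [1235.001] VLAN100->200: IN=eth0.100 OUT=eth0.200 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.100.25 DST=192.168.200.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=501 RES=0x00 ACK URGP=0",
    "Mar  4 10:01:05 srv kernel: [1235.200] VLAN100->200: IN=eth0.100 OUT=eth0.200 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.100.25 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1",
]

if __name__ == "__main__":
    for flow, n in unexpected_flows(SAMPLE_LOG).items():
        print(n, flow)
```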

VLAN Management

Manage and monitor VLAN configurations.

View all VLAN interfaces:

ip -d link show type vlan

Show detailed VLAN information:

cat /proc/net/vlan/config
cat /proc/net/vlan/eth0.100

Monitor VLAN traffic:

# Real-time VLAN traffic
sudo iftop -i eth0.100

# VLAN statistics
ethtool -S eth0 | grep -i vlan

# Bandwidth usage per VLAN
vnstat -i eth0.100
vnstat -i eth0.200

Change VLAN priority (CoS):

# Set priority 5 for VLAN 100
sudo ip link set eth0.100 type vlan egress-qos-map 0:5

Configure the VLAN MTU:

# Set jumbo frames for the VLAN; a VLAN interface cannot have a larger MTU
# than its parent, so raise eth0 first
sudo ip link set eth0 mtu 9000
sudo ip link set eth0.100 mtu 9000

Verify the MTU:

ip link show eth0.100

Troubleshooting

Diagnose VLAN configuration issues.

Verify the VLAN exists:

ip link show | grep -E "eth0\.[0-9]+"
grep -E "eth0\.[0-9]+" /proc/net/vlan/config

Check interface status:

ip link show eth0.100
ip addr show eth0.100

Test connectivity between VLANs:

# From VLAN 100 host
ping 192.168.200.1
ping 192.168.200.10

# Check routing
traceroute 192.168.200.10

Debug routing:

# Show all routes, including every routing table
ip route show
ip route show table all

# Show which route the kernel would pick for a destination
ip route get 192.168.200.10
ip route get 192.168.200.10 from 192.168.100.10 iif eth0.100

Monitor traffic on a VLAN:

# Capture traffic on the VLAN sub-interface (the tag is already stripped here)
sudo tcpdump -i eth0.100 -n -A

# Show VLAN-tagged frames on the physical interface, printing the tag
sudo tcpdump -i eth0 -e -n "vlan 100"

Check firewall rules:

sudo iptables -L FORWARD -n
sudo ufw status verbose

View kernel logs for VLAN issues:

dmesg | grep -i vlan
journalctl | grep -i vlan

Conclusion

VLANs provide powerful network segmentation capabilities on Linux servers without requiring additional hardware. By following this guide, you've implemented 802.1Q VLAN tagging, configured VLAN interfaces using both ip-link and persistent configuration tools, set up inter-VLAN routing for controlled communication, implemented firewall rules for security, and established monitoring for VLAN activity. Proper VLAN design isolates workloads, improves security, and simplifies network management. Whether protecting sensitive production systems or isolating untrusted networks, VLANs are an essential component of modern network security architecture.