Network Segmentation with VLANs on Linux
Virtual Local Area Networks (VLANs) provide logical network segmentation, allowing you to partition a single physical network into multiple isolated broadcast domains. This guide covers implementing 802.1Q VLAN tagging on Linux servers, configuring VLAN interfaces with ip link, using Netplan for persistent configuration, implementing inter-VLAN routing, and securing communication between segments with firewall rules.
Table of Contents
- System Requirements
- 802.1Q VLAN Basics
- Physical Configuration
- VLAN Configuration with ip link
- Netplan Configuration
- NetworkManager Configuration
- Inter-VLAN Routing
- Firewall Rules
- VLAN Management
- Troubleshooting
- Conclusion
System Requirements
VLAN support requires specific kernel features and network configuration:
- Linux kernel with the 8021q module (loaded or built-in)
- Network interface capable of VLAN tagging
- Root access for network configuration
- Layer 2 switch supporting 802.1Q tagging (for multi-device networks)
- Basic networking knowledge
Verify VLAN support (the module is loaded automatically the first time a VLAN interface is created, but loading it explicitly confirms it is available):
lsmod | grep 8021q
sudo modprobe 8021q
ip -d link show type vlan
802.1Q VLAN Basics
802.1Q is the standard protocol for VLAN tagging. It adds a 4-byte tag to Ethernet frames, allowing multiple VLANs over a single physical link.
Tag structure:
- TPID (Tag Protocol Identifier): 0x8100
- Priority Code Point (PCP): 3 bits (0-7)
- Canonical Format Indicator (CFI): 1 bit (now defined as the Drop Eligible Indicator, DEI)
- VLAN ID (VID): 12 bits (0-4094, usable 1-4094)
Example VLAN IDs:
VLAN 100: Management/Admin
VLAN 200: Production Services
VLAN 300: Development
VLAN 400: Guest Network
VLAN 500: Security Monitoring
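To make the tag layout above concrete, here is an added example (not part of the original guide) that builds and decodes an 802.1Q-tagged Ethernet frame, splitting the 16-bit TCI into PCP, DEI and VID and rejecting the reserved VIDs 0 and 4095. The sample frame is constructed here, not taken from a capture.

```python
import struct

TPID_8021Q = 0x8100   # customer tag, the TPID this guide configures
TPID_8021AD = 0x88A8  # service tag used as the outer tag in QinQ


def parse_vlan_tag(frame: bytes) -> dict:
    """Decode the first 802.1Q tag of an Ethernet frame.

    Returns the MAC addresses, the tag fields (pcp, dei, vid) and the
    encapsulated EtherType. Raises ValueError for untagged frames and for
    the reserved VIDs 0 (priority-only tag) and 4095.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src, tpid = struct.unpack("!6s6sH", frame[:14])
    if tpid not in (TPID_8021Q, TPID_8021AD):
        raise ValueError(f"untagged frame (EtherType 0x{tpid:04x})")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13          # 3 bits: priority code point (CoS 0-7)
    dei = (tci >> 12) & 0x1  # 1 bit: drop eligible indicator (formerly CFI)
    vid = tci & 0x0FFF       # 12 bits: VLAN ID
    if vid in (0, 4095):
        raise ValueError(f"reserved VID {vid}")
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "tpid": tpid, "pcp": pcp, "dei": dei, "vid": vid,
        "ethertype": ethertype, "payload": frame[18:],
    }


def build_vlan_frame(dst, src, vid, ethertype, payload, pcp=0, dei=0):
    """Assemble a tagged frame; the inverse of parse_vlan_tag."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Constructed sample (not a real capture): ARP request on VLAN 100 with CoS 5.
SAMPLE_FRAME = build_vlan_frame(
    dst=bytes.fromhex("ffffffffffff"), src=bytes.fromhex("001122334455"),
    vid=100, ethertype=0x0806, payload=b"\x00\x01\x08\x00\x06\x04\x00\x01", pcp=5)

if __name__ == "__main__":
    print(parse_vlan_tag(SAMPLE_FRAME))
```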
Physical Configuration
Configure the physical network infrastructure for VLAN support.
Network topology:
Switch (VLAN-capable)
|
+-- Server (eth0, tagged)
|   |
|   +-- eth0.100 (VLAN 100)
|   +-- eth0.200 (VLAN 200)
|   +-- eth0.300 (VLAN 300)
|
+-- Firewall
+-- Access Point
Configure the switch port facing the server as a VLAN trunk:
Switch configuration (Cisco-like example):
interface GigabitEthernet1/0/1
switchport mode trunk
switchport trunk allowed vlan 100,200,300,400,500
no shutdown
Set native VLAN on trunk:
switchport trunk native vlan 1
Configure access ports for specific VLANs:
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 200
no shutdown
VLAN Configuration with ip link
Use ip link commands to create and manage VLANs.
Verify the physical interface:
ip link show eth0
Create the VLAN interfaces:
sudo ip link add link eth0 name eth0.100 type vlan id 100
sudo ip link add link eth0 name eth0.200 type vlan id 200
sudo ip link add link eth0 name eth0.300 type vlan id 300
Bring up VLAN interfaces:
sudo ip link set eth0.100 up
sudo ip link set eth0.200 up
sudo ip link set eth0.300 up
Assign IP addresses to VLAN interfaces:
# Management VLAN (VLAN 100)
sudo ip addr add 192.168.100.10/24 dev eth0.100
# Production VLAN (VLAN 200)
sudo ip addr add 192.168.200.10/24 dev eth0.200
# Development VLAN (VLAN 300); an IPv4 octet cannot exceed 255, so the subnet is 192.168.30.0/24
sudo ip addr add 192.168.30.10/24 dev eth0.300
Verify the VLAN configuration (VLAN interface names do not contain the word "vlan", so filter by type instead of grepping):
ip -d link show type vlan
ip addr show type vlan
View VLAN statistics:
cat /proc/net/vlan/eth0.100
cat /proc/net/vlan/config
Remove VLAN interfaces:
sudo ip link del eth0.100
sudo ip link del eth0.200
Netplan Configuration
Make the VLAN configuration persistent using Netplan (Ubuntu/Debian).
Edit the Netplan configuration:
sudo nano /etc/netplan/99-vlans.yaml
Create the VLAN configuration (the top-level key is network; indentation is significant):
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
  vlans:
    eth0.100:
      id: 100
      link: eth0
      addresses:
        - 192.168.100.10/24
      routes:
        - to: 0.0.0.0/0
          via: 192.168.100.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
    eth0.200:
      id: 200
      link: eth0
      addresses:
        - 192.168.200.10/24
      # gateway4 is deprecated in favour of routes; it also installs a second
      # default route that competes with the one on eth0.100, so keep a
      # default route on only one VLAN unless that is intended.
      gateway4: 192.168.200.1
    eth0.300:
      id: 300
      link: eth0
      addresses:
        # an IPv4 octet cannot exceed 255, so VLAN 300 uses 192.168.30.0/24
        - 192.168.30.10/24
      gateway4: 192.168.30.1
Apply the configuration:
sudo netplan apply
Verify the configuration (netplan try reverts automatically after a timeout unless you confirm it, which protects you from locking yourself out):
sudo netplan try
ip addr show
ip route show
Make it permanent:
sudo netplan apply
For a multi-interface setup:
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
    eth1:
      dhcp4: no
  vlans:
    # VLAN 100 across eth0 and eth1
    eth0.100:
      id: 100
      link: eth0
      addresses:
        - 192.168.100.10/24
    eth1.100:
      id: 100
      link: eth1
      addresses:
        - 192.168.101.10/24
    # VLAN 200 across eth0 and eth1
    eth0.200:
      id: 200
      link: eth0
      addresses:
        - 192.168.200.10/24
    eth1.200:
      id: 200
      link: eth1
      addresses:
        - 192.168.201.10/24
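Netplan reports YAML syntax errors but not every logical fault, so here is an added example (not part of the original guide) that checks a Netplan VLAN mapping before it is applied: VLAN id range, parent defined under ethernets, duplicate id on one link, address validity, and more than one default route. The config is a constructed Python dict mirroring the layout above, with two deliberate faults (an address with an octet above 255, and default routes on two VLANs).

```python
import ipaddress


def validate_netplan_vlans(netplan: dict) -> list:
    """Return a list of problems found in a Netplan 'network' mapping; [] when clean."""
    problems = []
    net = netplan.get("network", {})
    ethernets = net.get("ethernets", {})
    vlans = net.get("vlans", {})
    seen = set()            # (link, id) pairs already defined
    default_routes = []     # VLANs that would install a default route
    for name, cfg in vlans.items():
        vid, link = cfg.get("id"), cfg.get("link")
        if not isinstance(vid, int) or not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN id {vid!r} outside 1-4094")
        if link not in ethernets:
            problems.append(f"{name}: parent {link!r} not defined under ethernets")
        if (link, vid) in seen:
            problems.append(f"{name}: VLAN {vid} already defined on {link}")
        seen.add((link, vid))
        for addr in cfg.get("addresses", []):
            try:
                ipaddress.ip_interface(addr)   # rejects e.g. 192.168.300.10/24
            except ValueError:
                problems.append(f"{name}: invalid address {addr!r}")
        if "gateway4" in cfg:
            default_routes.append(name)
        for route in cfg.get("routes", []):
            if route.get("to") in ("default", "0.0.0.0/0"):
                default_routes.append(name)
    if len(default_routes) > 1:
        problems.append("multiple default routes: " + ", ".join(default_routes))
    return problems


# Constructed config (not from a live host) with two deliberate faults.
SAMPLE_CONFIG = {"network": {
    "version": 2, "renderer": "networkd",
    "ethernets": {"eth0": {"dhcp4": False}},
    "vlans": {
        "eth0.100": {"id": 100, "link": "eth0", "addresses": ["192.168.100.10/24"],
                     "routes": [{"to": "0.0.0.0/0", "via": "192.168.100.1"}]},
        "eth0.200": {"id": 200, "link": "eth0", "addresses": ["192.168.200.10/24"],
                     "gateway4": "192.168.200.1"},
        "eth0.300": {"id": 300, "link": "eth0", "addresses": ["192.168.300.10/24"]},
    }}}

if __name__ == "__main__":
    for problem in validate_netplan_vlans(SAMPLE_CONFIG):
        print(problem)
```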
NetworkManager Configuration
Configure VLANs using NetworkManager (an alternative to Netplan).
Create a VLAN connection:
sudo nmcli connection add type vlan \
con-name vlan100 \
vlan.parent eth0 \
vlan.id 100 \
ipv4.addresses 192.168.100.10/24 \
ipv4.gateway 192.168.100.1 \
ipv4.method manual
Activate connection:
sudo nmcli connection up vlan100
Create additional VLANs:
sudo nmcli connection add type vlan \
con-name vlan200 \
vlan.parent eth0 \
vlan.id 200 \
ipv4.addresses 192.168.200.10/24 \
ipv4.gateway 192.168.200.1 \
ipv4.method manual
# VLAN 300 uses 192.168.30.0/24 (an IPv4 octet cannot exceed 255)
sudo nmcli connection add type vlan \
con-name vlan300 \
vlan.parent eth0 \
vlan.id 300 \
ipv4.addresses 192.168.30.10/24 \
ipv4.gateway 192.168.30.1 \
ipv4.method manual
List connections:
nmcli connection show
Show VLAN details:
nmcli connection show vlan100
Modify VLAN settings:
sudo nmcli connection modify vlan100 ipv4.addresses 192.168.100.20/24
sudo nmcli connection up vlan100
Delete a VLAN:
sudo nmcli connection delete vlan100
Inter-VLAN Routing
Configure routing between VLANs for controlled inter-VLAN communication.
Enable IP forwarding:
sudo sysctl -w net.ipv4.ip_forward=1
Make permanent:
sudo nano /etc/sysctl.conf
Add:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Apply:
sudo sysctl -p
Configure routing between VLANs. On the router that holds eth0.100, eth0.200 and eth0.300, the three subnets are already connected routes, so no static routes are needed there; the entries below belong on hosts that sit in a single VLAN and reach the others through the router's address in that VLAN:
# On a host in VLAN 100: reach VLAN 200 through the router's VLAN 100 address
sudo ip route add 192.168.200.0/24 via 192.168.100.1 dev eth0.100
# On a host in VLAN 200: reach VLAN 300 (192.168.30.0/24) through the router's VLAN 200 address
sudo ip route add 192.168.30.0/24 via 192.168.200.1 dev eth0.200
# On a host in VLAN 300: reach VLAN 100 through the router's VLAN 300 address
sudo ip route add 192.168.100.0/24 via 192.168.30.1 dev eth0.300
Make the routes persistent in Netplan:
vlans:
  eth0.100:
    id: 100
    link: eth0
    addresses:
      - 192.168.100.10/24
    routes:
      - to: 192.168.200.0/24
        via: 192.168.100.1
      - to: 192.168.30.0/24
        via: 192.168.100.1
Configure policy-based routing using a dedicated routing table:
# Create custom routing tables
sudo nano /etc/iproute2/rt_tables
Add:
200 vlan200
300 vlan300
Create the policy rule and populate the table (packets sourced from VLAN 100 are looked up in table vlan200 first, then fall through to the main table):
sudo ip rule add from 192.168.100.0/24 table vlan200
sudo ip route add 192.168.200.0/24 via 192.168.100.1 table vlan200
Verify the routes:
ip route show
ip route show table vlan200
Firewall Rules
Secure inter-VLAN communication with firewall rules.
Create firewall rules to control VLAN traffic. The chain policy provides the default drop and the rules are appended in order, so the conntrack rule comes first (replies to permitted flows are not blocked) and the allow rules follow it; matching on the in/out interface as well as the address prevents a host in one VLAN from spoofing another VLAN's source range:
# Drop all forwarded (inter-VLAN) traffic unless a rule below allows it
sudo iptables -P FORWARD DROP
# Allow return traffic for connections that were already permitted
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow VLAN 100 to VLAN 200 on MySQL (TCP 3306)
sudo iptables -A FORWARD -i eth0.100 -o eth0.200 -s 192.168.100.0/24 -d 192.168.200.0/24 -p tcp --dport 3306 -j ACCEPT
# Allow VLAN 200 to VLAN 300 (192.168.30.0/24) on HTTP
sudo iptables -A FORWARD -i eth0.200 -o eth0.300 -s 192.168.200.0/24 -d 192.168.30.0/24 -p tcp --dport 80 -j ACCEPT
Make the rules persistent (the redirect runs in your own shell, so it needs tee to write a root-owned file):
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
Using UFW (forwarded traffic is governed by the routed default policy and by route rules, not by plain allow rules, which only affect traffic addressed to the host itself):
sudo ufw default deny routed
# Allow MySQL from VLAN 100 to VLAN 200
sudo ufw route allow in on eth0.100 out on eth0.200 from 192.168.100.0/24 to 192.168.200.0/24 port 3306 proto tcp
# Allow HTTP from VLAN 200 to VLAN 300 (192.168.30.0/24)
sudo ufw route allow in on eth0.200 out on eth0.300 from 192.168.200.0/24 to 192.168.30.0/24 port 80 proto tcp
Log VLAN traffic (LOG is non-terminating; inserted at the top of the chain it records every VLAN 100 to VLAN 200 packet before the accept or drop decision):
sudo iptables -I FORWARD -s 192.168.100.0/24 -d 192.168.200.0/24 -j LOG --log-prefix "VLAN100->200: "
View the firewall logs:
sudo journalctl -k -f | grep "VLAN"
sudo tail -f /var/log/syslog | grep "VLAN"
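Grepping the log shows individual packets; what a defender usually wants is a count of inter-VLAN flows that no allow rule covers. Here is an added example (not part of the original guide) that parses netfilter LOG lines carrying the "VLAN100->200: " prefix and tallies flows outside the MySQL allow rule above. The log lines are constructed for the example, and the ALLOWED list is an assumption mirroring that rule.

```python
import ipaddress
import re
from collections import Counter

# The kernel appends KEY=VALUE packet fields after the rule's --log-prefix.
LOG_RE = re.compile(r"(?P<prefix>VLAN\d+->\d+): (?P<fields>.*)$")


def parse_log_line(line):
    """Return the prefix and packet fields of a netfilter LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return {
        "prefix": m.group("prefix"),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,  # absent for ICMP
    }


# Assumed allow-list mirroring the page's VLAN 100 -> VLAN 200 MySQL rule.
ALLOWED = [(ipaddress.ip_network("192.168.100.0/24"),
            ipaddress.ip_network("192.168.200.0/24"), "TCP", 3306)]


def is_allowed(rec):
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    return any(src in s and dst in d and rec["proto"] == p and rec["dpt"] == port
               for s, d, p, port in ALLOWED)


def unexpected_flows(lines):
    """Count logged flows no allow rule covers, keyed by (src, dst, proto, dport)."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["src"] and rec["dst"] and not is_allowed(rec):
            counts[(rec["src"], rec["dst"], rec["proto"], rec["dpt"])] += 1
    return counts


# Constructed syslog excerpt (not a real capture): one permitted MySQL
# connection, two SSH attempts that no rule allows, and an unrelated line.
SAMPLE_LOG = [
    "Mar  4 10:15:22 srv kernel: VLAN100->200: IN=eth0.100 OUT=eth0.200 SRC=192.168.100.25 DST=192.168.200.10 LEN=60 TTL=63 DF PROTO=TCP SPT=51514 DPT=3306 SYN",
    "Mar  4 10:15:23 srv kernel: VLAN100->200: IN=eth0.100 OUT=eth0.200 SRC=192.168.100.25 DST=192.168.200.10 LEN=60 TTL=63 DF PROTO=TCP SPT=51515 DPT=22 SYN",
    "Mar  4 10:15:24 srv kernel: VLAN100->200: IN=eth0.100 OUT=eth0.200 SRC=192.168.100.25 DST=192.168.200.10 LEN=60 TTL=63 DF PROTO=TCP SPT=51516 DPT=22 SYN",
    "Mar  4 10:15:25 srv sshd[1]: unrelated line without a VLAN prefix",
]
```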
VLAN Management
Manage and monitor VLAN configurations.
View all VLAN interfaces (with -d, ip prints the VLAN id and protocol for each):
ip -d link show type vlan
Show detailed VLAN information:
cat /proc/net/vlan/config
cat /proc/net/vlan/eth0.100
Monitor VLAN traffic:
# Real-time VLAN traffic
sudo iftop -i eth0.100
# VLAN statistics
ethtool -S eth0 | grep -i vlan
# Bandwidth usage per VLAN
vnstat -i eth0.100
vnstat -i eth0.200
Change the VLAN priority (CoS):
# Map socket priority 0 to 802.1p PCP 5 on frames leaving VLAN 100
sudo ip link set eth0.100 type vlan egress-qos-map 0:5
Configure the VLAN MTU (a VLAN interface cannot exceed the MTU of its parent, so raise eth0 first; the switch trunk must also accept jumbo frames):
# Set jumbo frames on the parent interface, then on the VLAN
sudo ip link set eth0 mtu 9000
sudo ip link set eth0.100 mtu 9000
Verify the MTU:
ip link show eth0.100
Troubleshooting
Diagnose VLAN configuration issues.
Verify that the VLAN exists:
ip link show | grep -E "eth0\.[0-9]+"
grep -E "eth0\.[0-9]+" /proc/net/vlan/config
Check interface status:
ip link show eth0.100
ip addr show eth0.100
Test connectivity between VLANs:
# From VLAN 100 host
ping 192.168.200.1
ping 192.168.200.10
# Check routing
traceroute 192.168.200.10
Debug routing:
# Show the main table, then every table (policy routing tables included)
ip route show
ip route show table all
# Show which route the kernel selects for a given destination and source
ip route get 192.168.200.10 from 192.168.100.10
Monitor traffic on a VLAN:
# Capture VLAN traffic
sudo tcpdump -i eth0.100 -n -A
# Show VLAN-tagged frames on physical interface
sudo tcpdump -i eth0 "vlan 100"
Check firewall rules:
sudo iptables -L FORWARD -n -v --line-numbers
sudo ufw status verbose
View kernel logs for VLAN issues:
dmesg | grep -i vlan
journalctl -k | grep -i vlan
Conclusion
VLANs provide powerful network segmentation capabilities on Linux servers without requiring additional hardware. By following this guide, you've implemented 802.1Q VLAN tagging, configured VLAN interfaces using both ip link and persistent configuration tools, set up inter-VLAN routing for controlled communication, implemented firewall rules for security, and established monitoring for VLAN activity. Proper VLAN design isolates workloads, improves security, and simplifies network management. Whether protecting sensitive production systems or isolating untrusted networks, VLANs are an essential component of modern network security architecture.