Set up Linux network bridges with VLAN tagging to create isolated network segments for virtual machines and containers. This enables advanced networking scenarios with traffic separation and trunk port functionality.
Prerequisites
- Root or sudo access
- Physical network interface
- Basic understanding of networking concepts
What this solves
Network bridges with VLAN support allow you to create multiple isolated network segments on a single physical interface. This is essential for virtualization environments where you need to separate traffic between different VMs, create trunk connections to virtual switches, or implement network segmentation for security and performance reasons.
Step-by-step configuration
Install bridge utilities and VLAN tools
First install the required packages for bridge management and VLAN configuration.
```sh
sudo apt update
sudo apt install -y bridge-utils vlan ifenslave net-tools
```
Load the 8021q VLAN kernel module
Enable VLAN support in the kernel and make it persistent across reboots.
```sh
sudo modprobe 8021q
echo '8021q' | sudo tee -a /etc/modules
```
Create the main network bridge
Set up a basic bridge interface that will serve as the foundation for VLAN-aware networking.
```sh
sudo ip link add name br0 type bridge
sudo ip link set dev br0 up
```
Configure bridge VLAN filtering
Enable VLAN filtering on the bridge. With filtering on, the bridge only forwards a frame out of a port that is a member of the frame's VLAN, so the per-port VLAN table (shown by `bridge vlan show`) is what enforces the separation between segments. Every port, including the bridge device itself (the `self` entry), starts out as an untagged member of VLAN 1 only.
```sh
sudo ip link set dev br0 type bridge vlan_filtering 1
sudo bridge vlan add dev br0 vid 1 pvid untagged self
```
Add physical interface to bridge
Connect your physical network interface to the bridge. Replace eth0 with your actual interface name.
```sh
sudo ip link set dev eth0 master br0
sudo ip link set dev eth0 up
```
Configure trunk port for multiple VLANs
Set up the physical interface as a trunk port that carries VLANs 100, 200 and 300 as tagged frames. eth0 keeps its default untagged membership of VLAN 1, so untagged frames arriving from the upstream switch land in VLAN 1 on the bridge.
```sh
sudo bridge vlan add dev eth0 vid 100
sudo bridge vlan add dev eth0 vid 200
sudo bridge vlan add dev eth0 vid 300
# The bridge device itself ("self") must also be a member, or the host-side br0.N interfaces created later never see these VLANs
sudo bridge vlan add dev br0 vid 100 self
sudo bridge vlan add dev br0 vid 200 self
sudo bridge vlan add dev br0 vid 300 self
sudo bridge vlan show
```
Create VLAN-aware bridge interfaces
Create specific VLAN interfaces on the bridge for different network segments.
```sh
sudo ip link add link br0 name br0.100 type vlan id 100
sudo ip link add link br0 name br0.200 type vlan id 200
sudo ip link add link br0 name br0.300 type vlan id 300
```
Assign IP addresses to VLAN interfaces
Configure a host IP address on each VLAN segment; these addresses become the gateways if you later enable routing between the segments.
```sh
sudo ip addr add 192.168.100.1/24 dev br0.100
sudo ip addr add 192.168.200.1/24 dev br0.200
# 192.168.300.0/24 is not a valid IPv4 network (octets stop at 255), so VLAN 300 uses 192.168.30.0/24
sudo ip addr add 192.168.30.1/24 dev br0.300
```
Bring up VLAN interfaces
Activate all the VLAN interfaces to make them available for virtual machine connections.
```sh
sudo ip link set dev br0.100 up
sudo ip link set dev br0.200 up
sudo ip link set dev br0.300 up
```
Make configuration persistent with Netplan
Create a permanent network configuration that survives system reboots. This example works for Ubuntu and Debian systems using Netplan. Netplan has no key for bridge VLAN filtering or per-port VLAN membership, so a bridge defined this way comes back after a reboot with filtering off (every port sees every VLAN) until the `vlan_filtering` and `bridge vlan` commands from the steps above are applied again, for example from a script run at boot.
```yaml
# Save under /etc/netplan/ with a .yaml extension
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      interfaces: [eth0]
      parameters:
        stp: true
        forward-delay: 4
      dhcp4: false
      dhcp6: false
  vlans:
    br0.100:
      id: 100
      link: br0
      addresses:
        - 192.168.100.1/24
    br0.200:
      id: 200
      link: br0
      addresses:
        - 192.168.200.1/24
    br0.300:
      id: 300
      link: br0
      addresses:
        - 192.168.30.1/24   # 192.168.300.x is not a valid IPv4 address
```
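The shell helper below, added here as an example and not part of the original guide, writes systemd-networkd drop-in files next to the units Netplan generates, so that VLAN filtering and the VLAN memberships come back after a reboot without a separate boot script. It assumes the `networkd` renderer, Netplan's `10-netplan-<iface>` unit names, and the `[Bridge] VLANFiltering=` and `[BridgeVLAN] VLAN=` settings documented in systemd.netdev(5) and systemd.network(5). Whether the bridge device's own membership (the `self` entries) is honoured through the bridge's `.network` drop-in is an assumption to confirm with `bridge vlan show` after `netplan apply`.

```sh
#!/bin/sh
# Persist VLAN filtering for the Netplan bridge above via networkd drop-ins.
# Added example, not from the original guide. Assumptions: Netplan's networkd
# renderer with its 10-netplan-<iface>.netdev/.network unit names, and the
# [Bridge] VLANFiltering= / [BridgeVLAN] VLAN= settings from systemd.
# Usage: write_networkd_vlan_dropins <root> <bridge> <uplink> <vid>...
#   root is / on a live system; pass a scratch directory to preview.
write_networkd_vlan_dropins() {
    root="$1"; bridge="$2"; uplink="$3"; shift 3
    netdir="$root/etc/systemd/network"

    # 1. Turn VLAN filtering on whenever networkd (re)creates the bridge.
    d="$netdir/10-netplan-$bridge.netdev.d"
    mkdir -p "$d"
    printf '[Bridge]\nVLANFiltering=yes\n' > "$d/vlan-filtering.conf"
    echo "$d/vlan-filtering.conf"

    # 2. Trunk membership for the uplink port and (assumption) for the bridge
    #    device itself, whose "self" membership the br0.N interfaces rely on.
    for iface in "$uplink" "$bridge"; do
        d="$netdir/10-netplan-$iface.network.d"
        mkdir -p "$d"
        {
            echo '[BridgeVLAN]'
            for vid in "$@"; do echo "VLAN=$vid"; done
        } > "$d/bridge-vlans.conf"
        echo "$d/bridge-vlans.conf"
    done
}

# Preview the files in a scratch directory; nothing touches the live system.
preview_dropins() {
    tmp=$(mktemp -d)
    for f in $(write_networkd_vlan_dropins "$tmp" br0 eth0 100 200 300); do
        echo "== ${f#"$tmp"}"
        cat "$f"
    done
    rm -rf "$tmp"
}

preview_dropins
```

Run `write_networkd_vlan_dropins / br0 eth0 100 200 300` as root, then `sudo netplan apply`; Netplan regenerates its own units under /run but leaves drop-ins under /etc alone. Afterwards check `cat /sys/class/net/br0/bridge/vlan_filtering` prints 1 and that `bridge vlan show` lists the expected VLANs on eth0 and on br0 itself; if the br0 entries are missing, add them with `bridge vlan add dev br0 vid N self` from a oneshot service instead.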
Alternative configuration for RHEL-based systems
For AlmaLinux and Rocky Linux, create network scripts in the traditional format under /etc/sysconfig/network-scripts/, one file per device (the ifcfg format is deprecated on current releases in favour of NetworkManager, so check which service manages networking before relying on it). These scripts do not turn on VLAN filtering; apply the `vlan_filtering` and `bridge vlan` settings from the steps above separately once the interfaces are up.
```sh
# /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
STP=on
DELAY=0

# /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
BRIDGE=br0

# /etc/sysconfig/network-scripts/ifcfg-br0.100
DEVICE=br0.100
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.100.1
NETMASK=255.255.255.0
VLAN=yes
```
Apply network configuration
Activate the persistent network configuration you just created.
```sh
sudo netplan apply
```
Create VM tap interfaces for VLAN access
Set up tap interfaces that virtual machines can connect to for accessing specific VLANs. Adding a new PVID does not remove the port's default membership of VLAN 1, so delete it explicitly; otherwise a guest that sends frames tagged with VID 1 can still reach the default VLAN.
```sh
sudo ip tuntap add dev tap-vm1 mode tap
sudo ip link set dev tap-vm1 master br0
sudo bridge vlan del dev tap-vm1 vid 1
sudo bridge vlan add dev tap-vm1 vid 100 pvid untagged
sudo ip link set dev tap-vm1 up
```
Enable IP forwarding for inter-VLAN routing
Allow traffic to flow between different VLAN segments through the bridge host. Once forwarding is on, the host routes between every VLAN it has an address in, so the isolation between segments then depends on your firewall rules; leave this off where the segments are meant to stay separate.
```sh
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
Connect virtual machines to VLAN bridges
Configure QEMU/KVM for bridge networking
Create a network definition for libvirt that hands VM interfaces to your VLAN-aware bridge. It uses libvirt's bridge forward mode, so libvirt only attaches the guest's tap device to br0 and does no NAT or DHCP of its own.
```xml
<!-- /etc/libvirt/qemu/networks/vlan-network.xml -->
<network>
  <name>vlan-network</name>
  <forward mode="bridge"/>
  <bridge name="br0"/>
</network>
```
```sh
sudo virsh net-define /etc/libvirt/qemu/networks/vlan-network.xml
sudo virsh net-start vlan-network
sudo virsh net-autostart vlan-network
```
Attach VM to specific VLAN
Configure a virtual machine to connect to a specific VLAN through the bridge interface. `--network bridge=br0` attaches the guest directly to the bridge (`--network network=vlan-network` would go through the libvirt network defined above with the same result). Either way libvirt creates the guest's port (a `vnet` device, visible with `bridge link show`) with the bridge default of VLAN 1 untagged only, so before the guest can tag its own traffic with VLAN 100 as in the next step, that port has to be added to VLAN 100 with `bridge vlan add`, the same way as the trunk ports in this guide.
```sh
sudo virt-install \
  --name test-vm \
  --memory 1024 \
  --vcpus 1 \
  --disk path=/var/lib/libvirt/images/test-vm.qcow2,size=10 \
  --network bridge=br0,model=virtio \
  --graphics none \
  --console pty,target_type=serial \
  --location http://archive.ubuntu.com/ubuntu/dists/jammy/main/installer-amd64/ \
  --extra-args 'console=ttyS0,115200n8 serial'
```
Configure VM for VLAN tagging
Inside the virtual machine, configure the guest interface to tag its traffic with VLAN 100. This only works if the host-side port for this VM is a member of VLAN 100; an access port that strips and adds the tag itself needs no VLAN configuration in the guest.
```yaml
network:
  version: 2
  ethernets:
    ens3:
      dhcp4: false
  vlans:
    ens3.100:
      id: 100
      link: ens3
      dhcp4: true
```
Advanced VLAN bridge configuration
Set up VLAN access ports
Create access ports that automatically assign VMs to specific VLANs without requiring VLAN configuration inside the VM.
```sh
sudo ip tuntap add dev tap-vlan100 mode tap
sudo ip link set dev tap-vlan100 master br0
sudo bridge vlan del dev tap-vlan100 vid 1
sudo bridge vlan add dev tap-vlan100 vid 100 pvid untagged
sudo ip link set dev tap-vlan100 up
```
Configure VLAN trunk ports
Set up trunk ports that carry multiple VLANs to virtual switches or other network equipment. A trunk port has no PVID for the listed VLANs, so the device behind it must tag every frame; remove the default VLAN 1 membership unless you intend untagged frames on the trunk to end up in VLAN 1.
```sh
sudo ip tuntap add dev tap-trunk mode tap
sudo ip link set dev tap-trunk master br0
sudo bridge vlan del dev tap-trunk vid 1
sudo bridge vlan add dev tap-trunk vid 100
sudo bridge vlan add dev tap-trunk vid 200
sudo bridge vlan add dev tap-trunk vid 300
sudo ip link set dev tap-trunk up
```
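As an added example (not from the original guide), the helpers below wrap the access-port and trunk-port steps above, remove the default VLAN 1 membership in both cases, and can be pointed at the `vnet` port libvirt creates for a VM just as well as at a tap you create yourself. `BRIDGE` and the `DRY_RUN` preview switch are names chosen for this example, not options of any tool.

```sh
#!/bin/sh
# Provision VM ports on a VLAN-filtering bridge. Added example, not part of the
# original guide. Assumptions: the bridge is br0 unless BRIDGE= is set, and
# DRY_RUN=1 prints each command instead of running it (the real commands
# need root).
BRIDGE="${BRIDGE:-br0}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Attach an existing tap/vnet device $1 to the bridge with no VLAN membership
# at all, dropping the default VLAN 1 that every new port starts with.
attach_port() {
    run ip link set dev "$1" master "$BRIDGE"
    run bridge vlan del dev "$1" vid 1
}

# Access port: untagged frames from the VM land in VLAN $2; tagged frames from
# the VM are dropped because the port belongs to no other VLAN.
make_access_port() {
    attach_port "$1"
    run bridge vlan add dev "$1" vid "$2" pvid untagged
    run ip link set dev "$1" up
}

# Trunk port: the VM (or virtual switch behind it) must tag every frame with
# one of the listed VIDs; there is no PVID, so untagged frames are dropped.
make_trunk_port() {
    port="$1"; shift
    attach_port "$port"
    for vid in "$@"; do run bridge vlan add dev "$port" vid "$vid"; done
    run ip link set dev "$port" up
}

# Create the tap device first when it does not exist yet (libvirt creates its
# own vnet devices, so skip this for VMs it manages).
make_tap() { run ip tuntap add dev "$1" mode tap; }

# Preview of the two port types from the guide (prints, does not run):
(DRY_RUN=1; make_tap tap-vlan100; make_access_port tap-vlan100 100;
 make_tap tap-trunk; make_trunk_port tap-trunk 100 200 300)
```

Without `DRY_RUN` the helpers execute the same commands, so `make_access_port vnet0 100` after a VM boots puts that guest on VLAN 100 with no VLAN configuration inside the guest.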
Monitor bridge and VLAN status
Use these commands to monitor your bridge configuration and VLAN assignments.
```sh
sudo bridge link show
sudo bridge vlan show
sudo bridge fdb show
ip link show type bridge
```
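To turn the monitoring commands above into a check, here is an added example (not part of the original guide) that reads the text output of `bridge vlan show` and reports ports that still belong to the default VLAN 1 or have no PVID. The sample output it runs against is constructed for the setup built in this guide, before any VLAN 1 memberships were removed.

```sh
#!/bin/sh
# Audit `bridge vlan show` for ports left on the default VLAN 1 (shared by
# every unconfigured port) or without a PVID (their untagged frames are
# silently dropped). Added example, not from the original guide.
# Usage: bridge vlan show | audit_bridge_vlans br0
# Prints one WARN line per finding and returns 1 if there was any.
audit_bridge_vlans() {
    awk -v self="${1:-br0}" '
        NF == 0 || /^port[ \t]/ { next }       # blank and header lines
        {
            # iproute2 prints the port name only on the first line of each
            # port; continuation lines start with whitespace.
            if ($0 ~ /^[^ \t]/) { port = $1; vid = $2 } else { vid = $1 }
            if (port == self) next              # the bridge device itself
            seen[port] = 1
            if (vid == 1) on_default[port] = 1
            if ($0 ~ /PVID/) has_pvid[port] = 1
        }
        END {
            findings = 0
            for (p in seen) {
                if (p in on_default) {
                    printf "WARN %s: still a member of VLAN 1\n", p
                    findings++
                }
                if (!(p in has_pvid)) {
                    printf "WARN %s: no PVID, untagged frames are dropped\n", p
                    findings++
                }
            }
            exit (findings > 0)
        }'
}

# Constructed sample of `bridge vlan show` output for this guide's bridge,
# before the VLAN 1 memberships of eth0, tap-vm1 and tap-trunk are removed.
sample_bridge_vlan_show() {
    cat <<'EOF'
port              vlan-id  
eth0              1 PVID Egress Untagged
                  100
                  200
                  300
br0               1 PVID Egress Untagged
                  100
                  200
                  300
tap-vm1           1
                  100 PVID Egress Untagged
tap-vlan100       100 PVID Egress Untagged
tap-trunk         1 PVID Egress Untagged
                  100
                  200
                  300
EOF
}

if sample_bridge_vlan_show | audit_bridge_vlans br0; then
    echo "no findings"
fi
```

On the sample, eth0, tap-vm1 and tap-trunk are reported for VLAN 1 while tap-vlan100 passes; run it against the live output after each change, and again after a reboot, to catch memberships that a non-persistent configuration has silently restored.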
Verify your setup
Test your VLAN bridge configuration with these verification commands:
```sh
ip link show br0
bridge vlan show
ip addr show br0.100
ip addr show br0.200
ip addr show br0.300
ping -c 3 192.168.100.1
ping -c 3 192.168.200.1
cat /proc/net/vlan/config
```
Check that virtual machines can communicate within their VLANs:
```sh
sudo tcpdump -i br0 -n vlan
sudo brctl show
cat /sys/class/net/br0/bridge/vlan_filtering
```
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| VMs can't reach network | Bridge not connected to physical interface | Check ip link show and add interface to bridge |
| VLAN tags not working | 8021q module not loaded | Run sudo modprobe 8021q and add to /etc/modules |
| Inter-VLAN routing fails | IP forwarding disabled | Enable with echo 1 > /proc/sys/net/ipv4/ip_forward |
| Bridge shows down status | No active member interfaces | Add physical interface with ip link set eth0 master br0 |
| VLAN filtering not active | Bridge created without VLAN support | Enable with ip link set br0 type bridge vlan_filtering 1 |
| VM network unreachable after reboot | Network configuration not persistent | Configure Netplan or network scripts properly |
Performance tuning
Optimize bridge performance
Adjust bridge parameters for better performance in high-traffic scenarios. The sysfs writes need root, so use `tee` rather than a shell redirection under `sudo`.
```sh
echo 0 | sudo tee /sys/class/net/br0/bridge/multicast_snooping
# Turning STP off contradicts the stp: true in the Netplan example above;
# only do this when no loop can form through the bridge ports.
echo 0 | sudo tee /sys/class/net/br0/bridge/stp_state
sudo ip link set dev br0 txqueuelen 1000
```
Enable hardware VLAN acceleration
Check if your network interface supports VLAN hardware acceleration and enable it.
```sh
ethtool -k eth0 | grep vlan
sudo ethtool -K eth0 rx-vlan-offload on
sudo ethtool -K eth0 tx-vlan-offload on
```
Next steps
- Configure HAProxy with service discovery for load balancing across VLAN segments
- Set up cgroups v2 to manage VM and container resources
- Configure Open vSwitch for more advanced virtual networking features
- Implement Kubernetes network policies for container network segmentation
- Set up site-to-site VPN to connect VLAN networks across locations