# 802.1Q VLAN on Linux

Configure 802.1Q VLAN sub-interfaces on a HolyCloud dedicated server to isolate public, storage, or management traffic.

The IEEE 802.1Q standard encapsulates Ethernet traffic in tagged VLANs. On a HolyCloud dedicated server with a trunk port, you can separate management, production, and storage traffic without multiple NICs.

## Prerequisites

- VLANs provisioned on the switch/datacenter side (IDs confirmed by HolyCloud)
- Physical interface connected in trunk mode (not access-only)
- Root access, and a backup of the network configuration before changes
- SSH cutover risk: keep IPMI/KVM available

## Concepts

```
[Switch] -- trunk (VLAN 100, 200) --> [eth0]
                                        ├── eth0.100 (public)
                                        └── eth0.200 (iSCSI storage)
```

The VLAN tag is added by the `8021q` module.

## Load the module

```bash
sudo modprobe 8021q
echo 8021q | sudo tee /etc/modules-load.d/vlan.conf
```

## Manual creation (test)

```bash
ip link show eth0
sudo ip link add link eth0 name eth0.100 type vlan id 100
sudo ip addr add 10.10.100.2/24 dev eth0.100
sudo ip link set eth0.100 up
ping -c 2 10.10.100.1
```

Removal:

```bash
sudo ip link del eth0.100
```

## Persistence: iproute2 (interfaces)

Debian `/etc/network/interfaces`:

```
auto eth0
iface eth0 inet manual

auto eth0.100
iface eth0.100 inet static
    address 203.0.113.50
    netmask 255.255.255.248
    gateway 203.0.113.49
    vlan-raw-device eth0

auto eth0.200
iface eth0.200 inet static
    address 192.168.200.10
    netmask 255.255.255.0
    vlan-raw-device eth0
```

```bash
sudo ifreload -a
```

## Netplan

```yaml
# eth0 must also be defined under "ethernets:" (in this file or another netplan file)
network:
  version: 2
  vlans:
    eth0.100:
      id: 100
      link: eth0
      addresses: [203.0.113.50/29]
      routes:
        - to: default
          via: 203.0.113.49
    eth0.200:
      id: 200
      link: eth0
      addresses: [192.168.200.10/24]
```

```bash
sudo netplan apply
```

## systemd-networkd

`/etc/systemd/network/10-eth0.network`:

```ini
[Match]
Name=eth0

[Network]
VLAN=eth0.100
VLAN=eth0.200
```

`/etc/systemd/network/10-eth0.100.netdev`:

```ini
[NetDev]
Name=eth0.100
Kind=vlan

[VLAN]
Id=100
```

Each VLAN interface also needs an associated `.network` file that sets `Address=`.
## MTU and performance

Trunk + VLAN overhead: the public VLAN often stays at MTU 1500; storage may need jumbo frames (9000) if they are supported end-to-end.

```bash
sudo ip link set eth0.200 mtu 9000
```

Validate with HolyCloud before enabling jumbo frames on a shared link.

## Firewall per VLAN

```bash
sudo nft add table inet filter
sudo nft add chain inet filter forward { type filter hook forward priority 0 \; }
# isolate: no forward between eth0.100 and eth0.200 except explicit rules
```

Or `ufw` on named interfaces:

```bash
sudo ufw allow in on eth0.100 to any port 443
sudo ufw deny in on eth0.200 from any to any
```

## Verification

```bash
ip -d link show type vlan
sudo cat /proc/net/vlan/eth0.100
sudo tcpdump -i eth0 -e vlan
```

## Common errors

| Error | Cause |
|--------|-------|
| No DHCP/routing | Wrong VLAN ID or access port |
| Double tag | Native VLAN misconfigured on switch |
| Unstable iSCSI | MTU mismatch, SAN filtering |

## Migration without outage

1. Create the VLAN interface with a secondary test IP.
2. Validate connectivity from the management switch.
3. Move services to the target VLAN.
4. Remove the old IP on the untagged interface if it is no longer needed.

## Need help?

Ask HolyCloud support for allowed VLAN IDs, port mode (trunk/access), and associated IP ranges before production configuration.
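The Verification checks, automated as an added example (not HolyCloud's code): it compares `ip -j -d link show` output with the intended layout and flags a wrong VLAN tag or a trunk MTU too small for the storage VLAN. `PLAN`, `SAMPLE` and `audit` are names chosen here, and the sample JSON is constructed, with `eth0.200` deliberately given the wrong tag.

```python
import json

# Intended layout, taken from the article's examples (eth0 trunk, VLAN 100/200).
PLAN = {
    "eth0.100": {"id": 100, "parent": "eth0", "mtu": 1500},
    "eth0.200": {"id": 200, "parent": "eth0", "mtu": 9000},
}

# Constructed sample of `ip -j -d link show` output, trimmed to the fields used.
# eth0.200 was created with the wrong tag and the trunk still has MTU 1500.
SAMPLE = json.dumps([
    {"ifname": "eth0", "mtu": 1500, "operstate": "UP"},
    {"ifname": "eth0.100", "link": "eth0", "mtu": 1500, "operstate": "UP",
     "linkinfo": {"info_kind": "vlan",
                  "info_data": {"protocol": "802.1Q", "id": 100}}},
    {"ifname": "eth0.200", "link": "eth0", "mtu": 1500, "operstate": "UP",
     "linkinfo": {"info_kind": "vlan",
                  "info_data": {"protocol": "802.1Q", "id": 20}}},
])


def audit(ip_json, plan):
    """Return a list of findings; an empty list means the host matches the plan."""
    links = {l["ifname"]: l for l in json.loads(ip_json)}
    findings = []
    for name, want in plan.items():
        link = links.get(name)
        if link is None:
            findings.append(f"{name}: interface missing")
            continue
        info = link.get("linkinfo", {})
        data = info.get("info_data", {})
        if info.get("info_kind") != "vlan" or data.get("protocol") != "802.1Q":
            findings.append(f"{name}: not an 802.1Q VLAN device")
            continue
        if data.get("id") != want["id"]:
            findings.append(f"{name}: tag {data.get('id')}, expected {want['id']}")
        if link.get("link") != want["parent"]:
            findings.append(f"{name}: parent {link.get('link')}, expected {want['parent']}")
        parent_mtu = links.get(want["parent"], {}).get("mtu", 0)
        if parent_mtu < want["mtu"]:
            # A VLAN sub-interface cannot exceed its parent's MTU: raise the trunk first.
            findings.append(f"{want['parent']}: mtu {parent_mtu} too small for {name} ({want['mtu']})")
        elif link.get("mtu") != want["mtu"]:
            findings.append(f"{name}: mtu {link.get('mtu')}, expected {want['mtu']}")
        if link.get("operstate") != "UP":
            findings.append(f"{name}: operstate {link.get('operstate')}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, PLAN)))
```

On a server, pass the real output of `ip -j -d link show` to `audit` instead of `SAMPLE`.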