Chapter 7. Configure 802.1Q VLAN tagging

To create a VLAN, an interface is created on top of another interface referred to as the parent interface. The VLAN interface will tag packets with the VLAN ID as they pass through the interface, and returning packets will be untagged. VLAN interface can be configured similarly to any other interface. The parent interface does not need to be an Ethernet interface. An 802.1Q VLAN tagging interface can be created on top of bridge, bond, and team interfaces, however there are some things to note:
  • In the case of VLANs over bonds, it is important that the bond has slaves and that they are up before opening the VLAN interface. Adding a VLAN interface to a bond without slaves does not work.
  • A VLAN slave cannot be configured on a bond with the fail_over_mac=follow option, because the VLAN virtual device cannot change its MAC address to match the parent's new MAC address. In such a case, traffic would still be sent with the now incorrect source MAC address.
  • Sending VLAN tagged packets through a network switch requires the switch to be properly configured. For example, ports on Cisco switches must be assigned to one VLAN or be configured as trunk ports to accept tagged packets from multiple VLANs. Some vendor switches allow untagged frames of the native VLAN to be processed by a trunk port. Some devices allow you to enable or disable the native VLAN, other devices have it disabled by default. Consequence of this disparity may result in native VLAN misconfiguration between two different switches, posing a security risk. For example:
    One switch uses native VLAN 1 while the other uses native VLAN 10. If the frames are allowed to pass without the tag being inserted, an attacker is able to jump VLANs - this common network penetration technique is also known as VLAN hopping.
    To minimize security risks, configure your interface as follows:
    • Unless you need them, disable trunk ports.
    • If you need trunk ports, disable native VLAN, so that untagged frames are not allowed.
    Red Hat Enterprise Linux server
    • Use the nftables or ebtables utilities to drop untagged frames in ingress filtering.
  • Some older network interface cards, loopback interfaces, Wimax cards, and some InfiniBand devices, are said to be VLAN challenged, meaning they cannot support VLANs. This is usually because the devices cannot cope with VLAN headers and the larger MTU size associated with tagged packets.


Bonding on top of VLAN is not supported by Red Hat. See the Red Hat Knowledgebase article Whether configuring bond on top of VLAN as slave interfaces is a valid configuration? for more information.

7.1. Selecting VLAN Interface Configuration Methods