Chapter 10. Configure 802.1Q VLAN tagging
- In the case of VLANs over bonds, it is important that the bond has slaves and that they are “up” before opening the VLAN interface. Adding a VLAN interface to a bond without slaves does not work.
- A VLAN slave cannot be configured on a bond with the fail_over_mac=follow option, because the VLAN virtual device cannot change its MAC address to match the parent's new MAC address. In such a case, traffic would still be sent with the now incorrect source MAC address.
- Sending VLAN tagged packets through a network switch requires the switch to be properly configured. For example, ports on Cisco switches must be assigned to one VLAN or be configured as trunk ports to accept tagged packets from multiple VLANs. Some vendor switches allow untagged frames of the native VLAN to be processed by a trunk port. Some devices allow you to enable or disable the native VLAN; other devices have it disabled by default. This disparity can lead to a native VLAN misconfiguration between two different switches, which poses a security risk. For example: one switch uses native VLAN 1 while the other uses native VLAN 10. If the frames are allowed to pass without the tag being inserted, an attacker is able to jump VLANs. This common network penetration technique is also known as VLAN hopping. To minimize security risks, configure your interface as follows:
  - Unless you need them, disable trunk ports.
  - If you need trunk ports, disable the native VLAN, so that untagged frames are not allowed.
  - On a Red Hat Enterprise Linux server, use the nftables or ebtables utilities to drop untagged frames in ingress filtering.
- Some older network interface cards, loopback interfaces, WiMAX cards, and some InfiniBand devices are said to be VLAN challenged, meaning they cannot support VLANs. This is usually because the devices cannot cope with VLAN headers and the larger MTU size associated with tagged packets.
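As an added example (not from the RHEL guide) covering both the bond requirements above and the "drop untagged frames" mitigation: a POSIX shell pre-flight check that reads the bonding sysfs files before a VLAN is created on a bond, and a generator for an nftables netdev ingress ruleset that lets only 802.1Q tagged frames reach the interface. The sysfs root argument, the function names and the table name are assumptions of this example; it assumes an nftables with netdev family support, and the ruleset is meant only for the interface that carries the VLANs.

```shell
#!/bin/sh
# Added example, not RHEL's own code. SYSFS_ROOT is a hypothetical
# parameter so the checks can run against a constructed tree; on a
# real host it is /sys.

# vlan_bond_preflight BOND [SYSFS_ROOT]
# Returns 0 if the bond may carry a VLAN, otherwise a distinct code:
#   1 - bond has no slaves          2 - a slave is not "up"
#   3 - bond uses fail_over_mac=follow (VLAN cannot track the MAC change)
vlan_bond_preflight() {
    bond=$1
    root=${2:-/sys}
    bdir="$root/class/net/$bond/bonding"
    slaves=$(cat "$bdir/slaves" 2>/dev/null || true)
    [ -n "$slaves" ] || return 1
    for s in $slaves; do
        state=$(cat "$root/class/net/$s/operstate" 2>/dev/null || true)
        [ "$state" = "up" ] || return 2
    done
    # the sysfs file reads e.g. "follow 2", "active 1" or "none 0"
    case "$(cat "$bdir/fail_over_mac" 2>/dev/null)" in
        follow*) return 3 ;;
    esac
    return 0
}

# untagged_drop_ruleset IFACE
# Prints an nftables ruleset (netdev family, ingress hook) that accepts
# 802.1Q tagged frames and counts and drops everything else on IFACE.
# Load it with:  untagged_drop_ruleset bond0 | nft -f -
untagged_drop_ruleset() {
    cat <<EOF
table netdev vlan_only_$1 {
    chain ingress {
        type filter hook ingress device $1 priority 0; policy accept;
        ether type vlan accept
        counter drop comment "untagged frame on $1"
    }
}
EOF
}
```

The counter shows what the rule is dropping; check it with `nft list ruleset` after loading, since any untagged traffic the host itself still relies on would be counted there too.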
10.1. Selecting VLAN Interface Configuration Methods
- To configure a VLAN interface using NetworkManager's text user interface tool, nmtui, proceed to Section 10.2, “Configure 802.1Q VLAN tagging Using the Text User Interface, nmtui”.
- To configure a VLAN interface using NetworkManager's command-line tool, nmcli, proceed to Section 10.3, “Configure 802.1Q VLAN Tagging Using the Command Line Tool, nmcli”.
- To configure a network interface manually, see Section 10.4, “Configure 802.1Q VLAN Tagging Using the Command Line”.
- To configure a network using graphical user interface tools, proceed to Section 10.5, “Configure 802.1Q VLAN Tagging Using a GUI”.