How Linux implements VLANs

The LAN represents the local area network, which is usually used by the Hub and Switch to connect to the computer on the LAN.
In general, when two computers are connected to the same Hub or Switch, they are on the same LAN.

A LAN represents a broadcast domain. This means that all members of the LAN receive a broadcast packet from any one member.

VLANs represent Virtual LANs. A switch with VLAN capability can divide its own port into multiple LANs.
The broadcast packets sent by the computer can be received by other computers on the same LAN, but computers on other LANs will not be able to receive them. Simply put, the VLAN divides a switch into multiple switches, limits the broadcast scope, and isolates the computer to different VLANs at layer two.

For example, there are two sets of machines, group A and B.
We want to configure the machines in group A to access each other, and the machines in Group B can also access each other, but the machines in A and B cannot access each other.
One way is to use two switches, a and B are connected to a switch. Another approach is to use a VLAN-capable switch that places a and B machines in separate VLANs.

Note that the isolation of VLANs is isolated on layer two, and A and B cannot access each other by means of a two-layer broadcast packet (such as ARP) that does not span the boundaries of the VLAN.
But on the three layer (such as IP) can be through the router to let a and B interoperability. The concept must distinguish.

Today's switches are almost always VLAN-supported. There are usually two configuration modes for the port of the switch: Access and Trunk. See

Access Port
These ports are tagged with a VLAN that indicates which VLAN the port belongs to. Different VLANs are distinguished by VLAN IDs, and the range of VLAN IDs is 1-4096. Access ports are directly connected to the computer's network card, so that packets coming out of the NIC flow into the access port and are tagged with the VLAN on which they reside. An Access port can belong to only one VLAN.

Trunk Port
Suppose there are two switches a and B. A has VLAN1 (red), VLAN2 (yellow), VLAN3 (blue), B also has VLAN1, 2, 3 that how to let AB on the same VLAN between the communication?

The solution is to connect A and B together, and the ports of A and B are allowed to pass data for VLAN1, 2, 33 VLANs.
Such a port is the trunk mouth. VLAN1, 2, and 3 packets always carry their own VLAN tags as they reach the opposite switch through the Trunk port.

After understanding the concept of VLANs, let's look at how VLANs are implemented in a KVM virtualization environment. Or look at the picture first,

The eth0 is the physical network card on the host and has a sub-device named eth0.10 connected to it. eth0.10 is a VLAN device, and its VLAN ID is VLAN 10. Eth0.10 hangs on the Linux Bridge named Brvlan10, VM VM1 virtual network card vent0 also hangs on the brvlan10.

The effect of this configuration is that the host uses the software to implement a switch (which is, of course, virtual), which defines a VLAN10. Eth0.10,brvlan10 and Vnet0 are respectively connected to the VLAN10 access port. And Eth0 is a Trunk mouth.
VM1 packets sent through Vnet0 will be labeled VLAN10.

The role of eth0.10 is to define the role of VLAN10BRVLAN10: Other network devices on Bridge are automatically added to the VLAN10

Let's add one more VLAN20, see

So the virtual switch has two VLANs, VM1 and VM2 belong to VLAN10 and VLAN20 respectively. For a newly created virtual machine, you can control the VLAN to which it belongs by simply placing its virtual NIC in the appropriate Bridge.

VLAN devices are always in the parent-child relationship, and the parent-child device is a one-to-many relationship. A parent device (eth0) can have multiple sub-devices (eth0.10,eth0.20 ...). ), and a child device has only one parent device.

In the next section we will practice the VLAN through experiments.

How Linux implements VLANs