I segmented a shared switching fabric into four 802.1Q VLANs by trust level and carried them over a single tagged trunk. Tag-based isolation kept management, production, IoT, and DMZ traffic on separate broadcast domains across one physical link.

Objective & Context

VLANs partition a switch into isolated Layer 2 domains; 802.1Q tags identify each frame's VLAN across trunk links. This lab maps the same four-zone model used in the Proxmox zero-trust build, enforcing segmentation that complements Layer 3 routing and ACLs.

Environment & Prerequisites

  • A managed switch (or Linux bridge with 8021q) and two hosts.
  • VLAN plan: 10 Mgmt, 20 Prod, 30 IoT, 40 DMZ.
  • iproute2 with the 8021q module loaded.

Step-by-Step Execution

1. Create a tagged VLAN interface on Linux [PRIVILEGED]

ip link add link eth0 name eth0.20 type vlan id 20 && ip addr add 192.168.20.1/24 dev eth0.20

2. Cisco access and trunk ports

switchport mode access ; switchport access vlan 20
switchport mode trunk ; switchport trunk allowed vlan 10,20,30,40

3. Verify VLAN assignment

show vlan brief
VLAN Name      Status    Ports
20   PROD      active    Gi0/2
40   DMZ       active    Gi0/4

Validation & Testing

Place two hosts in different VLANs and confirm they cannot reach each other at Layer 2 without routing. Pass criteria: intra-VLAN traffic succeeds, inter-VLAN traffic requires the router, and trunk carries all tagged VLANs.

Advanced: Troubleshooting
  • No connectivity on a VLAN: confirm the trunk allows that VLAN ID on both ends.
  • Native VLAN mismatch: align native VLAN to avoid tag leakage.
  • Linux tag dropped: ensure the 8021q module is loaded and the NIC passes tagged frames.

Key Results

  • Isolated 4 trust domains over a single physical trunk link.
  • Verified zero inter-VLAN leakage without an explicit routing path.
  • Reduced broadcast scope per segment to a single VLAN.
  • Aligned switching segmentation to the 4-VLAN zero-trust model.