VLAN Configuration with 802.1Q Trunking and Tagging
I segmented a shared switching fabric into four 802.1Q VLANs by trust level and carried them over a single tagged trunk. Tag-based isolation kept management, production, IoT, and DMZ traffic on separate broadcast domains across one physical link.
Objective & Context
VLANs partition a switch into isolated Layer 2 domains; 802.1Q tags identify each frame's VLAN across trunk links. This lab maps the same four-zone model used in the Proxmox zero-trust build, enforcing segmentation that complements Layer 3 routing and ACLs.
Environment & Prerequisites
- A managed switch (or Linux bridge with 8021q) and two hosts.
- VLAN plan: 10 Mgmt, 20 Prod, 30 IoT, 40 DMZ.
- iproute2 with the 8021q module loaded.
flowchart LR
H1[Host A] --> SW[Switch]
SW -->|802.1Q trunk
tags 10,20,30,40| RTR[Router on a stick] SW --> H2[Host B]
tags 10,20,30,40| RTR[Router on a stick] SW --> H2[Host B]
Step-by-Step Execution
1. Create a tagged VLAN interface on Linux [PRIVILEGED]
ip link add link eth0 name eth0.20 type vlan id 20 && ip addr add 192.168.20.1/24 dev eth0.202. Cisco access and trunk ports
switchport mode access ; switchport access vlan 20switchport mode trunk ; switchport trunk allowed vlan 10,20,30,403. Verify VLAN assignment
show vlan briefVLAN Name Status Ports
20 PROD active Gi0/2
40 DMZ active Gi0/4
Validation & Testing
Place two hosts in different VLANs and confirm they cannot reach each other at Layer 2 without routing. Pass criteria: intra-VLAN traffic succeeds, inter-VLAN traffic requires the router, and trunk carries all tagged VLANs.
Advanced: Troubleshooting
- No connectivity on a VLAN: confirm the trunk allows that VLAN ID on both ends.
- Native VLAN mismatch: align native VLAN to avoid tag leakage.
- Linux tag dropped: ensure the 8021q module is loaded and the NIC passes tagged frames.
Key Results
- Isolated 4 trust domains over a single physical trunk link.
- Verified zero inter-VLAN leakage without an explicit routing path.
- Reduced broadcast scope per segment to a single VLAN.
- Aligned switching segmentation to the 4-VLAN zero-trust model.