Linux enables us to create advanced network setups which provide us with special features like NIC Bonding, VLAN tagging or Bridging allowing us to increase network connectivity efficiency and reliability of Linux based hosts.
Linux Bond is a kernel module which facilitates combining multiple network interfaces (like ens1f0, ens1f1) into aggregated links named Bonds to provide network redundancy, link failover and increased throughput.
VLAN tagging (802.1q) helps us to distinguish particular VLANs from network trunk (VLANs range) coming from the switch. It’s very helpful Linux kernel module, which enables us to connect to the multiple networks, if the server has less NICs than networks.
Linux Bridge behaves like L2 network switch, allowing us to connect multiple interfaces – this is helpful network sharing technique commonly used in Linux Virtualization (like KVM).
Putting all these features together can make Linux based host even more powerful and bulletproof server in the network.
In this article I would like to present how to create a VLAN tagged interface on top of Linux Bond and then a bridge interface based on VLAN tagged interface in CentOS 7.
If all you need is to setup a simple VLAN tagged interface (not a bridge) over a LACP bond, you can check the following post:
Configure VLAN tagged interface over LACP bond on CentOS / RHEL
There are several types of Linux Bond modes, in this article I am using Linux Bonding Mode 4 wich is a LACP (Link Aggregation Control Protocol, 802.3ad) based mode.
The whole interface stack used in this article looks as follows:
bond0 (enp2s0f0 + enp3s0f0) -> bond0.3502@bond0 -> br-mgmt
0. Prerequisites
Stop and disable NetworkManager:
[root@infra1 ~]# systemctl stop NetworkManager
[root@infra1 ~]# systemctl disable NetworkManager
Make sure, that 8021q module (responsible for VLAN tagging) is enabled in the system:
[root@infra1 ~]# lsmod | grep 8021q
8021q 33080 0
garp 14384 1 8021q
mrp 18542 1 8021q
If it’s not enabled, enable it manually:
[root@infra1 ~]# modprobe --first-time 8021q
Install bridge utilities package:
[root@infra1 ~]# yum install bridge-utils
1. Linux Bond (Mode 4 – LACP, 802.3ad) configuration
bond0 is a LACP based bonded interface, including two slave interfaces: enp2s0f0 and enp3s0f0.
Modify corresponding files accordingly:
/etc/sysconfig/network-scripts/ifcfg-bond0 configuration file:
DEVICE=bond0
TYPE=Bond
ONBOOT=yes
BONDING_OPTS="mode=802.3ad miimon=100 lacp_rate=fast"
NM_CONTROLLED=no
MTU="9000"
/etc/sysconfig/network-scripts/ifcfg-enp2s0f0 configuration file:
TYPE=Ethernet
BOOTPROTO=none
DEVICE=enp2s0f0
ONBOOT=yes
NM_CONTROLLED=no
SLAVE=yes
MASTER=bond0
/etc/sysconfig/network-scripts/ifcfg-enp3s0f0 configuration file:
TYPE=Ethernet
BOOTPROTO=none
DEVICE=enp3s0f0
ONBOOT=yes
NM_CONTROLLED=no
SLAVE=yes
MASTER=bond0
2. VLAN tagged interface configuration on top of the bonded interface
Let’s assume we have tagged VLAN 3502 configured (probably in trunk with other VLANs) on switch ports where both LACP slave links are connected, now we can “extract” VLAN 3502 from trunk by means of creating a corresponding VLAN tagged interface on top of the Bond.
/etc/sysconfig/network-scripts/ifcfg-bond0.3502 configuration file:
DEVICE=bond0.3502
ONPARENT=yes
BOOTPROTO=none
VLAN=yes
NM_CONTROLLED=no
BRIDGE=br-mgmt
The VLAN parameter and interface name (including dot) bond0.3502 means that we intend to create VLAN 3502 tagged interface based on bond0 interface.
The ONPARENT parameter to make sure that VLAN interface bond0.3502 does not come up before bond0 interface. VLAN interface inherits MAC address of the parent interface, so it should not be grought up before the parent interface.
The BRIDGE parameter indicates that the VLAN tagged interface will belong to the bridge br-mgmt.
3. Bridge interface configuration based on the VLAN tagged interface
Now create bridge configuration file to let us create the br-mgmt bridge over the VLAN tagged bond0.3502 interface.
A sample /etc/sysconfig/network-scripts/ifcfg-br-mgmt configuration file:
DEVICE=br-mgmt
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
DEFROUTE=no
IPADDR=192.168.1.11
PREFIX=24
DELAY=0
MTU="9000"
NM_CONTROLLED=no
ZONE=trusted
4. Verify network configuration
Now restart the network service:
[root@infra1 ~]# systemctl restart network
Verify, if Bonding (LACP) is configured and operational:
[root@infra1 ~]# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2+3 (2)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
...
..
.
Verify VLAN tagged interface on top of the Bond:
[root@infra1 ~]# ip addr show bond0.3502
10: bond0.3502@bond0: mtu 9000 qdisc noqueue master br-mgmt state UP group default qlen 1000
link/ether 90:e2:ba:0b:cb:f2 brd ff:ff:ff:ff:ff:ff
inet6 fe80::92e2:baff:fe0b:cbf2/64 scope link
valid_lft forever preferred_lft forever
Finally, verify bridge interface created from VLAN tagged interface:
[root@infra1 ~]# ip addr show br-mgmt
11: br-mgmt: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 90:e2:ba:0b:cb:f2 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.11/24 brd 192.168.1.255 scope global br-mgmt
valid_lft forever preferred_lft forever
inet 192.168.1.10/24 scope global secondary br-mgmt
valid_lft forever preferred_lft forever
inet6 fe80::92e2:baff:fe0b:cbf2/64 scope link
valid_lft forever preferred_lft forever