The Virtual Wire: VLANs and Bonding

Master the architecture of high-availability networking. Learn to use 'Bonding' to combine multiple network cards into a single, faster, and redundant link. Explore 'VLANs' to separate your traffic without adding more physical wires.

VLANs and Bonding: Redundancy and Segmentation

In a production data center, a single cable unplugged should never take down a server. Similarly, you shouldn't have to buy a new physical network card every time you want to create a new private network.

Linux handles these challenges with two features:

  1. Bonding (Aggregation): Glues two or more network cards together so they look like one. If one cable breaks, the server keeps running.
  2. VLANs (Virtual LANs): Allows a single network card to participate in 10 or 20 different "Private Networks" at once by using digital "Tags" (802.1Q).

In this lesson, we will learn how to configure these "Enterprise-Grade" network features.


1. Network Bonding: One for All

Bonding (also called "Teaming" or "Etherchannel") combines eth0 and eth1 into a new virtual interface: bond0.

The Most Common Modes:

  • Mode 1 (Active-Backup): One card works, the other sleeps. If Card A fails, Card B wakes up in milliseconds. Perfect for reliability.
  • Mode 4 (LACP): Combines the speed of both cards (e.g., 10Gb + 10Gb = 20Gb). Requires a specialized network switch.

Configuration with nmcli:

# 1. Create the master bond interface
sudo nmcli con add type bond con-name bond0 ifname bond0 mode active-backup

# 2. Add the physical cards as "slaves" to the master
sudo nmcli con add type ethernet con-name bond0-port1 ifname eth0 master bond0
sudo nmcli con add type ethernet con-name bond0-port2 ifname eth1 master bond0

# 3. Bring it all up
sudo nmcli con up bond0

2. VLANs: Separation without Wires

A VLAN allows you to segment your network. For example:

  • VLAN 10: Admin and Management.
  • VLAN 20: Public Web Traffic.
  • VLAN 100: Private Database Traffic.

Even though you have one cable, the data for each VLAN is kept strictly separate by the Kernel.

Configuration (The Tagging Concept):

The new interface will be named physical_name.VLAN_ID (e.g., eth0.10).

# Add a VLAN 10 interface to eth0
sudo ip link add link eth0 name eth0.10 type vlan id 10
sudo ip addr add 10.10.10.5/24 dev eth0.10
sudo ip link set eth0.10 up

3. The Combined Architecture

In high-end servers, we often combine the two: we bond two 10Gb cards together for redundancy (bond0), and then create VLANs on top of the bond (bond0.10).

graph TD
    Switch[Network Switch] -- Cable 1 --> Nic1[eth0]
    Switch -- Cable 2 --> Nic2[eth1]
    Nic1 --> Bond[bond0 - Redundancy]
    Nic2 --> Bond
    Bond --> V1[bond0.10 - Private]
    Bond --> V2[bond0.20 - Public]

4. Practical: The "Heartbeat" Check

If a bond fails, the system logs usually show which specific port went down.

# See the real-time status of your bond (Which card is currently active?)
cat /proc/net/bonding/bond0

5. Identifying VLAN Leaks

A "Misconfigured Trunk" at the switch level can sometimes send the wrong VLAN traffic to your server.

# See if your card is receiving any tagged traffic
# -e prints the link-level header so each frame's VLAN ID is shown; -nn skips name lookups
sudo tcpdump -e -nn -i eth0 vlan
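
The same check can be automated. The following is an added example, not part of the original lesson: it reads the 802.1Q tag out of raw Ethernet frames and counts frames whose VLAN ID is outside an allowlist. The allowlist (the lesson's example VLANs 10, 20 and 100), the function names and the sample frames are assumptions constructed for illustration; it also goes slightly beyond the text by handling stacked tags and priority-only tags.

```python
import struct

TPIDS = {0x8100, 0x88A8}        # 802.1Q and 802.1ad (stacked) tag protocol IDs
EXPECTED_VLANS = {10, 20, 100}  # assumption: the example VLANs from this lesson

def vlan_ids(frame):
    """Return the VLAN IDs tagged on an Ethernet frame, outermost tag first."""
    ids, offset = [], 12                    # tags start after the two 6-byte MACs
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in TPIDS:
            break                           # reached the real EtherType
        ids.append(tci & 0x0FFF)            # low 12 bits of the TCI hold the VLAN ID
        offset += 4
    return ids

def find_leaks(frames, expected=EXPECTED_VLANS):
    """Count frames per VLAN ID that this host is not supposed to receive."""
    leaks = {}
    for frame in frames:
        for vid in vlan_ids(frame):
            if vid != 0 and vid not in expected:   # VID 0 is a priority tag, not a VLAN
                leaks[vid] = leaks.get(vid, 0) + 1
    return leaks

def make_frame(*tcis):
    """Build a constructed test frame: broadcast dst, fake src, tags, IPv4 EtherType."""
    tags = b"".join(struct.pack("!HH", 0x8100, tci) for tci in tcis)
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tags + b"\x08\x00" + bytes(46)

# Constructed sample traffic, not a real capture.
SAMPLE_FRAMES = [
    make_frame(10),
    make_frame(20),
    make_frame((5 << 13) | 100),   # VLAN 100 with priority bits set
    make_frame(30),                # VLAN 30 is not configured on this host
    make_frame(),                  # untagged
    make_frame(30),
    make_frame(0),                 # priority-tagged only
]

if __name__ == "__main__":
    for vid, count in sorted(find_leaks(SAMPLE_FRAMES).items()):
        print(f"unexpected VLAN {vid}: {count} frame(s)")
```

Any VLAN ID it reports is one the switch trunk is delivering but the server has no interface for, which is the misconfiguration described above.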

6. Example: A Bonding Stress-Tester (Python)

How do you know if your failover actually works? You need to simulate a failure and measure the "Blackout Time." Here is a Python script that pings through a bond while you "unplug" a card in software.

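import subprocess
import time

def test_bond_failover(interface_to_cut, target_ip="8.8.8.8"):
    """
    Simulates a network card failure to test bonding resilience.
    Pings target_ip in a loop while you take interface_to_cut down by hand,
    and reports how long replies stopped (the "Blackout Time").
    """
    print(f"Starting Failover Test on {interface_to_cut}...")
    print("Press Ctrl+C to stop simulation.")

    outage_start = None    # send time of the first lost ping in the current outage
    longest_blackout = 0.0

    try:
        # Ping continuously, one packet at a time
        while True:
            sent = time.monotonic()
            # -c 1: one packet, -W 1: 1 second timeout
            res = subprocess.run(["ping", "-c", "1", "-W", "1", target_ip],
                                 stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

            if res.returncode == 0:
                print(".", end="", flush=True)
                if outage_start is not None:
                    # First reply after an outage: report the blackout.
                    # Resolution is about one second because of the -W 1 timeout.
                    blackout = sent - outage_start
                    longest_blackout = max(longest_blackout, blackout)
                    print(f"\nBlackout Time: ~{blackout:.1f}s")
                    outage_start = None
            else:
                print("!", end="", flush=True)
                if outage_start is None:
                    outage_start = sent

            time.sleep(0.1)

    except KeyboardInterrupt:
        print(f"\nTest Complete. Longest blackout: ~{longest_blackout:.1f}s")

if __name__ == "__main__":
    # INSTRUCTIONS:
    # 1. Run this script
    # 2. In another terminal, run: sudo ip link set eth1 down
    # 3. Watch for the '!' or see if '.' continues without interruption
    test_bond_failover("eth1")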

7. Professional Tip: Check 'LACP' Status

If you are using Mode 4 (LACP), the server and the switch must "Negotiate" the connection. If the switch says "No," the link will be much slower or fail. Always check the LACP Partner State in /proc/net/bonding/bond0.
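
Reading /proc/net/bonding/bond0 by eye (sections 4 and 7) does not scale to a fleet, so here is an added example, not part of the original lesson, that parses the file and flags ports that are down or whose LACP partner never reached the synchronized state. The sample text is constructed and trimmed to the fields used; the function names are assumptions. The partner detail lines may be absent when the file is read without sufficient privileges, in which case the LACP check is skipped.

```python
SYNC = 0x08  # Synchronization bit of the LACP port state (IEEE 802.3ad)

# Constructed, trimmed sample in the layout of /proc/net/bonding/bond0 (mode 4).
SAMPLE = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
details partner lacp pdu:
    system mac address: 02:00:00:aa:bb:01
    port state: 61

Slave Interface: eth1
MII Status: up
Link Failure Count: 2
details partner lacp pdu:
    system mac address: 00:00:00:00:00:00
    port state: 1
"""

def parse_bond(text):
    """Parse the key/value layout into bond-level keys plus {'slaves': {name: {...}}}."""
    bond = {"slaves": {}}
    current, section = bond, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue                      # blank lines and bare titles such as "802.3ad info"
        if key == "Slave Interface":
            current, section = bond["slaves"].setdefault(value, {}), None
        elif not value:
            section = key                 # header such as "details partner lacp pdu:"
        elif raw[:1].isspace() and section:
            current[f"{section}/{key}"] = value
        else:
            current[key] = value
    return bond

def bond_problems(text):
    """Return findings for ports that are down or not in LACP sync with the switch."""
    bond, found = parse_bond(text), []
    lacp = "802.3ad" in bond.get("Bonding Mode", "")
    for name, port in bond["slaves"].items():
        if port.get("MII Status") != "up":
            found.append(f"{name}: MII status {port.get('MII Status')}")
        state = port.get("details partner lacp pdu/port state")
        mac = port.get("details partner lacp pdu/system mac address")
        if lacp and state is not None and not int(state) & SYNC:
            found.append(f"{name}: LACP partner not in sync (state {state}, partner {mac})")
    return found
```

On a live host, pass it the contents of /proc/net/bonding/bond0 instead of SAMPLE; an all-zero partner MAC, as on eth1 here, means the switch port never answered the negotiation.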


8. Summary

Bonding and VLANs are the tools of the infrastructure architect.

  • Bonding Mode 1 is for high-availability.
  • Bonding Mode 4 (LACP) is for high-speed.
  • VLANs use 802.1Q tags to run multiple networks over one wire.
  • /proc/net/bonding/ is the diagnostic center for bonded links.
  • nmcli or Netplan are the best ways to configure these permanently.

In the next lesson, we will learn how to secure the gateway to these networks: VPNs and Secure Tunnels (WireGuard and OpenVPN).

Quiz Questions

  1. Why would a sysadmin choose "Active-Backup" (Mode 1) over "LACP" (Mode 4)?
  2. What does the "dot" syntax (e.g., eth0.50) represent in Linux networking?
  3. How can you verify which physical link is currently carrying the traffic in a bonded pair?

Continue to Lesson 5: VPNs and Secure Tunnels—WireGuard and OpenVPN.
