Master Linux Virtual Network Interfaces: Tap, Tun, Veth, Bridge, VLAN, MACVLAN & MACVTAP
This article explains Linux's virtual network devices—including Tap and Tun virtual NICs, Veth-pair links, Bridge bridges, Network namespaces, VLAN sub‑interfaces, MACVLAN and MACVTAP—detailing their architecture, driver components, configuration commands, and practical examples for building isolated or connected virtual networking environments.
Tap (Virtual Ethernet) and Tun (Virtual Tunnel) Devices
Tap and Tun are virtual network interface devices introduced after Linux kernel 2.4, also known as vNICs. They are fully software‑implemented devices that allow user‑space applications to exchange packets with the kernel network stack.
Tap operates at the data‑link layer: it presents an Ethernet device, carries whole Ethernet frames, can be bridged with physical NICs, and therefore takes part in layer‑2 broadcast.
Tun operates at the network layer: it carries IP packets and participates in IP routing but cannot be bridged with physical NICs; it is used to implement point‑to‑point overlay tunnels such as VxLAN or GRE.
Both Tap and Tun are managed by the Linux network device subsystem and require drivers consisting of a character‑device driver and a network‑card driver.
Tap/Tun Character Device Driver
Data transfer between kernel space and user space can be performed via character devices. The character device files are:
Tap: /dev/tap0
Tun: /dev/net/tun
When a user application opens a character device, the driver creates and registers a virtual network interface (named tapX or tunX). Closing the file removes the interface and its associated routing entries. Read and write operations on the file exchange packets directly with the kernel network stack.
Tap/Tun Network‑Card Driver
The virtual NIC appears to the kernel as a regular network card and follows the usual "probe‑register‑call" framework. The main difference from physical NIC drivers is that the virtual driver connects to a user‑space vNIC instead of a physical NIC.
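As an added example (not from the article), the following Python shows how a user‑space program opens /dev/net/tun, registers a tapX or tunX interface with the TUNSETIFF ioctl, and decodes what a read() on the descriptor returns: an Ethernet frame (optionally 802.1Q‑tagged) for Tap, a bare IP packet for Tun. The interface names and the sample frames are constructed; open_vnic() needs CAP_NET_ADMIN, while the decoding runs unprivileged.

```python
"""Open a Tap or Tun device and decode what user space reads from it.
Constants are the values from <linux/if_tun.h>; samples are constructed."""
import fcntl
import os
import struct

TUNSETIFF = 0x400454CA   # ioctl: name the interface and set its flags
IFF_TUN = 0x0001         # layer-3 device: read()/write() carry IP packets
IFF_TAP = 0x0002         # layer-2 device: read()/write() carry Ethernet frames
IFF_NO_PI = 0x1000       # omit the 4-byte packet-info header on each read


def ifreq_for(name: str, mode: str) -> bytes:
    """Build the 40-byte struct ifreq passed to TUNSETIFF (16-byte name + flags)."""
    flags = (IFF_TAP if mode == "tap" else IFF_TUN) | IFF_NO_PI
    return struct.pack("16sH22x", name.encode(), flags)


def open_vnic(name: str, mode: str) -> int:
    """Open /dev/net/tun and register tapX/tunX (requires CAP_NET_ADMIN).
    The kernel removes the interface again when this descriptor is closed."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, ifreq_for(name, mode))
    return fd


# Constructed samples, laid out as read() would return them (not captured traffic).
ARP_FRAME = bytes.fromhex("ffffffffffff 020000000001 0806") + bytes(28)
TAGGED_FRAME = bytes.fromhex("ffffffffffff 020000000001 8100 0064 0800") + bytes(20)
ICMP_PACKET = bytes.fromhex("4500005400000000 4001") + bytes(10)  # IPv4, proto 1


def describe(buf: bytes, mode: str) -> dict:
    """Decode one read(): Ethernet header for tap, IP header for tun (IFF_NO_PI set)."""
    if mode == "tap":
        dst, src, etype = struct.unpack_from("!6s6sH", buf)
        info = {"layer": 2, "dst": dst.hex(":"), "src": src.hex(":")}
        if etype == 0x8100:                      # 802.1Q tag: TCI, then real type
            tci, etype = struct.unpack_from("!HH", buf, 14)
            info["vlan"] = tci & 0x0FFF
        info["ethertype"] = etype
        return info
    version = buf[0] >> 4                        # tun: buffer starts at the IP header
    proto = buf[9] if version == 4 else buf[6]   # IPv4 protocol / IPv6 next header
    return {"layer": 3, "ip_version": version, "proto": proto}
```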
Veth‑pair (Virtual Ethernet Cable)
Veth‑pair creates two linked virtual interfaces (e.g., veth0 and veth1) that act like a virtual Ethernet cable. A packet sent on one end emerges on the other and re‑enters the kernel network stack there, much like the loopback device.
Execute ping 10.1.1.3 -I veth0 to send an ICMP echo request via veth0.
The packet traverses the ARP subsystem, obtains a destination MAC address, and is handed to veth1 through the Veth‑pair link. veth1 reverses the packet direction, re‑injecting it into the network stack.
The stack builds an ICMP echo reply, routes it to the loopback interface, and finally returns the reply to the ping command.
Bridge (Virtual Switch)
A Linux bridge provides layer‑2 frame forwarding and can bind multiple Ethernet devices (physical or virtual). It learns MAC‑to‑port mappings and forwards, drops, or floods frames accordingly.
Determine frame type (broadcast, unicast, etc.).
Lookup MAC‑Port mapping to decide forwarding or dropping.
Perform the actual forwarding.
Update the MAC‑Port learning table.
Unlike a physical switch, a Linux bridge is a virtual network device that can also be assigned an IP address, allowing user‑space applications to send packets to the bridge for layer‑2 switching.
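As an added example (not from the article or the kernel source), this Python models the four‑step forwarding decision above with a MAC‑to‑port learning table. Port names and MAC addresses are constructed; a unicast frame whose destination is already known to sit behind the ingress port is dropped, as a real bridge does.

```python
"""Minimal model of a Linux bridge's per-frame decision: classify, look up,
forward or flood or drop, then learn. Ports and MACs are constructed values."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """Group bit (lowest bit of the first octet) set: multicast or broadcast."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Bridge:
    ports: set
    fdb: dict = field(default_factory=dict)   # MAC -> port: the learning table

    def handle(self, in_port: str, src: str, dst: str) -> dict:
        """Decide what happens to one frame arriving on in_port."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # 1. determine the frame type
        if is_group(dst):
            kind = "broadcast" if dst == BROADCAST else "multicast"
        else:
            kind = "unicast"
        # 2./3. look up the destination and forward, flood or drop
        others = self.ports - {in_port}
        if kind != "unicast":
            action, egress = "flood", others
        elif dst in self.fdb:
            out = self.fdb[dst]
            if out == in_port:                 # destination is behind the ingress port
                action, egress = "drop", set()
            else:
                action, egress = "forward", {out}
        else:                                  # unknown unicast: flood and wait to learn
            action, egress = "flood", others
        # 4. learn: the source MAC is reachable via the ingress port
        if not is_group(src):
            self.fdb[src] = in_port
        return {"kind": kind, "action": action, "egress": egress}
```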
brctl Command Examples
# Create a bridge
brctl addbr br-test
# Add a physical interface to the bridge
brctl addif br-test enp4s0
# Delete a bridge
brctl delbr br-test
# Show bridge information
brctl show
# Enable or disable STP
brctl stp br-test on|off
# Set interface to promiscuous mode
ifconfig eth0 0.0.0.0 promisc
Creating a Bridge
$ brctl addbr br0
$ ip link set br0 up
Connecting Veth‑pair to a Bridge
# Create Veth‑pair
ip link add veth0 type veth peer name veth1
# Assign IP addresses
ip addr add 192.168.3.101/24 dev veth0
ip addr add 192.168.3.102/24 dev veth1
ip link set veth0 up
ip link set veth1 up
# Attach one end to the bridge
brctl addif br0 veth0
After attaching veth0 to br0, veth0 becomes a bidirectional channel to the bridge, while its traffic to the network stack becomes unidirectional (only receiving from the stack).
Assigning an IP Address to the Bridge
# Move IP from veth0 to the bridge
ip addr del 192.168.3.101/24 dev veth0
ip addr add 192.168.3.101/24 dev br0
Adding a Physical NIC to the Bridge
# Attach eth0 to the bridge
brctl addif br0 eth0
# Remove old IP from eth0 and set default route via the bridge
ip addr del 192.168.3.21/24 dev eth0
ip route add default via 192.168.3.1 dev br0
# Enable promiscuous mode on eth0
ifconfig eth0 0.0.0.0 promisc
Network Namespace
A network namespace provides isolation of network resources (interfaces, IP stacks, routing tables, firewall rules, sockets, etc.) at the OS level. Each namespace can have its own set of virtual devices, and devices can be linked across namespaces using Veth‑pair.
VLAN Sub‑Interface
VLAN sub‑interfaces implement 802.1Q tagging, allowing multiple virtual interfaces on a single physical NIC, each with its own VLAN ID. The parent device acts as a trunk, while each child acts as an access port.
MACVLAN Sub‑Interface
MACVLAN creates multiple virtual interfaces on a physical NIC, each with an independent MAC address. It does not provide VLAN‑level broadcast isolation; all MACVLAN interfaces share the same broadcast domain.
$ modprobe macvlan
$ lsmod | grep macvlan
macvlan 24576 0
MACVLAN Modes
Private: Each interface has its own MAC address and cannot communicate directly with sibling interfaces.
Bridge: Provides communication between MACVLAN interfaces on the same parent via an internal bridge, without MAC learning or STP.
VEPA: Traffic from a MACVLAN interface is sent to the external (top‑of‑rack, TOR) switch and returned on the same port, which is useful for monitoring VM traffic.
MACVTAP Sub‑Interface
MACVTAP combines MACVLAN and Tap features, allowing packets received on a MACVTAP interface to be delivered directly to a user‑space application via /dev/tapX, providing a software‑based SR‑IOV‑like capability.