Unlock Linux’s Virtual Network Devices: Bridges, VLANs, TAP & VETH Explained
This article explains the principles, usage, and data flow of Linux’s abstract network devices—including bridges, 802.1q VLANs, TAP, and VETH—showing how to configure them, analyze traffic, and troubleshoot common issues within virtualized environments.
Principles and Usage of Abstract Network Devices
Network virtualization is a key part of cloud environments. This article details the principles, usage, and data flow of various Linux abstract network devices, enabling readers to configure Linux network devices for specific purposes and diagnose potential network faults.
Introduction to Linux Abstract Network Devices
Similar to disk devices, Linux users do not operate the networking hardware directly; instead they interact with abstract network devices such as eth0. Each hardware or virtual NIC is represented by a device instance. The advanced virtual network devices—Bridge, 802.1q VLAN, VETH, and TAP—are introduced and explained below.
Working Principles of Related Network Devices
Bridge
A Bridge operates at Layer 2, similar to a physical switch. Other devices can be attached to it, and it broadcasts, forwards, or drops frames based on MAC address information.
When a device is attached, the kernel registers a receive handler via netdev_rx_handler_register(). Incoming frames trigger br_handle_frame(), which decides broadcast or unicast handling, updates the MAC table, and may learn new MAC addresses.
Bridge can also have an IP address; the IP is associated with a hidden virtual NIC that the kernel treats as a regular network device, allowing routing and IP‑based communication.
Note that attaching a device to a bridge disables the device’s original IP for Layer 3 reception; the IP should be moved to the bridge.
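The learn-then-forward decision described above, as an added model in C (not kernel code): ports are small integers standing for the attached devices, the forwarding table learns each source MAC on its ingress port, and a frame is unicast to a known port, flooded when the destination is unknown or multicast, or dropped when the destination sits on the port it came from. PORT_FLOOD and PORT_DROP are constructed return codes.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (added example, not kernel code) of the decision
 * br_handle_frame() makes: learn the source MAC on the ingress port,
 * then deliver by unicast, flood, or drop. Ports are small integers. */
#define FDB_SIZE   64
#define PORT_NONE  (-1)
#define PORT_FLOOD (-2)   /* deliver to every port except the ingress port */
#define PORT_DROP  (-3)   /* destination lives on the ingress port: drop */

struct fdb_entry { uint8_t mac[6]; int port; int used; };
struct bridge { struct fdb_entry fdb[FDB_SIZE]; };

void bridge_init(struct bridge *br) { memset(br, 0, sizeof *br); }

static int fdb_lookup(const struct bridge *br, const uint8_t *mac) {
    for (int i = 0; i < FDB_SIZE; i++)
        if (br->fdb[i].used && memcmp(br->fdb[i].mac, mac, 6) == 0)
            return br->fdb[i].port;
    return PORT_NONE;
}

/* Learn (or refresh) the port a source MAC was last seen on. */
static void fdb_learn(struct bridge *br, const uint8_t *mac, int port) {
    int free_slot = -1;
    for (int i = 0; i < FDB_SIZE; i++) {
        if (br->fdb[i].used && memcmp(br->fdb[i].mac, mac, 6) == 0) {
            br->fdb[i].port = port;        /* station moved: update the entry */
            return;
        }
        if (!br->fdb[i].used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return;             /* table full (the kernel ages entries out) */
    memcpy(br->fdb[free_slot].mac, mac, 6);
    br->fdb[free_slot].port = port;
    br->fdb[free_slot].used = 1;
}

/* Forwarding decision for a frame arriving on in_port whose 14-byte
 * Ethernet header is h (dst at 0, src at 6, EtherType at 12). */
int bridge_handle_frame(struct bridge *br, int in_port, const uint8_t *h) {
    const uint8_t *dst = h, *src = h + 6;
    if (!(src[0] & 1)) fdb_learn(br, src, in_port);  /* never learn a multicast source */
    if (dst[0] & 1) return PORT_FLOOD;               /* broadcast or multicast */
    int out = fdb_lookup(br, dst);
    if (out == PORT_NONE) return PORT_FLOOD;         /* unknown unicast: flood */
    return out == in_port ? PORT_DROP : out;
}
```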
VLAN device for 802.1q
VLAN (Virtual LAN) implements the 802.1q tag in Layer 2 frames. Linux creates a parent‑child relationship: the parent acts like a trunk, and each child represents a VLAN interface (e.g., eth0.100).
Outgoing frames from a child device are tagged and sent via the parent; incoming frames are examined for a matching VLAN tag and delivered to the appropriate child, or dropped if no match exists. All VLAN interfaces share the same MAC address, and isolation is provided without switching functionality. Combining a Bridge with VLAN devices can emulate a full‑featured 802.1q switch.
TAP and VETH Devices
TAP (the Layer 2 variant of a TUN/TAP device) lets a user-space program inject or receive Ethernet frames through a character device. VETH creates a pair of linked interfaces: a frame transmitted on one end is delivered as received on the other, so the direction of travel is reversed at the pair.
When a TAP device is created, a program can read() frames the kernel transmits on the device and write() frames that the kernel then treats as received on it, which makes the program behave like the far side of a network card. VETH pairs are used to connect virtual devices together, with the kernel forwarding packets between the two ends of the pair.
Network Configuration Examples
A sample topology includes a central bridge bridge0 with two VETH pairs, one TAP device tap0, and a physical NIC eth0. Two VLAN sub-devices (vlan100 and vlan200) are attached to the VETH ends, and eth0 also has a VLAN 200 child.
ARP from vlan100 child device
The ARP request is generated on vlan100, tagged, passed through the VETH pair, reaches bridge0, is broadcast to all attached ports, and eventually arrives at the destination TAP or physical NIC.
ARP from vlan200 child device
Similar to the previous case, but the VLAN ID is 200 and the child device is configured with reorder_hdr = 0, preserving the tag on reception.
ARP from central bridge
If bridge0 has an IP address, the kernel can send ARP directly from the bridge; TAP and external networks receive it, while VLAN children may filter it based on their IDs.
ARP from external network to VLAN 200
External traffic arriving on a port configured for VLAN 200 is delivered to all VLAN 200 interfaces, optionally retaining the tag.
Ping from TAP device
Assigning an IP address to tap0 and routing through it makes ping generate ARP requests, but a frame the kernel transmits on a TAP device goes to the user-space reader of its character device (the sending direction), not into the bridge's receive path, so the ARP request is not forwarded to bridge0.
File‑operation based packet injection on TAP
Writing to the TAP character device triggers the kernel to treat the data as received, causing it to be forwarded through the bridge and VLAN processing.
Example Commands for Configuring Network Devices on Linux
Create bridge: brctl addbr [BRIDGE_NAME]
Delete bridge: brctl delbr [BRIDGE_NAME]
Attach device to bridge: brctl addif [BRIDGE_NAME] [DEVICE_NAME]
Detach device from bridge: brctl delif [BRIDGE_NAME] [DEVICE_NAME]
Show bridge status: brctl show
Create VLAN device: vconfig add [PARENT_DEVICE] [VLAN_ID]
Delete VLAN device: vconfig rem [VLAN_DEVICE]
Set VLAN flag (flag 1 is reorder_hdr): vconfig set_flag [VLAN_DEVICE] [FLAG] [VALUE]
Set egress map: vconfig set_egress_map [VLAN_DEVICE] [SKB_PRIORITY] [VLAN_QOS]
Set ingress map: vconfig set_ingress_map [VLAN_DEVICE] [SKB_PRIORITY] [VLAN_QOS]
Show VLAN info: cat /proc/net/vlan/[VLAN_DEVICE]
Create VETH pair: ip link add [VETH_NAME] type veth peer name [PEER_NAME]
Create TAP device: tunctl -p [TAP_NAME]
Delete TAP device: tunctl -d [TAP_NAME]
List all Layer-2 devices: ip link show
Delete a generic device: ip link delete [DEVICE] type [TYPE]
Note: brctl and vconfig are legacy tools; iproute2 provides the same operations, e.g. ip link add [BRIDGE_NAME] type bridge and ip link add link [PARENT_DEVICE] name [VLAN_DEVICE] type vlan id [VLAN_ID].
Conclusion
Linux provides a comprehensive set of tools for creating and managing virtual network devices, enabling the construction of custom internal networks for applications, including basic cloud‑native virtual networking.
Original link: http://www.ibm.com/developerworks/cn/linux/1310_xiawc_networkdevice/index.html#icomments
MaGe Linux Operations