# Chapter 25: Advanced Networking

## Comprehensive Guide to Linux Bonding, Bridging, VLANs, and Network Virtualization

## 25.1 Network Bonding (NIC Teaming)

### Understanding Network Bonding

Network bonding combines multiple network interfaces into a single logical interface for increased throughput, redundancy, or both. It is essential for production environments requiring high availability and performance.
Network Bonding Architecture:

```text
              +---------------------------+
              | bond0 (Virtual Interface) |
              | IP: 192.168.1.10/24       |
              +-------------+-------------+
                            |
           +----------------+----------------+
           v                v                v
     +----------+     +----------+     +----------+
     |   eth0   |     |   eth1   |     |   eth2   |
     |  Slave   |     |  Slave   |     |  Slave   |
     +----------+     +----------+     +----------+
```

Benefits:

- Increased bandwidth (throughput = sum of all interfaces)
- Fault tolerance (if one link fails, others take over)
- Load balancing
- High availability
### Bonding Modes Explained

Bonding Modes Comparison:

Mode 0: Round-Robin (balance-rr)

- Packets sent in sequential order across all slaves
- Provides load balancing and fault tolerance
- No LACP needed on the switch side
- Example: eth0 → eth1 → eth2 → eth0 → ...

Mode 1: Active-Backup (active-backup)

- Only one slave active at a time
- Other slaves on standby
- Failover when the active slave fails
- Simple, widely compatible
- MAC address always from the active slave

Mode 2: XOR (balance-xor)

- Uses source MAC XOR destination MAC for slave selection
- Provides load balancing and fault tolerance
- Consistent mapping between source/destination pairs
- Good for single MAC destination (local switch)

Mode 3: Broadcast (broadcast)

- Sends all traffic on all slaves
- Provides fault tolerance only
- Should only be used with specific applications
- Creates duplicate traffic

Mode 4: 802.3ad (LACP)

- IEEE 802.3ad Link Aggregation Control Protocol
- Requires a switch with LACP support
- Dynamic aggregation
- Best for load balancing with switch awareness
- Load balancing based on (src, dst) MAC and port

Mode 5: TLB (balance-tlb)

- Transmit Load Balancing
- Outgoing traffic balanced based on current load
- Incoming traffic arrives on one specific slave
- Does not require special switch configuration

Mode 6: ALB (balance-alb)

- Adaptive Load Balancing
- Includes receive load balancing (via ARP)
- Uses ARP negotiation to balance incoming traffic
- Does not require switch configuration
### Creating Bond Interface with ip Command

```bash
# Create bond interface
sudo ip link add bond0 type bond mode 802.3ad

# Or for active-backup
sudo ip link add bond0 type bond mode active-backup

# Configure bond options (the bond must still be down for these to apply)
sudo ip link set bond0 type bond miimon 100                  # MII monitoring (100 ms)
sudo ip link set bond0 type bond lacp_rate fast              # LACP rate
sudo ip link set bond0 type bond xmit_hash_policy layer2+3   # Hash policy

# Add slave interfaces (a slave has to be down before it can be enslaved)
sudo ip link set eth0 down
sudo ip link set eth1 down
sudo ip link set eth0 master bond0
sudo ip link set eth1 master bond0

# Bring up bond interface
sudo ip link set bond0 up

# Configure IP address
sudo ip addr add 192.168.1.10/24 dev bond0

# Verify bond status
cat /proc/net/bonding/bond0

# Remove slave
sudo ip link set eth0 nomaster

# Delete bond
sudo ip link delete bond0
```
### Configuring Bond via /etc/network/interfaces (Debian/Ubuntu)

```
# Bond configuration
auto bond0
iface bond0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1
    bond-mode 802.3ad
    bond-miimon 100
    bond-lacp-rate fast
    bond-slaves eth0 eth1

# Or with DHCP
auto bond0
iface bond0 inet dhcp
    bond-mode active-backup
    bond-miimon 100
    bond-slaves eth0 eth1
```
### Configuring Bond via Network Scripts (RHEL/CentOS)

```
# /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
NAME=bond0
TYPE=Bond
BONDING_MASTER=yes
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
ONBOOT=yes
BOOTPROTO=none
BONDING_OPTS="mode=4 miimon=100 lacp_rate=fast xmit_hash_policy=layer2+3"

# /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

# /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
NAME=eth1
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
```

```bash
# Restart network
sudo systemctl restart network
```
### Bonding Options

Bonding Module Options:

| Option | Description | Default |
|---|---|---|
| miimon | MII link monitoring interval (ms) | 0 |
| updelay | Delay before link up | 0 |
| downdelay | Delay before link down | 0 |
| mode | Bonding mode (0-6) | 0 |
| xmit_hash_policy | Traffic distribution policy | layer2 |
| lacp_rate | LACP rate (slow/fast) | slow |
| max_bonds | Maximum bond devices | 1 |
| primary | Primary slave for mode 1 | none |
| fail_over_mac | MAC on failover (active-backup) | none |

xmit_hash_policy options:

| Policy | Hash input |
|---|---|
| layer2 | XOR of source/dest MAC |
| layer2+3 | XOR of MAC + IP (recommended) |
| layer3+4 | XOR of IP + Port |

miimon: 100 ms is recommended for most environments.
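The status file that the commands above read, /proc/net/bonding/bond0, is plain text, so a monitoring job can parse it instead of a human eyeballing it. The following Python is an added example, not part of this guide: it parses a constructed sample of that file and flags a down slave, a non-zero link failure count, miimon left at 0, and LACP slaves that landed in different aggregators (a sign the switch is not bundling the ports). It assumes only the Key: value layout shown in the sample; real files carry more fields, which the parser ignores.

```python
import re

# Constructed sample of /proc/net/bonding/bond0 (not captured from a real host);
# eth1 is down and ended up in a different LACP aggregator than eth0.
SAMPLE = """\
Ethernet Channel Bonding Driver: v5.15.0

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2+3 (2)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP rate: fast

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55
Aggregator ID: 1

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:56
Aggregator ID: 2
"""


def _fields(block):
    """Turn the 'Key: value' lines of one section into a dict."""
    out = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_bond(text):
    """Split the file into the bond header and one dict per 'Slave Interface:' section."""
    parts = re.split(r"^Slave Interface:", text, flags=re.MULTILINE)
    bond = _fields(parts[0])
    slaves = []
    for part in parts[1:]:
        name, _, rest = part.partition("\n")
        slave = _fields(rest)
        slave["name"] = name.strip()
        slaves.append(slave)
    return bond, slaves


def bond_problems(text):
    """Return the findings a health check should alert on (empty list = healthy)."""
    bond, slaves = parse_bond(text)
    findings = []
    if bond.get("MII Polling Interval (ms)", "0") == "0":
        findings.append("miimon is 0: link failures will not be detected")
    if bond.get("MII Status") != "up":
        findings.append("bond is down")
    for s in slaves:
        if s.get("MII Status") != "up":
            findings.append(f"slave {s['name']} is down")
        if int(s.get("Link Failure Count", "0")) > 0:
            findings.append(f"slave {s['name']} has {s['Link Failure Count']} link failures")
    if "802.3ad" in bond.get("Bonding Mode", ""):
        # All slaves must share one aggregator, or the switch is not bundling them.
        agg_ids = {s.get("Aggregator ID", "?") for s in slaves}
        if len(agg_ids) > 1:
            findings.append("LACP slaves are in different aggregators: " + ", ".join(sorted(agg_ids)))
    return findings
```

On a live host, replace SAMPLE with the contents of /proc/net/bonding/bond0 and page on a non-empty result.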
## 25.2 Network Bridging

### Understanding Network Bridges

A network bridge connects multiple network segments at layer 2 (Data Link Layer). It is commonly used in virtualization, containers, and network segmentation.
Network Bridging Architecture:

```text
   Bridge br0 (Layer 2 switch)             IP: 192.168.1.1/24
   +------------------------------------------------------------+
   |  +--------+   +--------+   +--------+   +--------+         |
   |  |  eth0  |   |  eth1  |   |  veth0 |   |  veth1 |         |
   |  | (port) |   | (port) |   | (port) |   | (port) |         |
   |  +--------+   +--------+   +--------+   +--------+         |
   +-----------------------------+------------------------------+
                                 |
                                 v
                  Connected to physical network
```

Use Cases:

- KVM/QEMU virtualization
- Docker bridge networks
- Network segmentation
- Bridging physical and virtual networks
### Creating Bridge with ip Command

```bash
# Create bridge interface
sudo ip link add br0 type bridge

# Or with STP enabled
sudo ip link add br0 type bridge stp_state 1 forward_delay 2

# Add interfaces to bridge
sudo ip link set eth0 master br0
sudo ip link set eth1 master br0
sudo ip link set veth0 master br0

# Configure IP on bridge
sudo ip addr add 192.168.1.1/24 dev br0

# Bring up bridge
sudo ip link set br0 up

# Verify
ip link show
bridge link show
bridge -d link show

# Remove interface from bridge
sudo ip link set eth0 nomaster

# Delete bridge
sudo ip link delete br0
```
### Bridge with NetworkManager

```bash
# Create bridge using nmcli
nmcli con add type bridge ifname br0 con-name br0
nmcli con add type bridge-slave ifname eth0 master br0

# Configure IP
nmcli con modify br0 ipv4.addresses 192.168.1.1/24
nmcli con modify br0 ipv4.method manual

# Activate
nmcli con up br0

# View bridge
nmcli dev show br0
bridge -d link show
```
### Bridge for KVM Virtualization

```
# Create bridge for KVM
# /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
NAME=br0
TYPE=Bridge
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none

# Physical interface (remove IP)
# /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
NAME=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
BRIDGE=br0
```

```bash
# Restart network
sudo systemctl restart network

# Verify
brctl show
ip addr show br0
```
### Bridge Options

| Option | Description |
|---|---|
| bridge-name | Bridge interface name |
| aging_time | MAC address table aging time |
| forward_delay | Time in forwarding state before learning |
| hello_time | Hello packet interval |
| max_age | Max message age for topology |
| stp_state | STP enabled (1) or disabled (0) |
| priority | Bridge priority for STP |
| port_priority | Port priority for STP |
| path_cost | Port path cost for STP |

Common configurations:

```bash
# With STP (for networks with loops)
ip link add br0 type bridge stp_state 1 forward_delay 2

# Without STP (simple bridge)
ip link add br0 type bridge stp_state 0
```
## 25.3 VLANs (Virtual Local Area Networks)

### Understanding VLANs

VLANs allow you to segment a network at Layer 2. Each VLAN is identified by a 12-bit VLAN ID (1-4094). Traffic between VLANs requires Layer 3 routing.
VLAN Architecture:

```text
   Physical Switch
   +-----------------------------------------------------------+
   | +---------+  +---------+  +---------+  +---------+         |
   | | VLAN 10 |  | VLAN 20 |  | VLAN 30 |  | VLAN 40 |         |
   | | (Mgmt)  |  | (Data)  |  | (Voice) |  | (Guest) |         |
   | +---------+  +---------+  +---------+  +---------+         |
   +-----------------------------+-----------------------------+
                                 | 802.1Q trunk
                                 v
   Linux with VLANs (parent: eth0, trunk)
   +-----------------------------------------------------------+
   |  +-----------+   +-----------+   +-----------+            |
   |  |  eth0.10  |   |  eth0.20  |   |  eth0.30  |            |
   |  | 10.0.10.x |   | 10.0.20.x |   | 10.0.30.x |            |
   |  +-----------+   +-----------+   +-----------+            |
   +-----------------------------------------------------------+
```

VLAN Tagging (802.1Q):

- Adds a 4-byte tag to the Ethernet frame
- Tag contains the VLAN ID (12 bits)
- Switch port must be in trunk mode
### Creating VLAN Interfaces

```bash
# Create VLAN interface using ip
sudo ip link add link eth0 name eth0.100 type vlan id 100

# Configure IP
sudo ip addr add 10.0.100.1/24 dev eth0.100

# Bring up
sudo ip link set eth0.100 up

# Or use the vlan package (vconfig is legacy; prefer ip)
sudo apt install vlan
sudo vconfig add eth0 100
sudo ip addr add 10.0.100.1/24 dev eth0.100
sudo ip link set eth0.100 up

# View VLAN interfaces
ip -d link show
cat /proc/net/vlan/config

# Remove VLAN
sudo ip link delete eth0.100
```
### VLAN with /etc/network/interfaces

```
# Physical interface (trunk port)
auto eth0
iface eth0 inet manual
    up ip link set eth0 up
    down ip link set eth0 down

# VLAN 10
auto eth0.10
iface eth0.10 inet static
    address 10.0.10.10
    netmask 255.255.255.0
    vlan-raw-device eth0

# VLAN 20
auto eth0.20
iface eth0.20 inet static
    address 10.0.20.10
    netmask 255.255.255.0
    vlan-raw-device eth0
```
### VLAN with NetworkManager

```bash
# Create VLAN using nmcli
nmcli con add type vlan ifname eth0.100 dev eth0 id 100

# Configure IP
nmcli con modify vlan-eth0.100 ipv4.addresses 10.0.100.10/24
nmcli con modify vlan-eth0.100 ipv4.method manual

# Activate
nmcli con up vlan-eth0.100

# View VLANs
nmcli device show
```
### QinQ (VLAN Stacking)

```bash
# QinQ - double tagging for service provider VLANs
# Outer (service) tag: 802.1ad, VLAN 100
sudo ip link add link eth0 name eth0.100 type vlan proto 802.1ad id 100
# Inner (customer) tag: 802.1Q, VLAN 200, stacked on the outer interface
sudo ip link add link eth0.100 name eth0.100.200 type vlan proto 802.1Q id 200
sudo ip link set eth0.100 up
sudo ip link set eth0.100.200 up

# Or use vconfig (legacy; eth0.100 must already exist)
sudo vconfig set_flag eth0.100 1 1
sudo vconfig add eth0.100 200

# QinQ configuration
# Outer VLAN: 100
# Inner VLAN: 200
```
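To make the 4-byte tag described in the VLAN Tagging notes concrete, here is an added Python example (not part of this guide) that walks the stacked 802.1ad/802.1Q tags of a raw Ethernet frame, the layout eth0.100.200 produces, and returns the VLAN IDs outer-first. The frames are constructed inline rather than captured; the builder enforces the 1-4094 ID range and the parser rejects truncated tags, which is also what a capture check needs when confirming that only single-tagged frames arrive on a port meant to be a plain access port.

```python
import struct

ETH_P_8021Q = 0x8100   # TPID of a customer tag (C-tag)
ETH_P_8021AD = 0x88A8  # TPID of a service tag (S-tag), the outer tag in QinQ


def parse_vlan_tags(frame):
    """Decode dst MAC, src MAC, the stacked VLAN IDs (outer first) and the payload.

    Every 802.1Q/802.1ad tag is 4 bytes inserted after the source MAC: a 2-byte
    TPID followed by the 16-bit TCI, whose low 12 bits are the VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, vlans = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)  # PCP/DEI are the top 4 bits, the ID the low 12
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def _mac_bytes(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, tags, ethertype, payload):
    """Build a test frame; tags is a list of (tpid, vlan_id), outer tag first."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    for tpid, vid in tags:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        frame += struct.pack("!HH", tpid, vid)  # PCP/DEI left at 0
    return frame + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic); payloads are shortened.
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [], 0x0806, b"\x00" * 28)
TAGGED_100 = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01",
                         [(ETH_P_8021Q, 100)], 0x0800, b"\x45")
QINQ_100_200 = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01",
                           [(ETH_P_8021AD, 100), (ETH_P_8021Q, 200)], 0x0800, b"\x45")
```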
## 25.4 Network Namespaces

### Understanding Network Namespaces

Network namespaces provide isolated network stacks. Each namespace has its own network interfaces, routing tables, and iptables rules.
Network Namespaces:

```text
   Host Network Stack
   +------------------------------------------------------------+
   |  eth0  |  lo  |  eth1  |  routes  |  iptables  |  ARP table |
   +------------------------------+-----------------------------+
                                  |
                                  v
   +------------------+    +------------------+
   |    ns-default    |    |    ns-custom     |
   |  veth-a          |    |  veth-b          |
   |  lo              |    |  lo              |
   |  routes          |    |  routes          |
   |  iptables        |    |  iptables        |
   +------------------+    +------------------+
   +------------------+    +------------------+
   |   ns-frontend    |    |    ns-backend    |
   |  veth-c          |    |  veth-d          |
   |  lo              |    |  lo              |
   +------------------+    +------------------+
```

Use Cases:

- Container isolation (Docker, LXC)
- VPN isolation
- Network testing
- Multi-tenant environments
### Creating and Managing Namespaces

```bash
# Create namespace
sudo ip netns add frontend

# List namespaces
ip netns list

# Execute command in namespace
sudo ip netns exec frontend ip link
sudo ip netns exec frontend ip addr

# Add interface to namespace
# First create veth pair
sudo ip link add veth0 type veth peer name veth1

# Move one end to namespace
sudo ip link set veth1 netns frontend

# Configure in namespace
sudo ip netns exec frontend ip addr add 10.0.0.1/24 dev veth1
sudo ip netns exec frontend ip link set veth1 up

# Run shell in namespace
sudo ip netns exec frontend /bin/bash

# Delete namespace (done last; the commands above need it to exist)
sudo ip netns delete frontend
```
### Connecting Namespaces with Bridge

```bash
# Create bridge
sudo ip link add br0 type bridge

# Create the namespaces to connect
sudo ip netns add ns1
sudo ip netns add ns2

# Create veth pairs for each namespace
sudo ip link add veth0 type veth peer name veth0ns
sudo ip link add veth1 type veth peer name veth1ns

# Move one end to namespaces
sudo ip link set veth0ns netns ns1
sudo ip link set veth1ns netns ns2

# Add bridge ports (the host-side ends)
sudo ip link set veth0 master br0
sudo ip link set veth1 master br0

# Configure IPs: the host address goes on br0, not on the bridge ports;
# the namespace ends get addresses in the same subnet
sudo ip addr add 10.0.1.1/24 dev br0
sudo ip netns exec ns1 ip addr add 10.0.1.2/24 dev veth0ns
sudo ip netns exec ns2 ip addr add 10.0.1.4/24 dev veth1ns

# Bring up everything
sudo ip link set br0 up
sudo ip link set veth0 up
sudo ip link set veth1 up
sudo ip netns exec ns1 ip link set veth0ns up
sudo ip netns exec ns2 ip link set veth1ns up

# Enable forwarding in namespaces for routing
sudo ip netns exec ns1 sysctl -w net.ipv4.ip_forward=1
```
## 25.5 Virtual Ethernet (veth) Pairs

### Understanding veth

veth pairs are virtual Ethernet cables that connect two network namespaces. They are the building blocks for container networking.
veth Pair Architecture:

```text
   +------------------+                    +------------------+
   |   Namespace A    |                    |   Namespace B    |
   |   +----------+   |                    |   +----------+   |
   |   |  veth-A  |===+====================+===|  veth-B  |   |
   |   +----------+   |                    |   +----------+   |
   +---------|--------+                    +---------|--------+
             v                                       v
   +------------------+                    +------------------+
   |   Host Kernel    |                    |   Host Kernel    |
   +------------------+                    +------------------+

   Traffic flows: veth-A <-> veth-B
```
### Creating and Using veth Pairs

```bash
# Create veth pair
sudo ip link add veth0 type veth peer name veth1

# Configure each end
sudo ip addr add 10.0.0.1/24 dev veth0
sudo ip addr add 10.0.0.2/24 dev veth1

# Bring up
sudo ip link set veth0 up
sudo ip link set veth1 up

# Move one end to a namespace (see above)

# Check
ip link show
ip addr show veth0

# Delete veth pair (deleting one end removes both)
sudo ip link delete veth0
```
## 25.6 Tunneling

### IP Tunnels

```bash
# Note: GRE, IPIP and VXLAN carry traffic in the clear; on untrusted paths
# run them inside WireGuard (below) or IPsec.

# GRE Tunnel
# On endpoint A
sudo ip tunnel add gre0 mode gre remote 192.168.1.2 local 192.168.1.1
sudo ip addr add 10.0.0.1/30 dev gre0
sudo ip link set gre0 up

# On endpoint B
sudo ip tunnel add gre0 mode gre remote 192.168.1.1 local 192.168.1.2
sudo ip addr add 10.0.0.2/30 dev gre0
sudo ip link set gre0 up

# Verify
ip tunnel show
ping 10.0.0.2

# IPIP Tunnel (simpler)
sudo ip tunnel add tun0 mode ipip remote 192.168.1.2 local 192.168.1.1
sudo ip addr add 10.0.0.1/30 dev tun0
sudo ip link set tun0 up

# VXLAN (Layer 2 over Layer 3)
sudo ip link add vxlan0 type vxlan id 100 remote 192.168.1.2 \
    dstport 4789 local 192.168.1.1
sudo ip addr add 10.0.100.1/24 dev vxlan0
sudo ip link set vxlan0 up
```
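The VXLAN command above creates an interface that wraps whole Ethernet frames in UDP port 4789 with a 24-bit VNI. The following Python is an added example (not part of this guide) that builds and decodes that UDP + VXLAN + inner-Ethernet layout for VNI 100; the inner frame is constructed, not captured, and the outer IP header is omitted. The header carries no authentication of its own, which is why VXLAN between hosts on untrusted paths is normally carried inside WireGuard or IPsec.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (the dstport in the command above)
VXLAN_FLAG_I = 0x08     # "VNI valid" flag, the only flag RFC 7348 defines


def build_vxlan_udp(vni, inner_frame, src_port=49152):
    """Return UDP header + VXLAN header + inner Ethernet frame (outer IP omitted).

    VXLAN header: 1 byte flags, 3 bytes reserved, 3 bytes VNI, 1 byte reserved.
    """
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must be a 24-bit value")
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)   # VNI sits in the top 24 bits
    udp_len = 8 + len(vxlan) + len(inner_frame)
    # UDP checksum 0 = not computed, which RFC 7348 permits over IPv4
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    return udp + vxlan + inner_frame


def decode_vxlan_udp(packet):
    """Return (vni, inner_dst_mac, inner_src_mac, inner_frame) or raise ValueError."""
    if len(packet) < 8 + 8 + 14:
        raise ValueError("too short for UDP + VXLAN + Ethernet headers")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN: UDP dst port {dst_port}")
    if udp_len != len(packet):
        raise ValueError("UDP length field does not match packet size")
    flags, vni_field = struct.unpack("!B3xI", packet[8:16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI-valid flag is clear")
    inner = packet[16:]
    return vni_field >> 8, inner[0:6].hex(":"), inner[6:12].hex(":"), inner


# Constructed inner frame: a broadcast ARP request from 02:00:00:00:00:01 (not captured).
INNER = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x06" + b"\x00" * 28
PACKET = build_vxlan_udp(100, INNER)
```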
### WireGuard VPN

```bash
# Install
sudo apt install wireguard

# Generate keys (umask 077 keeps private.key readable by the owner only)
umask 077
wg genkey | tee private.key | wg pubkey > public.key
```

```
# Server configuration
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32

# Client configuration
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = server.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

```bash
# Enable
sudo wg-quick up wg0
sudo wg show
```
## 25.7 Network Troubleshooting

### Advanced Troubleshooting

```bash
# Check bond status
cat /proc/net/bonding/bond0

# Check bridge
bridge link show
brctl show
bridge -d link show

# Check VLAN
cat /proc/net/vlan/config
ip -d link show

# Check namespace
ip netns list
ip netns exec <ns> ip addr

# Check veth
ip link show type veth
ethtool <interface>

# Packet forwarding
cat /proc/sys/net/ipv4/ip_forward
sysctl net.ipv4.ip_forward

# Routing table
ip route show
ip route get 8.8.8.8

# ARP table
ip neigh show
arp -a

# Conntrack
conntrack -L
conntrack -L -p tcp --dport 80

# Network statistics
ss -tunapl
netstat -i
```
## 25.8 Interview Questions

### Basic Questions

- What is network bonding in Linux?
  - Combining multiple network interfaces into one logical interface
- What are the different bonding modes?
  - 0 (round-robin), 1 (active-backup), 2 (XOR), 3 (broadcast), 4 (802.3ad/LACP), 5 (TLB), 6 (ALB)
- What is a network bridge?
  - Layer 2 device connecting network segments
- What is a VLAN?
  - Virtual LAN - network segmentation at Layer 2
- What is 802.1Q?
  - VLAN tagging standard
### Intermediate Questions

- What is the difference between mode 1 and mode 4 bonding?
  - Mode 1: active-backup (one active at a time); Mode 4: LACP (dynamic aggregation)
- What is STP and why is it used with bridges?
  - Spanning Tree Protocol prevents loops in bridged networks
- What are network namespaces used for?
  - Isolating network stacks for containers, VPNs, testing
- What is a veth pair?
  - Virtual Ethernet pair - two connected virtual interfaces
- How do you configure VLANs in Linux?
  - Using ip link add with type vlan, or vconfig
### Advanced Questions

- Explain the difference between TLB and ALB bonding modes
  - TLB: transmit load balancing only; ALB: includes receive load balancing
- What is QinQ and when would you use it?
  - Double VLAN tagging; used by service providers for VLAN translation
- What is VXLAN and how does it work?
  - Virtual Extensible LAN; MAC-in-UDP tunneling for Layer 2 over Layer 3
- How do you debug network bonding issues?
  - Check /proc/net/bonding/bond0, ethtool, switch configuration
- What is the difference between bridging and routing?
  - Bridging works at Layer 2, routing at Layer 3
## Summary

Quick Reference:

```bash
# Bonding
ip link add bond0 type bond mode 802.3ad
ip link set eth0 master bond0
cat /proc/net/bonding/bond0

# Bridging
ip link add br0 type bridge
ip link set eth0 master br0
brctl show

# VLANs
ip link add link eth0 name eth0.100 type vlan id 100
ip -d link show

# Namespaces
ip netns add <name>
ip netns exec <name> <command>
ip link set <interface> netns <name>

# veth
ip link add veth0 type veth peer name veth1
ip link set veth1 netns <namespace>
```