I got tired of the "spaghetti" that comes with creating a dozen separate br0.10, br0.20 interfaces on my KVM hosts. I also wanted to move away from Open vSwitch (OVS) complexity while still getting proper VLAN isolation for my VMs.
This repo is a reproducible pattern for using the VLAN-aware Linux bridge. It treats a Linux host like a managed switch: one bridge (br0) that handles all the tagging, filtering, and trunking directly in the kernel fast path.
The goal is operational clarity: no SDN overlays, no external switching daemons, just an explicit architecture built on kernel primitives.
Architecture
- physical `eth0` as an 802.1Q trunk
- bridge `br0` as a VLAN-aware Linux bridge (`VLANFiltering=yes`)
- management VLAN 90 routed on the host via `br0.90`
- isolation of guest VMs connected to `br0`, with VLAN separation enforced on the host side (libvirt VLAN tags)
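As an added example (not the repo's own `systemd-networkd/` files), this is what the four pieces above look like as systemd-networkd units, with the guest VLAN IDs 10 and 20, the management address 192.0.2.10/24 and the gateway as placeholders. It assumes a networkd version that applies a `[BridgeVLAN]` section in the bridge's own `.network` to the bridge itself (the "self" port).

```ini
# /etc/systemd/network/10-br0.netdev
[NetDev]
Name=br0
Kind=bridge
[Bridge]
VLANFiltering=yes
# No implicit PVID: a port without a [BridgeVLAN] entry carries no VLAN (not VLAN 1).
DefaultPVID=none

# /etc/systemd/network/20-eth0.network
[Match]
Name=eth0
[Network]
Bridge=br0
# The trunk port never gets an address of its own; L3 lives on br0.90 only.
LinkLocalAddressing=no
# VLANs allowed on the trunk (tagged). 10 and 20 are placeholder guest VLANs.
[BridgeVLAN]
VLAN=10
VLAN=20
VLAN=90

# /etc/systemd/network/30-br0.network
[Match]
Name=br0
[Network]
VLAN=br0.90
LinkLocalAddressing=no
ConfigureWithoutCarrier=yes
# Make the bridge's own port a tagged member of VLAN 90 so the host can reach
# the management VLAN; it is deliberately not a member of the guest VLANs.
[BridgeVLAN]
VLAN=90

# /etc/systemd/network/40-br0.90.netdev
[NetDev]
Name=br0.90
Kind=vlan
[VLAN]
Id=90

# /etc/systemd/network/50-br0.90.network
[Match]
Name=br0.90
[Network]
# Placeholder management address and gateway.
Address=192.0.2.10/24
Gateway=192.0.2.1
```

With `DefaultPVID=none`, a libvirt port attached to `br0` without an explicit VLAN tag forwards nothing, so a missing tag fails closed instead of dropping the guest into VLAN 1.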
The complete architectural explanation and configuration walkthrough is here:
→ Complete Architecture Guide
- Declarative networking configuration (`/etc/systemd/network`) you can track in Git
- Reproducible host setup (install script)
- Clear verification steps (verification script)
- Easy to extend into Ansible/GitOps
- `docs/architecture.md` — topology + responsibilities (L2 vs L3)
- `docs/decisions.md` — design tradeoffs & rationale
- `docs/writeup.md` — full write-up and deep dive
- `docs/verification.md` — how to validate the setup
- `systemd-networkd/` — config files to deploy on the host
- `libvirt/` — example VM NIC definitions (access VLAN and trunk)
- `scripts/` — install + verify helpers
⚠️ Networking changes can lock you out. Use console access or out-of-band management.
- Copy files into `/etc/systemd/network/` (see `scripts/install-networkd-config.sh`)
- Restart networkd: `sudo systemctl restart systemd-networkd`
- Verify: `./scripts/verify.sh`