Configuring VLANs on Fedora Core

January 15, 2007

Interactive VLAN configuration is done with the vconfig program. The basic usage is 'vconfig add eth0 6'; this makes a new Ethernet device called eth0.6 (by default; vconfig can change this, but you probably don't want to). 'vconfig rem eth0.6' will then remove the VLAN.

A configured VLAN is up enough so that you can receive traffic on it. If all you're interested in is doing things like bridging virtual machines onto the VLAN's network, you don't need to do anything more at the host level; otherwise, you're going to need to give the VLAN interface an IP address somehow. I don't recommend using DHCP, because as far as I know there's no way to tell the Fedora DHCP clients to not helpfully rewrite your /etc/resolv.conf for the new network.

(Really what one wants is a 'shut up and get me an IP address, JUST an IP address, no routes, no nothing' option for some DHCP client. But this is kind of an obscure thing, so I can understand why it's not there.)

For permanent configuration, you can create ifcfg scripts in /etc/sysconfig/network-scripts. The minimum contents are:

DEVICE=eth0.6
VLAN=yes
ONBOOT=yes

(You can say 'ONBOOT=no' if you really want to; I suppose 'ifup whatever' is marginally less typing than doing the vconfig by hand.)

The 'VLAN=yes' bit is the important magic. With this, Fedora cracks open the device name to conclude that this is VLAN ID 6 on eth0, and sets it up appropriately (yet another reason not to try to change vconfig's VLAN name format). Fedora is perfectly willing to bring up VLANs that have no assigned IP address, and this is how I have mine set up. I name my VLAN ifcfg files things like 'ifcfg-vlan6', but I believe this name format is not required.

There's an alternate format for the VLAN ID and base device information:

DEVICE=vlan6
PHYSDEV=eth0
VLAN=yes
ONBOOT=yes

(For VLAN ID 6 on eth0 again.)

As far as I can see, you still get a device called 'eth0.6' out of this, not one called 'vlan6'.

Fedora's tcpdump understands VLANs and so can be used to dump the traffic on eth0 so you can see what VLANs are actually reaching your machine. However, just to confuse you, it will not print the VLAN ID information unless you ask it for link-level headers with -e. (Although it will happily receive and dump the packets, which can be really confusing; you need to remember to ask for 'not vlan and ...' if you want to see just the untagged base traffic on your link.)

Because VLAN devices are regular Ethernet devices, you can use tcpdump on them to see just traffic for that particular VLAN. This traffic is naturally already detagged.
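The VLAN ID that tcpdump only prints with -e lives in the 802.1Q tag of the Ethernet header, which is what you see on eth0 and what is already stripped on eth0.6. The sketch below is an added example, not part of the original entry; the function names are hypothetical and the frames are constructed sample data. It pulls the tag out of a raw frame and tells tagged from untagged traffic:

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q tag
TPID_8021AD = 0x88A8  # 802.1ad outer tag (stacked VLANs)

def parse_vlan_tags(frame: bytes):
    """Return (list of VLAN tags, inner EtherType) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    tags = []
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # TCI is 3 bits priority, 1 bit drop-eligible, 12 bits VLAN ID
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"vid": tci & 0x0FFF, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1})
        offset += 4
    return tags, ethertype

def build_frame(vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Construct a sample frame (made-up MAC addresses), optionally tagged."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return header + tag + struct.pack("!H", ethertype) + payload

def describe(frame: bytes) -> str:
    """One-line summary, roughly the extra detail that -e exposes."""
    tags, ethertype = parse_vlan_tags(frame)
    if tags:
        vlan = "vlan " + ",".join(str(t["vid"]) for t in tags)
    else:
        vlan = "untagged"
    return f"{vlan} ethertype 0x{ethertype:04x}"

if __name__ == "__main__":
    # What arrives on eth0 for VLAN 6, then the same traffic as seen on eth0.6
    print(describe(build_frame(vid=6)))
    print(describe(build_frame()))
```
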

(This is the kind of entry I write so that I have all of this information in one place the next time I need it.)


Last modified: Mon Jan 15 23:07:35 2007