[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Secure VLANs

On Wed, Jan 5, 2011 at 5:21 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
> So in the context of Xen, given that a trunk port on the switch would
> connect to Dom0, all I have to make sure is that the DomUs arn't connected
> to a bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the
> switch trunk port?

On Linux, VLAN and bridge functionalities are separate things.

regarding VLANs:
you have your physical interface (eth0), and then add VLAN interfaces to it:

  vconfig add eth0 12

creates a new interface that you can see with ifconfig, probably
called vlan12.  traffic on this new interface will come out tagged via
eth0, and (if the rest of the network is ok), will be able to
communicate only with devices on VLAN 12.

so, in your startup scripts you should add all the vlan interfaces you
need, it will be just as if you had a lot of ethernet NICs

regarding bridges:
linux's sowftware bridges don't manage VLANs, it's not like physical
bridges where you have one bridge and configure each port.

so, what you do is create several bridges, one for each VLAN, and then
add only one vlan interface to each bridge.  for example, to prepare
for VLAN 12:

  vconfig add eth0 12
  brctl addbr br12
  brctl addif br12 vlan12

now you have a bridge called br12 that is connected to your external
VLAN 12 and nothing else.  then just add the DomU's interface to this
bridge if they need to connect to VLAN 12


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.