[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Secure VLANs

On 05/01/11 22:48, Javier Guerra Giraldez wrote:
On Wed, Jan 5, 2011 at 5:21 PM, Jonathan Tripathy<jonnyt@xxxxxxxxxxx>  wrote:
So in the context of Xen, given that a trunk port on the switch would
connect to Dom0, all I have to make sure is that the DomUs arn't connected
to a bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the
switch trunk port?
On Linux, VLAN and bridge functionalities are separate things.

regarding VLANs:
you have your physical interface (eth0), and then add VLAN interfaces to it:

   vconfig add eth0 12

creates a new interface that you can see with ifconfig, probably
called vlan12.  traffic on this new interface will come out tagged via
eth0, and (if the rest of the network is ok), will be able to
communicate only with devices on VLAN 12.

so, in your startup scripts you should add all the vlan interfaces you
need, it will be just as if you had a lot of ethernet NICs

regarding bridges:
linux's sowftware bridges don't manage VLANs, it's not like physical
bridges where you have one bridge and configure each port.

so, what you do is create several bridges, one for each VLAN, and then
add only one vlan interface to each bridge.  for example, to prepare
for VLAN 12:

   vconfig add eth0 12
   brctl addbr br12
   brctl addif br12 vlan12

now you have a bridge called br12 that is connected to your external
VLAN 12 and nothing else.  then just add the DomU's interface to this
bridge if they need to connect to VLAN 12
Hi Javier,

Thank you for the info. I think this has cleared up my confusion.

So, it is the linux vconfig utility that strips all vlan tags coming into the Dom0 and conversely, tags traffic coming out?

And provided that on my trunk lines (i.e. switch to Dom0, switch to switch and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or* make sure that the native VLAN ID on the trunk ports are not the same as any customer VLAN ID, then VLAN hopping can't occur?


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.