Xen project Mailing List

Re: [Xen-users] Secure VLANs

To: Javier Guerra Giraldez <javier@xxxxxxxxxxx>

From: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>

Date: Wed, 05 Jan 2011 23:45:12 +0000

Cc: Xen-users@xxxxxxxxxxxxxxxxxxx, "Fajar A. Nugraha" <list@xxxxxxxxx>

Delivery-date: Wed, 05 Jan 2011 15:46:32 -0800

List-id: Xen user discussion <xen-users.lists.xensource.com>

On 05/01/11 22:48, Javier Guerra Giraldez wrote:

On Wed, Jan 5, 2011 at 5:21 PM, Jonathan Tripathy<jonnyt@xxxxxxxxxxx>  wrote:

So in the context of Xen, given that a trunk port on the switch would
connect to Dom0, all I have to make sure is that the DomUs arn't connected
to a bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the
switch trunk port?

On Linux, VLAN and bridge functionalities are separate things.

regarding VLANs:
you have your physical interface (eth0), and then add VLAN interfaces to it:

   vconfig add eth0 12

creates a new interface that you can see with ifconfig, probably
called vlan12.  traffic on this new interface will come out tagged via
eth0, and (if the rest of the network is ok), will be able to
communicate only with devices on VLAN 12.

so, in your startup scripts you should add all the vlan interfaces you
need, it will be just as if you had a lot of ethernet NICs


regarding bridges:
linux's sowftware bridges don't manage VLANs, it's not like physical
bridges where you have one bridge and configure each port.

so, what you do is create several bridges, one for each VLAN, and then
add only one vlan interface to each bridge.  for example, to prepare
for VLAN 12:

   vconfig add eth0 12
   brctl addbr br12
   brctl addif br12 vlan12

now you have a bridge called br12 that is connected to your external
VLAN 12 and nothing else.  then just add the DomU's interface to this
bridge if they need to connect to VLAN 12

Hi Javier, Thank you for the info. I think this has cleared up my confusion.

So, it is the linux vconfig utility that strips all vlan tags coming

into the Dom0 and conversely, tags traffic coming out?

And provided that on my trunk lines (i.e. switch to Dom0, switch to

switch and VLAN-aware firewall to switch) I either disable native VLAN

(PVID) *or* make sure that the native VLAN ID on the trunk ports are not

the same as any customer VLAN ID, then VLAN hopping can't occur?

Thanks _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users

Follow-Ups:

Re: [Xen-users] Secure VLANs
- From: Javier Guerra Giraldez

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.