
Re: [Xen-users] Secure VLANs

Jonathan Tripathy wrote:

If I were to connect my VLAN-aware firewall directly into the Dom0, what security consideration would I have to take into account? Would there even be a "native VLAN" in this case (since there is no switch)?

I don't think the lack of a switch would make any difference - you still have (on each device) a default VLAN into which any untagged packets received will be placed. That's all the 'native VLAN' is.

In many (most, all ?) VLAN capable switches, VLAN 1 is automatically created, and all ports default to be members of VLAN1 and untagged. Similarly, the management processor is connected to VLAN1 and this often cannot be changed.

Hence the advice to avoid allowing VLAN1 on 'insecure' ports since that potentially gives customer/whoever access to the management processor on the switch.

So just don't give access to VLAN1 on your insecure ports, and set the default VLAN on these ports to something other than 1 if you have the port set to expect tagged packets.

I'm not too certain how this combines with bridges under Linux though !

Simon Hobson

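As an added illustration (not from either mail, and not Xen or Linux bridge code), here is a small Python model of 802.1Q ingress classification on a port. The frames, the port settings and the choice of VLAN 999 as the replacement PVID are all constructed for the example; it shows that untagged frames arriving on a port whose PVID (native VLAN) is 1 are placed straight into the management VLAN, whereas moving the PVID off 1 and removing VLAN 1 from the port's allowed list keeps that port's traffic out of it.

```python
# Constructed model of 802.1Q ingress: untagged frames go to the port's PVID
# (the "native VLAN" from the thread); tagged frames keep their VID; anything
# outside the port's allowed VLAN set is dropped.
import struct

TPID_8021Q = 0x8100
MGMT_VLAN = 1  # VLAN 1: default/management VLAN on most switches


def build_frame(dst, src, vid=None, payload=b"\x00" * 4):
    """Build a minimal Ethernet frame, optionally carrying an 802.1Q tag."""
    hdr = dst + src
    if vid is not None:
        tci = vid & 0x0FFF  # PCP and DEI bits left at 0
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", 0x0800) + payload


def ingress_vlan(frame, pvid, allowed):
    """VLAN the frame is placed into on ingress, or None if it is dropped.
    Untagged and priority-tagged (VID 0) frames fall into the PVID."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, 14)
        vid = tci & 0x0FFF
        if vid == 0:
            vid = pvid
    else:
        vid = pvid
    return vid if vid in allowed else None


def reaches_mgmt_vlan(frames, pvid, allowed):
    """True if any frame from this port lands in the management VLAN."""
    return any(ingress_vlan(f, pvid, allowed) == MGMT_VLAN for f in frames)


# Constructed traffic from an "insecure" port: untagged, tagged VLAN 1, tagged 200.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
INSECURE_PORT_FRAMES = [
    build_frame(MAC_B, MAC_A),           # untagged -> goes to the PVID
    build_frame(MAC_B, MAC_A, vid=1),    # explicitly tagged VLAN 1
    build_frame(MAC_B, MAC_A, vid=200),  # an ordinary customer VLAN
]

# Switch defaults: PVID 1 and VLAN 1 allowed -> untagged traffic hits management.
DEFAULT_PORT = dict(pvid=1, allowed={1, 200})
# Hardened as the reply advises: PVID moved off 1, VLAN 1 not allowed on the port.
HARDENED_PORT = dict(pvid=999, allowed={200, 999})
```

`reaches_mgmt_vlan(INSECURE_PORT_FRAMES, **DEFAULT_PORT)` is True and the same call with `HARDENED_PORT` is False; the explicitly tagged VLAN 1 frame is dropped on the hardened port rather than forwarded.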
