WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Secure VLANs

from [Jonathan Tripathy] [Permanent Link][Original]
To: Javier Guerra Giraldez <javier@xxxxxxxxxxx>
Subject: Re: [Xen-users] Secure VLANs
From: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Date: Wed, 05 Jan 2011 23:45:12 +0000
Cc: Xen-users@xxxxxxxxxxxxxxxxxxx, "Fajar A. Nugraha" <list@xxxxxxxxx>
Delivery-date: Wed, 05 Jan 2011 15:46:32 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <AANLkTinYvDb1CHRcD9m_N7DoR7wWUy7AJLU36rV0a-e8@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4D22FD70.4030307@xxxxxxxxxxx> <AANLkTinS28-aiPCVnP2909ai7veu_eT1hS8o8EJ6QC29@xxxxxxxxxxxxxx> <4D24E773.6060209@xxxxxxxxxxx> <AANLkTi==xYKQGJvEef4vJudsxEsJpnDdhCdzQeX-RrKe@xxxxxxxxxxxxxx> <4D24EEE6.2030108@xxxxxxxxxxx> <AANLkTinYvDb1CHRcD9m_N7DoR7wWUy7AJLU36rV0a-e8@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6 

On 05/01/11 22:48, Javier Guerra Giraldez wrote:

On Wed, Jan 5, 2011 at 5:21 PM, Jonathan Tripathy<jonnyt@xxxxxxxxxxx>  wrote:

So in the context of Xen, given that a trunk port on the switch would
connect to Dom0, all I have to make sure is that the DomUs arn't connected
to a bridge in the Dom0 with a VLAN ID the same as the native VLAN ID of the
switch trunk port?

On Linux, VLAN and bridge functionalities are separate things.

regarding VLANs:
you have your physical interface (eth0), and then add VLAN interfaces to it:

   vconfig add eth0 12

creates a new interface that you can see with ifconfig, probably
called vlan12.  traffic on this new interface will come out tagged via
eth0, and (if the rest of the network is ok), will be able to
communicate only with devices on VLAN 12.

so, in your startup scripts you should add all the vlan interfaces you
need, it will be just as if you had a lot of ethernet NICs


regarding bridges:
linux's sowftware bridges don't manage VLANs, it's not like physical
bridges where you have one bridge and configure each port.

so, what you do is create several bridges, one for each VLAN, and then
add only one vlan interface to each bridge.  for example, to prepare
for VLAN 12:

   vconfig add eth0 12
   brctl addbr br12
   brctl addif br12 vlan12

now you have a bridge called br12 that is connected to your external
VLAN 12 and nothing else.  then just add the DomU's interface to this
bridge if they need to connect to VLAN 12

Hi Javier,

Thank you for the info. I think this has cleared up my confusion.
So, it is the linux vconfig utility that strips all vlan tags coming into the Dom0 and conversely, tags traffic coming out?
And provided that on my trunk lines (i.e. switch to Dom0, switch to switch and VLAN-aware firewall to switch) I either disable native VLAN (PVID) *or* make sure that the native VLAN ID on the trunk ports are not the same as any customer VLAN ID, then VLAN hopping can't occur? 

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] Xen Netloop module missing, Virajith Jalaparti
Next by Date:  Re: [Xen-users] Xen Netloop module missing, Mark Pryor
Previous by Thread:  Re: [Xen-users] Secure VLANs, Javier Guerra Giraldez
Next by Thread:  Re: [Xen-users] Secure VLANs, Javier Guerra Giraldez
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy