xen-users
Re: [Xen-users] Secure VLANs
Jonathan Tripathy wrote:
If I were to connect my VLAN-aware firewall directly into the Dom0,
what security consideration would I have to take into account? Would
there even be a "native VLAN" in this case (since there is no
switch)?
I don't think the lack of a switch would make any difference - you
still have (on each device) a default VLAN into which any untagged
packets received will be placed. That's all the 'native VLAN' is.
In many (most, all?) VLAN capable switches, VLAN 1 is automatically
created, and all ports default to be members of VLAN 1 and untagged.
Similarly, the management processor is connected to VLAN 1 and this
often cannot be changed.
Hence the advice to avoid allowing VLAN1 on 'insecure' ports since
that potentially gives customer/whoever access to the management
processor on the switch.
So just don't give access to VLAN 1 on your insecure ports, and set
the default VLAN on these ports to something other than 1 if you have
the port set to expect tagged packets.
I'm not too certain how this combines with bridges under Linux though!
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
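On the Linux-bridge question at the end of Simon's reply: with VLAN filtering enabled on a Linux bridge, each bridge port has a PVID that plays the same role as the switch's native VLAN, so the same advice applies. The following is an added example, not code from the thread or from Xen: a POSIX shell audit that reads `bridge vlan show` output and flags non-uplink ports that still allow VLAN 1 or use PVID 1, plus a helper that prints the iproute2 commands to move a port to another default VLAN. The sample output, its plain-text layout and the port names (eth0 as trusted uplink, vif1.0, vif2.0) are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `bridge vlan show` on a Linux bridge with vlan_filtering=1
# (assumed plain-text layout: port name, then one VLAN entry per line; continuation
# lines for the same port start with whitespace). eth0 is the trusted uplink.
SAMPLE_VLAN_SHOW='port              vlan-id
eth0              1 PVID Egress Untagged
                  100
                  200
vif1.0            1 PVID Egress Untagged
                  100
vif2.0            200 PVID Egress Untagged'

# audit_vlan1 "TRUSTED PORTS"  < bridge-vlan-show-output
# Flags every non-trusted port that still allows VLAN 1, and says whether it is
# the PVID (untagged frames would land in VLAN 1, the "native VLAN" case).
# Prints one finding per line; exit status 1 if anything was found, else 0.
audit_vlan1() {
  awk -v trusted=" $1 " '
    NR == 1 { next }                                   # header line
    /^[^ \t]/ { port = $1; sub(/^[^ \t]+[ \t]*/, "") } # new port: drop its name
    {
      if (index(trusted, " " port " ") > 0) next       # uplink: VLAN 1 allowed
      if ($1 != "1") next
      if ($0 ~ /PVID/) print port ": untagged frames land in VLAN 1 (PVID 1)"
      else             print port ": VLAN 1 is allowed on this port"
      bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# remediation_cmds PORT VID
# Prints (does not run) the iproute2 commands that take PORT off VLAN 1 and
# make VID its default VLAN, which is the advice given in the thread.
remediation_cmds() {
  printf 'bridge vlan add dev %s vid %s pvid untagged\n' "$1" "$2"
  printf 'bridge vlan del dev %s vid 1\n' "$1"
}

# Stand-alone run over the constructed sample: vif1.0 should be reported.
if ! printf '%s\n' "$SAMPLE_VLAN_SHOW" | audit_vlan1 "eth0"; then
  echo "suggested fix for vif1.0:"
  remediation_cmds vif1.0 100
fi
```

On a real host, feed the function with `bridge vlan show | audit_vlan1 "eth0"` and check the exit status from a cron job or monitoring script.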