WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Secure VLANs

Jonathan Tripathy wrote:

If I were to connect my VLAN-aware firewall directly into the Dom0, what security consideration would I have to take into account? Would there even be a "native VLAN" in this case (since there is no switch)?

I don't think the lack of a switch would make any difference - you still have (on each device) a default VLAN into which any untagged packets received will be placed. That's all the 'native VLAN' is.


In many (most, all ?) VLAN capable switches, VLAN 1 is automatically created, and all ports default to be members of VLAN1 and untagged. Similarly, the management processor is connected to VLAN1 and this often cannot be changed.

Hence the advice to avoid allowing VLAN1 on 'insecure' ports since that potentially gives customer/whoever access to the management processor on the switch.

So just don't give access to VLAN1 on your insecure ports, and set the default VLAN on these ports to something other than 1 if you have the port set to expect tagged packets.


I'm not too certain how this combines with bridges under Linux though !

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
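As an added illustration (not from the thread or from any Xen code), the following models the native-VLAN rule Simon describes and audits a constructed port table against his advice: an untrusted port must not deliver untagged frames into VLAN 1 and must not accept tagged VLAN 1 either, because that is where the switch's management processor sits. The port names, the `trusted` flag and `MANAGEMENT_VLAN = 1` are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, FrozenSet

MANAGEMENT_VLAN = 1  # assumed: the management processor lives on VLAN 1 (switch default)


@dataclass
class Port:
    name: str
    trusted: bool                      # False for customer/guest-facing ("insecure") ports
    native_vlan: int = 1               # VLAN that untagged ingress frames are placed in
    tagged_vlans: FrozenSet[int] = frozenset()  # VLANs accepted with an 802.1Q tag


def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN an incoming frame is placed in, or None if it is dropped.

    This is the whole of the 'native VLAN' concept: an untagged frame always
    lands in the port's default VLAN; a tagged frame is only accepted if that
    VLAN is permitted on the port.
    """
    if tag is None:
        return port.native_vlan
    return tag if tag in port.tagged_vlans else None


def audit(ports: List[Port]) -> List[str]:
    """Flag untrusted ports that can reach the management VLAN by either path."""
    findings = []
    for p in ports:
        if p.trusted:
            continue
        if classify_ingress(p, None) == MANAGEMENT_VLAN:
            findings.append(f"{p.name}: untagged frames land in VLAN {MANAGEMENT_VLAN}")
        if classify_ingress(p, MANAGEMENT_VLAN) == MANAGEMENT_VLAN:
            findings.append(f"{p.name}: tagged VLAN {MANAGEMENT_VLAN} is allowed")
    return findings


# Constructed port table: an uplink, two customer ports left at or near defaults,
# and one configured as advised (VLAN 1 removed, default VLAN moved to a dummy id).
PORTS = [
    Port("uplink1", trusted=True, tagged_vlans=frozenset({1, 100, 200})),
    Port("cust-a", trusted=False),                                   # factory default
    Port("cust-b", trusted=False, native_vlan=999, tagged_vlans=frozenset({1, 100})),
    Port("cust-c", trusted=False, native_vlan=999, tagged_vlans=frozenset({100})),
]

if __name__ == "__main__":
    for line in audit(PORTS):
        print(line)
```

Only `cust-c` passes: moving the default VLAN off 1 is not enough if VLAN 1 is still in the port's tagged list, as `cust-b` shows.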
