On 10/01/11 21:33, John Haxby wrote:
> On 10 Jan 2011, at 17:42, Jonathan Tripathy wrote:
>> I wish to use VLANs on my Linux Xen hosts to separate managed customer networks.
>> Can anybody please give me some pointers on how to make the network secure so no-one can VLAN hop?
>> At the minute, I plan to set up one bridge per customer, and use linux vconfig to add an interface to the bridge (which I believe strips all tags). Then, all the respective customer Xen DomU (VM) interfaces will connect to the bridge.
>
> If each bridge (for each customer) contains just one vlan-tagged physical interface then there is no way for the guests to vlan-hop. A vlan tag added by a guest will either be replaced by the vlan tag of the external interface or the frame will be dropped. If you have multiple vlans on a bridge (with multiple physical interfaces) then the vlan will be chosen by routing if the interfaces have their own addresses; I'm not sure what happens if the interfaces don't have addresses, but when a frame leaves on a vlan interface it acquires the corresponding vlan tag. It doesn't matter what happens to the tag on the way back, as it's only relevant to an interface that's on a vlan.
>
> Obviously you should test this, but it's all pretty straightforward and there's nothing special or complicated to set up.
>
> jch
Excellent! Thank you for your explanation.

If a guest maliciously added a vlan tag, wouldn't it still remain in the frame, but be "double-tagged" by the outgoing physical port? Even so, this probably isn't an issue, provided that all upstream switches are configured correctly.

In the first instance though, my Xen host will connect directly to my vlan-aware firewall port.

Please let me know if I've got this wrong somewhere...
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
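The double-tagging question raised above can be checked at the byte level. The following is an added example, not code from this thread or from any of its participants: it builds the Ethernet frames a DomU could emit, models the egress of a per-customer VLAN subinterface (eth0.<vid>) as pushing its own 802.1Q header in front of whatever the guest sent, and then models a trunk port upstream that treats frames whose outer tag matches its native VLAN as untagged. The MAC addresses, the payload bytes and the switch model are constructed for the example; the switch behaviour is the textbook double-tag case, not a description of any particular vendor's firmware.

```python
"""Model of 802.1Q tagging on a per-customer bridge uplink (constructed example)."""
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800

# Constructed addresses for the example; not taken from the thread.
GUEST_MAC = "02:00:00:00:00:01"
GW_MAC = "02:00:00:00:00:fe"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vlan_ids=()) -> bytes:
    """Ethernet II frame with one 802.1Q header per id in vlan_ids (outermost first)."""
    hdr = _mac(dst) + _mac(src)
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0, 12-bit VID
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def parse_tags(frame: bytes):
    """Return the VLAN ids stacked on the frame, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def vlan_dev_xmit(frame: bytes, vid: int) -> bytes:
    """Egress through a VLAN subinterface, modelled as: insert the interface's
    tag directly after the MAC addresses and leave the rest of the frame alone.
    A tag the guest already inserted therefore stays in place as the inner tag."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def trunk_classify(frame: bytes, native_vid: int):
    """Model of an 802.1Q trunk port receiving the frame.
    Untagged -> native VLAN.  Outer tag != native -> that VLAN.
    Outer tag == native -> the port strips it and forwards the frame as
    native-VLAN traffic, so the next trunk hop reads the inner tag instead.
    Returns (VLAN the frame ends up in, frame as forwarded)."""
    vids = parse_tags(frame)
    if not vids:
        return native_vid, frame
    if vids[0] != native_vid:
        return vids[0], frame
    stripped = frame[:12] + frame[16:]
    inner = parse_tags(stripped)
    return (inner[0] if inner else native_vid), stripped


def guest_lands_in(customer_vid: int, trunk_native_vid: int, guest_tag=None) -> int:
    """VLAN a guest's frame reaches after eth0.<customer_vid> and the upstream
    trunk, for a trunk whose native VLAN is trunk_native_vid."""
    tags = () if guest_tag is None else (guest_tag,)
    frame = build_frame(GW_MAC, GUEST_MAC, b"\x45" + b"\x00" * 19, tags)
    wire = vlan_dev_xmit(frame, customer_vid)
    landed, _ = trunk_classify(wire, trunk_native_vid)
    return landed


if __name__ == "__main__":
    honest = vlan_dev_xmit(build_frame(GW_MAC, GUEST_MAC, b"x"), 100)
    rogue = vlan_dev_xmit(build_frame(GW_MAC, GUEST_MAC, b"x", (200,)), 100)
    print("honest guest on the wire:", parse_tags(honest))
    print("guest with its own tag on the wire:", parse_tags(rogue))
    print("trunk native VLAN 1, guest tags 200:", guest_lands_in(100, 1, 200))
    print("trunk native VLAN 100, guest tags 200:", guest_lands_in(100, 100, 200))
```

The run shows the two halves of the point made in the thread: the frame leaves the host double-tagged (outer 100, inner 200), and whether that matters depends entirely on the trunk. With the customer VLAN carried tagged and the native VLAN set to something no customer uses, the frame stays in VLAN 100; if the trunk's native VLAN were 100, the outer tag is stripped and the guest's inner tag 200 takes effect on the next hop, which is the hop the original question is worried about.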