Re: VLANs

[Jonathan Tripathy <jonnyt@abpni.co.uk>]

On 11/01/11 08:19, Thomas Berg wrote:
> mån 2011-01-10 klockan 22:15 +0000 skrev Jonathan Tripathy:
>> On 10/01/11 21:33, John Haxby wrote:
>>> On 10 Jan 2011, at 17:42, Jonathan Tripathy wrote:
>>>
>>>> I wish to use VLANs on my Linux Xen hosts to seperate managed customer networks.
>>>>
>>>> Can anybody please give me some pointers on how to make the network secure so no-one can VLAN hop?
>>>>
>>>> At the minute, I plan to set up one bridge per customer, and use linux vconfig to add an if to the bridge (which I believe strips all tags). Then, all the respective customer Xen DomU (VM) interfaces will connect to the bridge.
>>> If each bridge (for each customer) contains just one vlan-tagged physical interface then there is no way for the guests to vlan-hop.  A vlan tag added by a guest will either be replaced by the vlan tag of the external interface or the frame will be dropped.  If you have multiple vlans on a bridge (with multiple physical interfaces) then the vlan will be chosen by routing if the interfaces have their own addresses, I'm not sure what happens if the interfaces don't have addresses, but when a frame leaves on a vlan interface it acquires the corresponding vlan tag.  It doesn't matter what happens to the tag on the way back as it's only relevant to an interface that's on a vlan.
>>>
>>> Obviously you should test this, but it's all pretty straightforward and there's nothing special or complicated to set up.
>>>
>>> jch
>> Excellent! Thank you for your explanation.
>>
>> If a guest maliciously added a vlan tag, wouldn’t it still remain in the
>> frame, however be "double-tagged" by the outgoing physical port? Even
>> still though, this probably isn't an issue, provided that all upstream
>> switches are configured correctly.
>>
> There is an sencario where your customer can make a mess. If the outer
> vlan tag is the same as port vlan id aka native vlan on a dot1q enabled
> port it will remove the outer tag and forward the packet only with the
> inner tag wich was set by your customer.
>
> I should suggest that you only allow ipv4 and arp passing trough to/from
> your customer and drop any other frames including frames with vlan tag
> set and ethertype x8100.
Hi Thomas,

While I have made sure that my trunk ports do not have a native vlan 
associated with them, I still think it's a good idea to use ebtables to 
prevent tagging from the customers. What would the command be?

Thanks