Re: [Xen-users] XCP 1.1 Management VLAN
On Fri, Nov 18, 2011 at 11:04 AM, Brett Westover <bwestover@xxxxxxxxxxx> wrote:
>
> >The trick to have the management interface work on this setup is to have
> >your switch port configured with a native non-tagged vlan. A slight security
> >issue, just make sure you restrict your vm's to only the tagged interfaces.
> >There's even an example on the manual for this. Hope this helps.
>
> >-Javier
>
> Thanks I'll try this. I am curious about the security issue though. What is
> it?
>

IMHO, the security risks arise more from misconfiguration, since you want
to make sure none of the non-management VMs can access this higher
privilege VLAN.

> My management vlan is the highest security domain in the network. It can
> reach any lower level security domain, but next to nothing can get INTO the
> management vlan if it didn't start there.
>
> If I make that VLAN untagged on the switch port that XCP is plugged into, and
> set the PVID (default vlan) to the same, then XCP can 'natively' be on that
> vlan. Then I can also send tagged vlans to that same interface, so I can have
> VMs using other vlans over the same interface. Is that right?
>

Sounds right. In my case, I had a bond created, then VIFs that were tagged
which I used for the non-management VMs, and the management VMs went right
on the bond.

See here:
http://docs.vmd.citrix.com/XenServer/5.6.0fp1/1.0/en_gb/reference.html#networking-concepts-vlans

In particular, sections:
7.2.4. Creating VLANs
7.2.5. Creating NIC bonds on a standalone host

>
> Finally, if I want to make a "management" VM, couldn't I just tie it to the
> physical interface, instead of one of my VLANs, and then it would be on the
> management VLAN as well? Would this work? Is there a security risk involved?

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
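The misconfiguration risk discussed above (a VM attached to the untagged network behind the management PIF silently lands on the management VLAN) can be audited from dom0. The following is an added example, not code from the thread or from XCP itself; it assumes a standalone host (one management PIF), the `xe` CLI on PATH, and a constructed allowlist of VM name-labels.

```shell
#!/bin/sh
# Added example: list VMs whose VIFs sit on the network that carries the
# management PIF. On a trunk port whose native VLAN is the management VLAN,
# every VM on that network is on the management VLAN, so only explicitly
# allowed VMs (constructed names below) should appear there.
MGMT_ALLOWED="mgmt-jump-01 mgmt-monitor-01"

# Print the UUID of the network behind the management PIF. Refuse to go on if
# the management PIF is a tagged VLAN PIF, since then the native-VLAN caveat
# from the thread does not apply and the listing would mean something else.
mgmt_network_uuid() {
    pif=$(xe pif-list management=true --minimal)          # standalone host: one PIF
    vlan=$(xe pif-param-get uuid="$pif" param-name=VLAN)  # -1 means untagged
    [ "$vlan" = "-1" ] || { echo "management PIF is tagged (VLAN $vlan)" >&2; return 1; }
    xe pif-param-get uuid="$pif" param-name=network-uuid
}

# Live listing: one "vif-uuid vm-name-label" line per VIF on that network.
list_mgmt_vifs() {
    net=$(mgmt_network_uuid) || return 1
    for vif in $(xe vif-list network-uuid="$net" --minimal | tr ',' ' '); do
        echo "$vif $(xe vif-param-get uuid="$vif" param-name=vm-name-label)"
    done
}

# Read "vif-uuid vm-name-label" lines on stdin and report VMs that are on the
# management network without being in MGMT_ALLOWED. Returns 1 if any are found.
flag_unexpected_vms() {
    found=0
    while read -r vif vm; do
        [ -n "$vm" ] || continue
        case " $MGMT_ALLOWED " in
            *" $vm "*) ;;                                  # allowed management VM
            *) echo "UNEXPECTED: VM '$vm' (VIF $vif) is on the management network"
               found=1 ;;
        esac
    done
    return $found
}

# Constructed sample listing so the check can be exercised without a host.
SAMPLE_LISTING="aaaa-0001 mgmt-jump-01
aaaa-0002 web-frontend-03
aaaa-0003 mgmt-monitor-01"

# Real use in dom0:   list_mgmt_vifs | flag_unexpected_vms
# Offline dry run:    printf '%s\n' "$SAMPLE_LISTING" | flag_unexpected_vms
```

A non-zero exit from the pipeline is the signal to wire into a cron job or monitoring check; the same listing can be taken from the bond PIF instead of the management PIF if the management interface lives on a bond as in the reply above.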