How do you set up your vlan interfaces on a VM server?

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Currently my VM server is Linux and the way I have my vlans set up is simply multiple interfaces like eth0.2, eth0.3 etc... for vlan2, vlan3.

The issue with this is security. I don't want the server to be accessible in any way, shape or form from any of these vlans, except for the main one. I stopped it from getting an ipv4 IP but it still gets a link local ipv6 IP. I'm also not aware of any other protocols that may potentially be able to access the server through these.

How do I set these up in a way where they have zero protocol/communication capability except for vlan? Ex: only to bridge VMs to.
 
Which Linux?

IPV6_INIT="no" in the network-scripts/ifcfg-* for the vlan interfaces on a RH based distro will stop it getting the IPV6 address.
 
I read that but it does not work. I still get an ipv6 address.

Code:
[root@borg network-scripts]# cat ifcfg-eth0.3
VLAN=yes
DEVICE=eth0.3
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
#IPADDR=10.1.1.11
#NETMASK=255.255.0.0

IPV6INIT=no
IPV6_AUTOCONF=no

[root@borg network-scripts]# ifconfig eth0.3
eth0.3    Link encap:Ethernet  HWaddr 00:1C:C0:41:8F:97
          inet6 addr: fe80::21c:c0ff:fe41:8f97/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38445 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19936 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:47403100 (45.2 MiB)  TX bytes:1474326 (1.4 MiB)

[root@borg network-scripts]#

Though I see you have an underscore. What I read online had none. Either way it's not working though.

Using Fedora Core 9. Yeah I know it's old but I can't afford this box to be down (hard drives usually fail if it goes down) so I'm waiting till I can afford to build a new one.
 
You do realize that IPv6 fe80 address is a link-local address? If you know that and just want to stop the IPv6 then just change from /64 to /128.
 
I know nothing about ipv6, is it safe to have the link local? Ex: if a machine on one of those vlans has a link local too can it communicate with the server? I want the vlans to have absolutely no way to talk with the server.
 
The fe80 address is the same thing as 169.254.x.x. This means that when the computer booted up there was no DHCP server so it assigned itself the fe80 address.

By default, computers in different VLANs cannot communicate unless you open the ports or add in a route in the route table. If you give the computer an IPv6 /128 address then that computer will be the only computer in that subnet.
 
Oh ok so no need to worry then? What if another computer or VM on the same vlan assigns itself an IP though?
 
If you are that concerned then don't put any computers on that VLAN. The only thing that will contact that computer will be anything outside its gateway.

The only 100% sure way is to add an Access Control List that says no inside traffic IP address will contact that server IP.
 
Well the whole point is so I can put vms on different vlans. For example I have a "risky" network that has a honeypot VM (experiment, unrelated to anything) I want completely secluded from my network, it is bridged to that interface. But since the host server advertises that interface the VM could possibly talk directly to the VM server. That's what I'm trying to prevent. I want the interface to be there so I can bridge VMs to it, but I don't want it to actually communicate directly. I hope I'm being clear.

I just want these interfaces to be "dummy" and not handle any protocols other than just plain ethernet so I can bridge VMs to them.
 
That's why it's always recommended to have a separate NIC only for management and use a different NIC for the VMs to communicate out on.
 
Not sure how that would change anything though, the virtual interfaces of that nic are still going to get a link local ipv6 IP, so if any VM on that same vlan also gets a link local it can then talk to the server, which is what I'm trying to prevent. The server needs to be invisible to everything but 1 vlan. Ideally I did want to have a separate nic for management but there's no more room in that server.

How does vmware and other higher end hypervisors manage vlans?

I suppose another option is to install the ipv6 version of iptables and just block everything? That also gives me the possibility of unblocking anything I do want to allow. Can iptables block by interface? Ideally I want to do the same for TCP/UDP and ICMP to play it safe and block everything for all vlans but the main one.
 
I was experimenting, so on one of the vlans I enabled ipv6 in windows and tried to ping the link local address of the host server (for the same vlan interface) and I just get an error: no route to host. So are these not routable anyway? Maybe I AM worrying for nothing after all. Or is that just because the default gateway is the firewall, though I guess the default gateway does not matter when it's on the same broadcast domain.
 
Your VMs should NEVER be on the same VLAN as your management interfaces/devices.
 
Your VMs should NEVER be on the same VLAN as your management interfaces/devices.

Ok, maybe you need a diagram....

[diagram image not preserved]

Vlan 2 is the management vlan, the server has an IP on that interface, that is fine. The other vlan interfaces I do not want them to have an IP, but they HAVE to be there, the whole point is so I can bridge VMs to them and put those VMs on the various vlans. But the issue is the interfaces are getting an IPv6 IP on the host, I don't want them to be accessible at all. I only want them to work at layer 2, they are only so I can bridge VMs to them.

Guess I'll just put ipv6tables on the server and block everything. I just figured there would be a simple flag or something I can put on the vlan interfaces to force them to only operate at layer 2 or something.
 
If you are not using IPv6 on your host machine (the one that is the vm server) then just uncheck it and it will turn off IPv6 from vm machines.
 
If you are not using IPv6 on your host machine (the one that is the vm server) then just uncheck it and it will turn off IPv6 from vm machines.

That's what I'm trying to do, just not sure how.

I figured

Code:
IPV6INIT=no
IPV6_AUTOCONF=no

for each interface would do it, but it's still not disabling it.

How are vlan interfaces on VM hosts normally managed? I have a feeling I'm missing a simple step here.
 
That's what I'm trying to do, just not sure how.

1. Click the arrow next to the Inventory button in the navigation bar and select Hosts and Clusters.
2. Select the host and click the Configuration tab.
3. Click the Networking link under Hardware.
4. In the Virtual Switch view, click the Properties link. (Hint: It's the far right hyperlink on that page.)
5. Select Disable IPv6 support on this host and click OK.
6. Reboot the host.
 
1. Click the arrow next to the Inventory button in the navigation bar and select Hosts and Clusters.
2. Select the host and click the Configuration tab.
3. Click the Networking link under Hardware.
4. In the Virtual Switch view, click the Properties link.
5. Select Disable IPv6 support on this host and click OK.
6. Reboot the host.

No GUI on this server. Just console. This is Linux.
 
Where do I put that? That link seems to offer "per app" solutions while some of the paths don't exist on my system (usually my luck when it comes to Linux tutorials). So is there not a way to do it at the interface level? I just want the interface to be "dummy" and not pass any traffic to the host, but still pass the bridged traffic when I bridge a VM to it. I would have figured this would be much simpler to do.

I guess if it's really not possible I'll just block ipv6 through iptables. This gives me the option to selectively use it if I do decide I want to use it.
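The interface-level approach the thread ends up at (turn IPv6 off per interface, then drop anything addressed to the host on the VM-facing VLANs with iptables/ip6tables) as an added example script; it is not from the thread or any poster. The interface names and the choice of VLAN 2 as management are assumed, and it requires a kernel that exposes `/proc/sys/net/ipv6/conf/<iface>/disable_ipv6`; if a sub-interface is enslaved to a Linux bridge (say br3), pass the bridge name instead, since that is the device the host's IP stack lives on.

```shell
#!/bin/sh
# Added example (not from the thread): make the VLAN sub-interfaces of a
# Linux VM host layer-2 only, so VMs bridged to them cannot reach the host.
# Assumes a kernel with /proc/sys/net/ipv6/conf/<iface>/disable_ipv6 and
# installed iptables + ip6tables. DRY_RUN=1 (the default) prints the commands
# for review; DRY_RUN=0 executes them (needs root).

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Stop the kernel putting any IPv6 address, including the fe80:: link-local
# one, on the interface. The name contains a dot (eth0.3) that sysctl would
# read as a path separator, so the /proc files are written directly.
disable_ipv6() {
    run "echo 0 > /proc/sys/net/ipv6/conf/$1/accept_ra"
    run "echo 0 > /proc/sys/net/ipv6/conf/$1/autoconf"
    run "echo 1 > /proc/sys/net/ipv6/conf/$1/disable_ipv6"
}

# Belt and braces: drop anything addressed to the host itself that arrives
# on the interface, for both IP versions. Only INPUT is touched; frames
# bridged through to VMs go via FORWARD (or bypass netfilter) and are not
# affected, so the VMs keep their connectivity.
block_host_input() {
    run "iptables -A INPUT -i $1 -j DROP"
    run "ip6tables -A INPUT -i $1 -j DROP"
}

# harden_vlan_ifaces MGMT IFACE... : harden every listed interface except
# the management one, which keeps its address and stays reachable.
harden_vlan_ifaces() {
    mgmt=$1; shift
    for iface in "$@"; do
        [ "$iface" = "$mgmt" ] && continue
        disable_ipv6 "$iface"
        block_host_input "$iface"
    done
}

# Post-check to run on the host: succeeds only if no inet/inet6 address is
# left on the interface (the state the thread is asking for).
check_no_addresses() {
    ! ip -o addr show dev "$1" 2>/dev/null | grep -q 'inet'
}

# Constructed layout: VLAN 2 is management, VLANs 3 and 4 carry bridged VMs.
harden_vlan_ifaces eth0.2 eth0.2 eth0.3 eth0.4
```

A link-local fe80:: address is reachable by any neighbour on the same VLAN, so one failed ping from a client does not prove the host is unreachable there; run `check_no_addresses eth0.3` on the host after applying to confirm the address is actually gone. The rules are not persistent across reboots as written, so add them to whatever the distribution uses to restore firewall and sysctl state at boot.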
 