Using vlans on a server, security issue?

Red Squirrel ([H]F Junkie, joined Nov 29, 2009, 9,211 messages)
Now that I have a managed switch, one of the nice things is the ability to have VLANs. One thing I'd like to do is be able to have VMs on my server that are part of different VLANs. The issue is I only have one network jack on the server and all the slots are used up by the SATA controllers. So what if I were to set the server's port as a trunk and configure the VLAN interfaces on the server?

Are there security issues with doing this? I would only configure an IP address on the virtual interface that I actually want to be able to access/be accessed; the other virtual network cards would simply act as an interface I can bind to with a VM.

Is it still a risk even if these interfaces are not configured with an IP?

I'm not worried about a potential hacker on that server accessing other VLANs but rather the opposite: a potential hacker on one of the less secure VLANs accessing the server. Is this something to worry about? I doubt I would even get any hackers or malware on the other VLANs, but I like to treat them in a way where if it did happen they would not be able to do much damage. Currently I only have one extra VLAN and it's the wifi network, but I may put a public access one in too; the firewall would only allow it to access the internet and that's it. Just want to be sure that traffic could not somehow access the other VLANs through that server.
 
This is exactly how it is done. Not sure what type of VM software you are using, but in ESXi the vSwitch can receive tagged packets for any VLANs. Just don't configure any VLANs you do not want to use. By design, all tagged packets that have no destination ports are dropped.
 
I'm using VirtualBox now but I'm looking at KVM. I'm not sure if it can do VLANs directly though, but I'll look into it. From what I'm reading I have to create virtual interfaces within Linux so it will look like there are multiple NICs, so I can just bind to them specifically if the VM software I use does not do VLANing.

With this setup, it will also allow me to set up a VM so I can keep a UniFi controller up.
 
VirtualBox doesn't do VLANs because it doesn't have direct hardware access to the NIC. Everything is pre-parsed by the OS and then forwarded to VirtualBox.

Your best option if you are using VirtualBox is, like you mentioned, creating 802.1Q NIC sub-interfaces in Linux and then adding those interfaces to VirtualBox. Seems like I remember there being a NIC quantity limitation in VirtualBox, but I may be mistaken.

VLANs work GREAT with ESXi. If you've got the hardware to dedicate to a hypervisor I'd HIGHLY recommend it over VirtualBox.

I can't comment on KVM because I haven't used it.
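The Linux sub-interface approach from the posts above, as an added example that is not from any poster in this thread: each guest VLAN gets an addressless 802.1Q sub-interface and its own bridge for the VM to bind to, and the host is stopped from forwarding between the VLANs it can now see. The parent NIC name eth0 and the VLAN ids are assumptions.

```shell
#!/bin/sh
# Constructed example: host-side VLAN plumbing for VMs behind one trunk port.
# PARENT is the NIC on the trunk port. Guest-only VLANs get an addressless
# 802.1Q sub-interface and a bridge; the host itself never gets an IP there.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1 so the plan can be reviewed
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_vid: 802.1Q VLAN ids are 1..4094 (0 and 4095 are reserved)
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# add_vlan_bridge PARENT VID: PARENT.VID enslaved to bridge brVID, no IP on either.
# The VM binds to brVID; frames tagged VID are the only thing it ever sees.
add_vlan_bridge() {
    parent="$1"; vid="$2"
    valid_vid "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    run ip link add link "$parent" name "$parent.$vid" type vlan id "$vid"
    run ip link add name "br$vid" type bridge
    run ip link set "$parent.$vid" master "br$vid"
    run ip link set "$parent.$vid" up
    run ip link set "br$vid" up
}

# harden_host: the host can now see several VLANs; make sure it does not route
# between them (that, not the bare sub-interface, is the cross-VLAN risk)
harden_host() {
    run sysctl -w net.ipv4.ip_forward=0
    run sysctl -w net.ipv6.conf.all.forwarding=0
}

# host_has_addr IFACE: succeeds if the host owns an address on IFACE; expected
# to fail for guest-only VLAN interfaces. Run on the real host, not in dry-run.
host_has_addr() {
    ip -o addr show dev "$1" 2>/dev/null | grep -q 'inet'
}
```

Review the plan first with `DRY_RUN=1 . ./vlan_host.sh; add_vlan_bridge eth0 20; harden_host`, then run it as root without DRY_RUN; afterwards `host_has_addr eth0.20` should fail, confirming the host holds no address on the guest VLAN.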
 
Cool, seems like I'm on the right track. I'll read up on specifics and configure it. I will most likely be looking into KVM as well. Eventually I do want to set up ESXi or Xen on dedicated hardware, but for now I'll stick with this hybrid setup (a lot of stuff runs straight off the host). I only have 1 VM and it's non-critical, so it's a good time to mess with this stuff. I retired 3 critical VMs a while back since I closed down that project (game server).
 