One Response

  1. Justin Vocke

    So it looks like there are 3 modes or ways in which you can tag packets in order for the VMs to pass 802.1q packets. I stumbled upon http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf which lists the 3 different ways in which it can be done.

    One of the biggest fears I have with servers being able to sit on the other end of trunk ports is VMs being able to spoof 802.1q tags, and hop VLANs that they shouldn’t be on.

    Here is an excerpt from that whitepaper:

    Virtual switch tagging (VST mode) — In this mode, you provision one port group on a virtual switch for each VLAN, then attach the virtual machine’s virtual adapter to the port group instead of the virtual switch directly. The virtual switch port group tags all outbound frames and removes tags for all inbound frames. It also ensures that frames on one VLAN do not leak into a different VLAN.

    I wonder if this means that the other two modes, EST and VGT, shouldn’t be used.

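The VST behaviour quoted above (tag on egress, strip and filter on ingress, no leakage between VLANs) can be made concrete with a small model. The Python below is an added example; it is not code from the comment, the blog, or VMware, and every name in it (`VSTPortGroup`, `build_frame`, `tag_of`, `deliver_from_uplink`) is invented for illustration. The frames are constructed sample data, and the rule that a port group in VST mode discards frames that a VM has already tagged is a policy choice of this model, not a statement about what ESX actually does with such frames.

```python
"""Model of VST-mode port groups on a virtual switch.

Each port group owns one VLAN ID.  Frames leaving a VM are tagged with that
VLAN on the way to the physical trunk; frames arriving from the trunk are
delivered only to the port group whose VLAN matches, and the tag is removed.
"""
import struct
from typing import Dict, List, Optional

ETHERTYPE_8021Q = 0x8100   # TPID of an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
MAC_HEADER_LEN = 12        # destination MAC (6) + source MAC (6)
TAG_LEN = 4                # TPID (2) + TCI (2)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Construct an untagged Ethernet II frame (constructed sample data)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_of(frame: bytes) -> Optional[int]:
    """Return the VLAN ID carried in the outermost 802.1Q tag, or None if untagged."""
    if len(frame) < MAC_HEADER_LEN + TAG_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF       # low 12 bits of the TCI are the VLAN ID


class VSTPortGroup:
    """One port group, bound to exactly one VLAN (VST mode)."""

    def __init__(self, name: str, vlan_id: int) -> None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VST port groups take a single VLAN ID in 1..4094")
        self.name = name
        self.vlan_id = vlan_id

    def to_uplink(self, frame: bytes) -> Optional[bytes]:
        """Frame sent by a VM on this port group: insert the port group's tag.

        Model policy: a frame the VM has already tagged is dropped, so the VM
        cannot choose its own VLAN by supplying an 802.1Q header.
        """
        if tag_of(frame) is not None:
            return None
        tci = struct.pack("!H", self.vlan_id)          # PCP=0, DEI=0, VID=vlan_id
        tag = struct.pack("!H", ETHERTYPE_8021Q) + tci
        return frame[:MAC_HEADER_LEN] + tag + frame[MAC_HEADER_LEN:]

    def from_uplink(self, frame: bytes) -> Optional[bytes]:
        """Frame arriving from the physical trunk: accept only our VLAN, strip the tag."""
        if tag_of(frame) != self.vlan_id:
            return None
        return frame[:MAC_HEADER_LEN] + frame[MAC_HEADER_LEN + TAG_LEN:]


def deliver_from_uplink(port_groups: List[VSTPortGroup], frame: bytes) -> Dict[str, bytes]:
    """Return {port group name: untagged frame} for every port group that accepts it."""
    delivered = {}
    for pg in port_groups:
        untagged = pg.from_uplink(frame)
        if untagged is not None:
            delivered[pg.name] = untagged
    return delivered


if __name__ == "__main__":
    pg10 = VSTPortGroup("web-vlan10", 10)
    pg20 = VSTPortGroup("db-vlan20", 20)
    vm_mac = b"\x00\x0c\x29\x00\x00\x01"           # constructed sample address
    plain = build_frame(b"\xff" * 6, vm_mac, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)

    on_trunk = pg10.to_uplink(plain)
    print("egress tag:", tag_of(on_trunk))                          # 10
    print("delivered to:", list(deliver_from_uplink([pg10, pg20], on_trunk)))  # ['web-vlan10']

    # A VM on VLAN 10 that pre-tags its frame for VLAN 20 gets nothing through.
    spoofed = plain[:12] + b"\x81\x00\x00\x14" + plain[12:]
    print("pre-tagged frame forwarded:", pg10.to_uplink(spoofed) is not None)  # False
```

`deliver_from_uplink` is the check worth keeping in mind when reviewing a design: a frame tagged for VLAN 10 should reach exactly one port group, and a guest that supplies its own tag should not be able to change that outcome.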