Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

A: In short, this is prohibited by the Xen hypervisor on the base OS (Dom0).

The more detailed answer is that Dom0 creates a bridge from a physical interface on the base box to the instance and controls where traffic coming from that virtual NIC goes.  Security is achieved because the bridge works like this: Base Box VLAN sub interface <--> instance eth0.

Example:

1) The interface peth0.2999 is the physical eth0 using VLAN2999 tagging.
2) The bridge xenbrVLAN2999 is attaching vif4.0 with peth0.2999 which means that any traffic coming into interface vif4.0 is leaving out the physical interface tagged on VL2999, and conversely any traffic coming into the physical interface with VLAN2999 tagging will be sent to vif4.0.
3) Xen then presents vif4.0 to the instance as eth0.
4) The result is that the instance ethernet interface is successfully confined to VLAN2999.

...