1) The interface
peth0.2999 is the physical eth0 using VLAN2999 vl2999 tagging.
2) The bridge
xenbrVLAN2999 is attaching
peth0.2999 which means that any traffic coming into interface
vif4.0 is leaving out the physical interface tagged on VL2999vl2999, and conversely any traffic coming into the physical interface with VLAN2999 vl2999 tagging will be sent to
3) Xen then presents
vif4.0 to the instance as
4) The result is that the instance ethernet interface is successfully confined to VLAN2999.
If the customer created an interface
eth0.2000 in attempt to sneak into our management VLAN, they would be sending tagged frames to
vif4.0, which would then be sent to the switch with VLAN2999 vl2999 tagging. The Ethernet switch would only see the VLAN2999 vl2999 tag and place that traffic into VL2999VLAN2999, and the vl2000 tag would have no impact.