All,
Apologies for the rookie questions, but this is my first dive into Linux and systemd, so I'm hoping someone with better knowledge than myself can help here.
I have a physical server running Clear Linux as the host OS. It has two physical 1 Gbps ethernet ports. I'm building a configuration that will host a virtual firewall (amongst other VMs, which the virtual firewall needs to protect).
I've managed to get my knickers in a knot about what a 'bridge' (br0) actually is/does in Linux. I'm not a hell of a lot clearer after reading the link below, other than to say that I think a virtual bridge and a virtual switch amount to the same thing: What's the difference between a bridge and a switch?
I have multiple untrusted and multiple trusted VLANs that are being trunked on separate physical interfaces from a hardware switch using 802.1q. I want to ensure that the traffic on these VLANs remains completely separate, including their broadcast traffic, once they hit the KVM host and its virtual network config.
My plan was to create a br0 and a br1 on the KVM host and then attach those virtual bridges to their respective physical interfaces on the host server. Those physical NICs are cabled to separate interfaces on the hardware switch, with the interfaces trunking only trusted VLANs on one port, and filthy, smelly untrusted internet-like VLANs on the other.
It seems you can indeed do VLANs via bridges that are configured on a KVM host, in order to get tagged VLANs exposed to KVM guest domains, when using an OS employing systemd (such as Clear Linux), as per this smart cookie who did much the same with Debian: http://wiki.hoeft-online.de/VLAN_for_virtual_machines#linux_bridge_with_libvirt_hook_scripts
My actual questions:
- Are Linux bridges VLAN transparent? (the above implies not, but other articles say they are...)
- Does a Linux 'bridge' keep broadcast traffic separate amongst tagged VLANs?
- Does it keep broadcasts separate between the untagged (native) VLAN and tagged VLANs?
- Could you put the logical br0 and br1 on the same physical interface on the host, and still keep your traffic completely separate?
- If the VLANs are tagged, do I even need two logically separate bridges?
At the moment I'm imagining br0 and br1 as separate physical switches plugged into two different ports of a physical firewall (which would actually be a VM running on the KVM host)... but I'm not sure if I have that correct?
I'm just not clear if I'm creating a security hazard in this process or not. Any clarity would be greatly appreciated.
Cheers
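The questions above hinge on one kernel setting. A Linux bridge with vlan_filtering=0 (the default) is VLAN-transparent: it passes 802.1Q tags through untouched, but its forwarding database and its flooding of broadcast and unknown-unicast frames ignore the tag, so every port receives every flooded frame and separation depends on each guest discarding tags it is not interested in. With vlan_filtering=1 the bridge becomes VLAN-aware: each port has an explicit list of VLAN IDs it may carry, a PVID for untagged ingress, and flooding happens per VLAN. The script below is an added example, not code from the post or from the linked Debian wiki page; it builds one VLAN-filtering bridge with per-port membership set explicitly. The interface names (eth0, br0, vnet0, vnet1) and VLAN IDs (10 and 20) are assumptions chosen for illustration. The `run` wrapper lets the same functions print the `ip`/`bridge` commands with DRY_RUN=1 instead of executing them, which needs root.

```shell
#!/bin/sh
# Added example (not from the original post): a VLAN-filtering Linux bridge
# with explicit per-port VLAN membership. Assumed names: trunk NIC eth0,
# bridge br0, firewall guest tap vnet0 (receives VLANs tagged), workstation
# guest tap vnet1 (untagged access port in VLAN 10). VLAN IDs 10/20 are
# placeholders. Set DRY_RUN=1 to print the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the bridge with VLAN filtering ON and no default PVID. A port that
# is not given explicit membership forwards nothing, so nothing leaks by
# default, and untagged frames arriving on a trunk are dropped at ingress.
make_bridge() {
    br=$1
    run ip link add name "$br" type bridge vlan_filtering 1 vlan_default_pvid 0
    run ip link set dev "$br" up
}

# Attach a trunk port: only the listed VLAN IDs are accepted, all tagged.
# Used both for the physical NIC and for a guest that does 802.1Q itself.
add_trunk_port() {
    br=$1; dev=$2; shift 2
    run ip link set dev "$dev" master "$br"
    for vid in "$@"; do
        run bridge vlan add dev "$dev" vid "$vid"
    done
    run ip link set dev "$dev" up
}

# Access port for an ordinary guest: its untagged frames are mapped into
# $vid on ingress (pvid) and delivered untagged on egress. Frames the guest
# tags for any other VLAN are dropped, because the port is not a member.
add_access_port() {
    br=$1; dev=$2; vid=$3
    run ip link set dev "$dev" master "$br"
    run bridge vlan add dev "$dev" vid "$vid" pvid untagged
    run ip link set dev "$dev" up
}

# Check: every port lists exactly its intended VLANs, and the bridge device
# itself (br0) has none, so the host has no L3 foothold in any guest VLAN.
show_vlans() {
    run bridge vlan show
}

# Constructed example topology: one trunk NIC, one tagged firewall guest
# port carrying both VLANs, one untagged workstation guest port in VLAN 10.
build_example() {
    make_bridge br0
    add_trunk_port br0 eth0 10 20
    add_trunk_port br0 vnet0 10 20
    add_access_port br0 vnet1 10
    show_vlans
}

case "${1:-}" in
    --apply)   build_example ;;               # as root, on the real host
    --preview) DRY_RUN=1 build_example ;;     # just print the commands
esac
```

Run it with `--preview` first and compare the output with `bridge vlan show` after `--apply`. Whether one bridge or two is a policy choice rather than a requirement once VLAN filtering is on: the untrusted VLAN IDs simply never appear on the trusted NIC's or trusted guests' membership lists. Keeping the untrusted trunk on its own bridge and NIC, as the post plans, additionally removes any dependence on getting those lists right.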