Tim Bazzie
Hello Xen World,

I have the need to prevent all communication between guest VMs across the hypervisor and to force all such requests to exit the hypervisor and be handled by the switching/routing infrastructure. In some cases, this has been achieved by isolating VMs using VLAN tagging. Unfortunately, the management and backup networks have been constructed as flat layer-2 networks that enforce separation using Cisco's private VLAN security model. Since private VLAN does not appear to be honored within the hypervisor itself, the VMs connected to these networks are free to interact using the local bridge(s).

I suspect that using ebtables to filter traffic across the bridges such that any traffic both sourced from AND destined to the set of MAC addresses allocated to the VMs be dropped would do the trick. Unfortunately, the ebtables documentation I have been able to find has been quite unhelpful to me.

Can anyone suggest a better alternative, or perhaps guidance on how to properly construct the chain(s) required to implement this?
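One way to build the chain described above, as an added example that is not from the original post or thread: a POSIX shell script that turns a list of guest MAC addresses into an ebtables chain dropping any bridged frame whose source and destination are both guest MACs, so such traffic must leave the host and be handled by the upstream switching gear. The chain name VM_ISOLATE and the 00:16:3e sample MACs are assumptions made for the example; by default the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original post: build an ebtables chain that drops
# bridged frames whose source MAC AND destination MAC are both guest VM MACs.
# Frames to anything else (broadcast, the gateway MAC, dom0) still pass, which
# mirrors what an isolated port in a Cisco private VLAN allows.
#
# EBTABLES defaults to "echo ebtables" so the rules are only printed; run with
# EBTABLES=ebtables as root on dom0 to apply them. CHAIN is a made-up name.
EBTABLES=${EBTABLES:-"echo ebtables"}
CHAIN=${CHAIN:-VM_ISOLATE}

H='[0-9a-fA-F]'
MAC_PATTERN="$H$H:$H$H:$H$H:$H$H:$H$H:$H$H"

# is_mac STRING -> 0 if STRING looks like aa:bb:cc:dd:ee:ff, else 1
is_mac() {
    case "$1" in
        $MAC_PATTERN) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_isolation_rules MAC [MAC...]
# Emits 2n+2 rules for n MACs instead of n*n pairwise rules:
#   FORWARD: frames *from* a VM MAC jump into CHAIN
#   CHAIN:   frames *to* a VM MAC are dropped; everything else RETURNs
gen_isolation_rules() {
    [ "$#" -gt 0 ] || { echo "usage: gen_isolation_rules MAC..." >&2; return 1; }
    for mac in "$@"; do
        is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    $EBTABLES -N "$CHAIN"            # fails if the chain already exists
    $EBTABLES -P "$CHAIN" RETURN     # user chains default to ACCEPT, so be explicit
    for mac in "$@"; do
        $EBTABLES -A "$CHAIN" -d "$mac" -j DROP
    done
    for mac in "$@"; do
        $EBTABLES -A FORWARD -s "$mac" -j "$CHAIN"
    done
}

# Constructed sample MACs in the Xen OUI range (00:16:3e) for a dry run.
gen_isolation_rules 00:16:3e:00:00:01 00:16:3e:00:00:02
```

Because ARP replies are unicast to the requesting guest's MAC, guests on the same bridge also lose the ability to resolve each other, so check that dom0 and the gateway MACs are not in the list you pass in.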
