On Wed, Aug 22, 2018 at 08:16:30AM +0100, Tom Smyth wrote:
> Hi Jiri
>
> Protected domains are like protected ports on a switch
> two ports that are in the bridge with the same protected domain
> will not be able to communicate with each other,
>
> Protected domains are implemented on the Bridge but not on
> Switch in OpenBSD
>
> Bridge Protected domain does work from 6.3 and up
> here is the output of my bridge config
> cat /etc/hostname.bridge101
> up
> maxaddr 16384 timeout 300
> add vio0 -stp vio0
> add vlan3993 protected vlan3993 1 -stp vlan3993
> add vlan3994 protected vlan3994 1 -stp vlan3994
> add vlan3995 protected vlan3995 1 -stp vlan3995
> add vlan3996 protected vlan3996 1 -stp vlan3996
> add vlan3997 protected vlan3997 1 -stp vlan3997
> add vlan3998 protected vlan3998 1 -stp vlan3998
> add vlan3999 protected vlan3999 1 -stp vlan3999
> add vlan4000 protected vlan4000 1 -stp vlan4000
>
> protected interfacename pddomainnumber
>
> the vio0 address is the uplink and is not a member of the
> protected domain
> all the other ports that you want to isolate from each other
> should be members of the same protected domain *1* in this
> example
> Hope this helps
>
> @Mike Larkin
>
> yes this could be implemented with Vlans and many people
> do when they don't have the port isolation functionality
> (necessity being the mother of invention ) ... but protected
> domains allow one to use the same vlan and minimise
> the amount of vlans / simplify configuration of the (network /hardware
> switches)

Howdy Tom and Jiri. As Tom highlighted up above, the main reason I
haven't added protected domains to vmd is because it's only available
on bridge and not switch. At the moment, the network plumbing is
agnostic to bridge/switch and uses ioctls that both have
(adding/removing members and placement into rdomains). I'm not saying
it isn't possible adding protected domains to vmd, it'll just be more
work.

+--+
Carlos

>
> Hope this Helps
> Tom Smyth
>
> On 22 August 2018 at 07:08, Mike Larkin <mlar...@azathoth.net> wrote:
>
> > On Fri, Aug 17, 2018 at 06:39:22PM +0200, jirib wrote:
> > > Hello,
> > >
> > > I was checking bridge's protected domains and I'm curious
> > > how to add VMM VM's tap into a VMM switch/bridge protected domain.
> > >
> > > It seems it's not implemented yet.
> > >
> > > I wanted to achieve this:
> > >
> > > - multiple VMM VMs in same switch/bridge
> > > - VMs cannot talk to each other inside the bridge
> > >   hence protected domain
> > > - VMs can access uplink via bridge's vether
> > >
> > > Jiri
> > >
> >
> > I am not a networking person but is this something VLANs can solve?
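
The check below is an added example, not part of the original messages or of OpenBSD: it audits a hostname.bridge file in the style Tom posted and flags any member other than the uplink that is not in the expected protected domain, since such a port can still talk to every other port on the bridge. The sample config, the function names audit_bridge and sample_config, and the one-domain-ID-per-port simplification are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample: same layout as the config quoted above, but vlan3995
# has no "protected" keyword and vlan3996 sits in a different domain.
sample_config() {
    cat <<'EOF'
up
maxaddr 16384 timeout 300
add vio0 -stp vio0
add vlan3993 protected vlan3993 1 -stp vlan3993
add vlan3994 protected vlan3994 1 -stp vlan3994
add vlan3995 -stp vlan3995
add vlan3996 protected vlan3996 2 -stp vlan3996
EOF
}

# audit_bridge UPLINK DOMAIN   (hostname.bridge contents on stdin)
# Prints "<member> <domain|none> <ok|FAIL>" per bridge member; returns 1
# if a non-uplink member is outside DOMAIN or the uplink is in a domain.
# Assumes a single domain ID per port, as in the quoted config.
audit_bridge() {
    awk -v uplink="$1" -v want="$2" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "add" && i < NF) {
                ifn = $(++i)
                if (!(ifn in seen)) { seen[ifn] = 1; order[++n] = ifn }
            } else if ($i == "protected" && i + 1 < NF) {
                dom[$(i + 1)] = $(i + 2); i += 2
            } else if ($i == "-protected" && i < NF) {
                delete dom[$(++i)]
            }
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            ifn = order[k]
            d = (ifn in dom) ? dom[ifn] : "none"
            # Uplink must stay outside every domain; all others must match.
            ok = (ifn == uplink) ? (d == "none") : (d == want)
            if (!ok) bad = 1
            print ifn, d, (ok ? "ok" : "FAIL")
        }
        exit bad + 0
    }'
}

sample_config | audit_bridge vio0 1 || echo "isolation gaps found"
```

Against a live file the call is: audit_bridge vio0 1 < /etc/hostname.bridge101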