VLAN tagging separates network traffic between virtual desktops running on a single XenClient-powered end-point device, enabling organizations to meet strict security and compliance requirements. Why would organizations care about this? It’s valuable in any use case where a different level of security or isolation is required in one virtual desktop vs. another – for example a corporate vs. a personal desktop, or a desktop that’s used for general use vs. one that’s used for credit card transactions in a retail environment (to meet PCI compliance requirements).
This powerful network security capability was added in XenClient Enterprise 4.5, which is included as a part of XenDesktop Enterprise. XenClient Enterprise 4.5 was announced last fall at Synergy Barcelona 2012 (see XenClient 4.5 product launch blog for a complete list of the new features in this release). As part of an ongoing series of technical blogs regarding XenClient 4.5 features – this blog takes a deep dive into the VLAN tagging functionality in XenClient.
To understand what VLAN tagging is, first consider the characteristics of a LAN (local area network). A LAN is defined as all devices in the same broadcast domain: switches forward broadcasts within it, and routers stop broadcasts at its edge.
A VLAN (virtual LAN) is a broadcast domain created by switches, and it is a method of creating independent logical networks within one physical network. Normally a router creates broadcast domains; with VLANs, a switch creates them by placing some of its ports in a VLAN other than the default VLAN 1. All ports in a single VLAN are then in a single broadcast domain. As an example, some ports on switch A and some ports on switch B can both be in VLAN 10. Broadcasts between these devices will not be seen on any port in any VLAN other than 10, yet the devices can all communicate with each other because they are on the same VLAN. Without additional configuration, they would not be able to communicate with any device outside their VLAN.
When VLANs span multiple switches, VLAN tagging is required. VLAN tagging is the process of inserting a VLAN ID into a packet header in order to identify which VLAN the packet belongs to. More specifically, switches use the VLAN ID to determine to which port(s) or interface(s) to send a broadcast packet.
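To make the tag format and the broadcast-domain behaviour described above concrete, here is an added example in Python (not XenClient or Citrix code). It inserts and parses an IEEE 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI carrying the 12-bit VLAN ID) and models a small VLAN-aware switch that floods a frame only to ports in the frame's VLAN. The MAC addresses, the port layout, the trunk native VLAN of 1 and the rule that an access port drops a frame tagged for a different VLAN are assumptions of this model, not documented XenClient behaviour.

```python
"""Added example, not XenClient or Citrix code: building and reading 802.1Q
VLAN tags, and a toy switch that confines flooded traffic to one VLAN.
All frames and port layouts here are constructed for the demonstration."""
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6
TRUNK = "trunk"              # port mode that carries tagged frames for any VLAN


def insert_vlan_tag(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag right after the 12-byte destination/source MAC pair.

    Tag = TPID (0x8100, 2 bytes) + TCI (2 bytes: PCP 3 bits | DEI 1 bit | VID 12 bits).
    """
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be in 1..4094")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove an 802.1Q tag if present (what an access port does on egress)."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header; vlan_id/pcp/dei are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = pcp = dei = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vlan_id = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp, "dei": dei,
            "ethertype": ethertype, "payload": frame[offset:]}


class VlanSwitch:
    """Toy VLAN-aware switch. `ports` maps a port name to an access VLAN ID (int)
    or to TRUNK. A frame is flooded to every other port in its VLAN, which is
    what happens to broadcasts and unknown-unicast frames on a real switch."""

    def __init__(self, ports: dict):
        self.ports = ports

    def _ingress_vlan(self, port: str, hdr: dict):
        mode = self.ports[port]
        if hdr["vlan_id"] is None:               # untagged: use the port's VLAN
            return 1 if mode == TRUNK else mode  # assumption: trunk native VLAN is 1
        if mode == TRUNK or mode == hdr["vlan_id"]:
            return hdr["vlan_id"]
        return None   # tagged for a VLAN this access port is not in: dropped

    def forward(self, ingress: str, frame: bytes) -> dict:
        """Return {egress_port: frame_as_sent}; empty when the frame is dropped."""
        hdr = parse_frame(frame)
        vid = self._ingress_vlan(ingress, hdr)
        if vid is None:
            return {}
        untagged = strip_vlan_tag(frame)
        out = {}
        for port, mode in self.ports.items():
            if port == ingress:
                continue
            if mode == TRUNK:   # the tag carries the VLAN identity across the uplink
                out[port] = insert_vlan_tag(untagged, vid, pcp=hdr["pcp"] or 0, dei=hdr["dei"] or 0)
            elif mode == vid:   # access ports deliver the frame untagged
                out[port] = untagged
        return out


def demo() -> dict:
    # Constructed broadcast frame from a guest (made-up locally administered MAC).
    src = bytes.fromhex("02005e000001")
    untagged = BROADCAST_MAC + src + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19
    tagged10 = insert_vlan_tag(untagged, vlan_id=10, pcp=3)
    # Switch A: p1/p2 in VLAN 10, p3 in VLAN 20, one trunk uplink towards switch B.
    sw = VlanSwitch({"p1": 10, "p2": 10, "p3": 20, "uplink": TRUNK})
    return {
        "untagged": untagged,
        "tagged10": tagged10,
        "parsed": parse_frame(tagged10),
        "from_trunk": sw.forward("uplink", tagged10),   # reaches VLAN 10 ports only
        "from_p3": sw.forward("p3", untagged),          # leaves only via the trunk, tagged 20
        "tag_mismatch": sw.forward("p3", tagged10),     # access port in VLAN 20 drops a VLAN 10 tag
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model shows the two halves of the mechanism in the text: the 4-byte tag is what lets VLAN 10 span switches A and B over the trunk, and the switch's per-VLAN flooding is what keeps a VLAN 10 broadcast off the VLAN 20 port.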
Typically, VLANs segment services traditionally provided by routers in LAN configurations and address issues such as scalability, security, and network management. VLANs can also help create multiple layer 3 networks on a layer 2 switch. For example, if a PXE server is plugged into a switch, it will serve any host on that switch that is configured to PXE boot. VLANs enable isolation of the PXE server so that only hosts in its VLAN use it.
How does XenClient leverage VLAN tagging capabilities? Centrally, from a XenClient Synchronizer policy, you can VLAN tag a virtual machine guest in the XenClient Engine. This segregates the virtual machine's broadcast traffic to a specific VLAN. This feature requires a bridged-mode, wired connection.
This feature enables many use cases. One particular customer uses XenClient Enterprise to run two Windows virtual machines in strict isolation. Virtual machine A is used to perform business functions like credit card transactions while virtual machine B is used to perform day-to-day functions like social media marketing, email and web surfing. The customer segregates the traffic in virtual machine A from virtual machine B in order to meet credit card transaction compliance requirements (PCI). VLAN tagging enables this isolation and segregates the broadcast traffic of virtual machine A from virtual machine B even though they are on the same device (see diagram below). This is one example of many, so feel free to share others in the comments section.
If you want to see more details on VLAN tagging in XenClient, check out the following detailed Technote: Configuring VLANs using XenClient Enterprise (link: http://support.citrix.com/article/CTX134755).
XenClient 4.5 is packed full of improvements and functionality that make client-side virtualization feasible for a wider array of use cases.
Read more about the release of XenClient 4.5 and watch the announcement video to learn more about this release. XenClient is a production-ready client virtualization solution with thousands of desktops in deployment today. We encourage you to try it today by downloading XenClient 4.5.
Join the conversation by connecting with the Citrix XenClient team online!
- Watch the New Display Architecture with XenClient Enterprise 4.5 video
- View the XenClient product page
- Follow us on Twitter
- Like us on Facebook
- Visit our XenClient Technical Forum