From: Rick (ccie_2003@hotmail.com)
Date: Wed Oct 09 2002 - 14:21:31 GMT-3
Thanks Brian,
I wonder if anyone else in the group has any knowledge on this? I need some
hard facts as to why it would not be a security issue. Do you know where those
studies are located on the bug notices? The real concern is that a hacker
could jump VLANs to access user data on another VLAN. So the third party is
saying there must be more than just VLAN separation, which could only be
physical separation. I'm trying to sell them on the fact that it can't be
done. Any thoughts on this are much appreciated.
Also, if anyone would like to share the security practice for protecting
a switched network please do so.
For instance, I always set trunk off on all ports and clear all VLANs from all
ports, because someone could set the other side of the port to desirable and
build a link, etc.
Thanks,
Rick
----- Original Message -----
From: "Brian McGahan" <brian@cyscoexpert.com>
To: "'Rick'" <ccie_2003@hotmail.com>
Sent: Wednesday, October 09, 2002 11:23 AM
Subject: RE: 802.1q native vlan (further question on VLAN hopping - security issue)
> Rick,
>
> I can't really think of a case where this would be a problem.
> Remember, tags are only on trunk links. If someone spoofed a .1q header
> on an access link, I'd bet that the switch would just drop the frame.
>
> Personally I think that vlan separation is enough. I have read
> some bug notices where traffic has leaked between vlans, but
> these have been addressed. If your customer is worried about security,
> have them run IPSEC. Especially on the LAN, IPSEC will add negligible
> delay. There are many NIC cards today that will do it in hardware.
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> http://www.cyscoexpert.com
> Voice: 847.674.3392
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: Rick [mailto:ccie_2003@hotmail.com]
> > Sent: Wednesday, October 09, 2002 7:36 AM
> > To: Ccielab (E-mail); Brian McGahan
> > Subject: Re: 802.1q native vlan (further question on VLAN hopping - security issue)
> >
> > Brian,
> >
> > There has been a big discussion lately about VLANs and security in regards
> > to keeping different flows of traffic separate and protected. Do you see
> > any way someone could manipulate dot1q tags to compromise data integrity
> > between organizations? There is a 3rd party telling me that his traffic
> > should be on a separate switch, that VLAN separation was not enough. How
> > can I support that it is enough separation?
> >
> > Thanks,
> > Rick
> > ----- Original Message -----
> > From: "Brian McGahan" <brian@cyscoexpert.com>
> > To: "'Chris'" <clarson52@comcast.net>; "'P729'" <p729@cox.net>;
> > "'chenyan'"
> > <chenyan@deeptht.com.cn>; "'ccielab'" <ccielab@groupstudy.com>
> > Sent: Sunday, October 06, 2002 3:50 PM
> > Subject: RE: 802.1q native vlan
> >
> >
> > > Chris,
> > >
> > > You're overcomplicating the issue. Let's assume that your
> > > native vlan is vlan 10. This means that all traffic received on a .1q
> > > trunk link that does not have a tag belongs to vlan 10. Remember that
> > > tagging only happens on the trunk line; the tag values are not carried
> > > over access links (non-trunk links).
> > >
> > > If traffic is generated by a host in vlan 10, and this traffic
> > > must traverse the .1q trunk, the packet will not be tagged. When the
> > > switch on the other end of the trunk receives the frame, it knows that
> > > this frame belongs to vlan 10, since the packet is untagged and the
> > > native vlan is 10. Your native vlan must match between all switches,
> > > otherwise you will have traffic leaking between vlans. That case is as
> > > follows.
> > >
> > > Take the same situation: a host in vlan 10 generates a packet
> > > that traverses a .1q trunk. The switch which this host is attached to has
> > > vlan 10 designated as the native vlan; however, the switch on the other
> > > side has vlan 20 designated as the native vlan. When the switch on the
> > > remote side receives this packet, it assumes that the packet belongs to
> > > vlan 20, and forwards it appropriately. This results in incorrect
> > > forwarding, since the packet should actually be destined for vlan 10.
> > >
> > > HTH
> > >
> > > Brian McGahan, CCIE #8593
> > > Director of Design and Implementation
> > > brian@cyscoexpert.com
> > >
> > > CyscoExpert Corporation
> > > Internetwork Consulting & Training
> > > http://www.cyscoexpert.com
> > > Voice: 847.674.3392
> > > Fax: 847.674.2625
> > >
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chris
> > > > Sent: Sunday, October 06, 2002 2:13 PM
> > > > To: P729; chenyan; ccielab
> > > > Subject: Re: 802.1q native vlan
> > > >
> > > > I have been looking through the Docs and indeed it does say that native
> > > > vlan traffic is not tagged. I guess I have missed that when reading the
> > > > switching docs previously, and was always taught that all traffic is
> > > > tagged.
> > > >
> > > > Thanks for the clarification.
> > > >
> > > > This would also mean that it is restricted to the native vlan then,
> > > > right? Without a tag it could not be forwarded to any other vlan.
> > > >
> > > > ----- Original Message -----
> > > > From: "P729" <p729@cox.net>
> > > > To: "Chris" <clarson52@comcast.net>; "chenyan" <chenyan@deeptht.com.cn>; "ccielab" <ccielab@groupstudy.com>
> > > > Sent: Sunday, October 06, 2002 2:05 PM
> > > > Subject: Re: 802.1q native vlan
> > > >
> > > >
> > > > > "Any untagged frames will get tagged..."
> > > > >
> > > > > Mmmm...sounds kinda contradictory, doesn't it? Actually, frames assigned to
> > > > > the native VLAN of the trunk are sent untagged across the trunk, period. But
> > > > > one might ask, "how would the switches on each end know when there's a
> > > > > native VLAN mismatch?" The answer for Cisco switches is through CDP. If CDP
> > > > > is disabled or not available, then they wouldn't know and you can pretty
> > > > > much bridge the two VLANs together and maybe not know it...
> > > > >
> > > > > Regards,
> > > > >
> > > > > Mas Kato
> > > > > https://ecardfile.com/id/mkato
> > > > > ----- Original Message -----
> > > > > From: "Chris" <clarson52@comcast.net>
> > > > > To: "chenyan" <chenyan@deeptht.com.cn>; "ccielab" <ccielab@groupstudy.com>
> > > > > Sent: Sunday, October 06, 2002 9:48 AM
> > > > > Subject: Re: 802.1q native vlan
> > > > >
> > > > >
> > > > > Any untagged frames will get tagged to the native vlan and travel the native
> > > > > vlan.
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "chenyan" <chenyan@deeptht.com.cn>
> > > > > To: "ccielab" <ccielab@groupstudy.com>
> > > > > Sent: Sunday, October 06, 2002 11:13 AM
> > > > > Subject: 802.1q native vlan
> > > > >
> > > > >
> > > > > > hi,guys
> > > > > >
> > > > > > I want to know why there is a native vlan for 802.1q and what is that for?
> > > > > >
> > > > > > Thanks
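The native VLAN behaviour Brian walks through (native traffic crosses the trunk untagged, and a mismatch makes the far switch file it under its own native VLAN) and the neighbour check Mas Kato attributes to CDP, as an added worked model. This is not code from the thread or from any vendor; the switch model, MAC addresses and VLAN numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass(frozen=True)
class Frame:
    """Ethernet frame as seen on the wire; tag is the 802.1Q VLAN ID, or None if untagged."""
    src: str
    dst: str
    tag: Optional[int] = None

class TrunkPort:
    """One end of an 802.1Q trunk (constructed model, not any vendor's implementation)."""
    def __init__(self, name: str, native_vlan: int, allowed: Set[int]):
        self.name = name
        self.native_vlan = native_vlan
        self.allowed = set(allowed) | {native_vlan}

    def egress(self, vlan: int, frame: Frame) -> Optional[Frame]:
        """Frame leaving on the trunk: native-VLAN traffic goes untagged, everything else is tagged."""
        if vlan not in self.allowed:
            return None                      # VLAN pruned from the trunk, never sent
        tag = None if vlan == self.native_vlan else vlan
        return Frame(frame.src, frame.dst, tag)

    def ingress(self, frame: Frame) -> Optional[int]:
        """Frame arriving on the trunk: untagged -> this end's native VLAN, tagged -> the tag's VLAN."""
        vlan = self.native_vlan if frame.tag is None else frame.tag
        return vlan if vlan in self.allowed else None

def forward_across_trunk(src_vlan: int, frame: Frame, a: TrunkPort, b: TrunkPort) -> Optional[int]:
    """VLAN the far-end switch assigns to a frame that left switch A in src_vlan."""
    on_wire = a.egress(src_vlan, frame)
    return None if on_wire is None else b.ingress(on_wire)

def native_vlan_mismatch(a: TrunkPort, b: TrunkPort) -> bool:
    """The neighbour consistency check CDP performs between the two trunk ends."""
    return a.native_vlan != b.native_vlan

# Constructed topology: switch A and switch B joined by one trunk carrying VLANs 10 and 20.
HOST_FRAME = Frame(src="00:11:22:33:44:55", dst="ff:ff:ff:ff:ff:ff")
A_NATIVE_10 = TrunkPort("A", native_vlan=10, allowed={10, 20})
B_NATIVE_10 = TrunkPort("B-ok", native_vlan=10, allowed={10, 20})
B_NATIVE_20 = TrunkPort("B-mismatch", native_vlan=20, allowed={10, 20})

if __name__ == "__main__":
    print("matched natives, VLAN 10 host lands in VLAN", forward_across_trunk(10, HOST_FRAME, A_NATIVE_10, B_NATIVE_10))
    print("mismatched natives, VLAN 10 host lands in VLAN", forward_across_trunk(10, HOST_FRAME, A_NATIVE_10, B_NATIVE_20))
    print("CDP-style check flags mismatch:", native_vlan_mismatch(A_NATIVE_10, B_NATIVE_20))
```

Run both directions across the mismatched pair to see that the leak is symmetric: B's native VLAN 20 traffic arrives untagged at A and is filed under VLAN 10, so the two VLANs are effectively bridged without any tag manipulation by a host.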
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:45 GMT-3