Re: benefit of using Native vlan

From: Gary Duncanson (gary.duncanson@googlemail.com)
Date: Wed Jun 13 2007 - 16:29:28 ART


Yep. Clear as mud.

Wendell Odom offers this on page 766 in the R&S Official Exam Certification
Guide.

Cisco recommends not using the native VLAN on trunks. The reason is that in
some cases an attacker on an access port might be able to hop from its
access port VLAN to a trunk's native VLAN by sending multiple frames that
begin with multiple headers.

This attack has been proven to be ineffective against Cisco switches;
however, the attack takes advantage of unfortunate sequencing of programming
logic in how a switch processes frames, so best practices call for not using
native VLANs on trunks anyway. Simply put, by following the best practice of
not using the native VLAN, even if an attacker managed to hop VLANs, if there
are no devices inside that VLAN no damage could be inflicted. In fact, Cisco
goes on to suggest using a different native VLAN for each trunk to further
restrict this type of attack.

Gary
----- Original Message -----
From: "Irfan Siddiqui" <Irfan.Siddiqui@vanco.co.uk>
To: <anthony.sequeira@thomson.com>; <ccielab@groupstudy.com>
Sent: Wednesday, June 13, 2007 7:10 PM
Subject: RE: benefit of using Native vlan

> The Cisco document is crap when it comes to explaining this... and
> contradicts itself
>
> First it says:
>
> On the other hand, the IEEE committee that defined 802.1Q decided that
> because of backward compatibility it was desirable to support the
> so-called native VLAN, that is to say, a VLAN that is not associated
> explicitly to any tag on an 802.1Q link. This VLAN is implicitly used
> for all the untagged traffic received on an 802.1Q capable port.
>
> This capability is desirable because it allows 802.1Q capable ports to
> talk to old 802.3 ports directly by sending and receiving untagged
> traffic. However, in all other cases, it may be very detrimental because
> packets associated with the native VLAN lose their tags, for example,
> their identity enforcement, as well as their Class of Service (802.1p
> bits) when transmitted over an 802.1Q link. (so it is desirable but then
> NOT so desirable !!)
>
> For these sole reasons-loss of means of identification and loss of
> classification-the use of the native VLAN should be avoided. There is a
> more subtle reason, though.
>
> Then it says:
>
> .........As a matter of fact, the proper configuration that should
> always be used is to clear the native VLAN from all 802.1Q trunks
> (alternatively, setting them to 802.1q-all-tagged mode achieves the
> exact same result). In cases where the native VLAN cannot be cleared,
> then always pick an unused VLAN as native VLAN of all the trunks; don't
> use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD
> (check out [3]) should be the only rightful users of the native VLAN and
> their traffic should be completely isolated from any data packets.
>
> So if you clear the native vlan (which it doesn't explain how to do
> because default native vlan would always be 1 anyways) or use
> "802.1q-all-tagged", how does this separate the management traffic
> (Protocols like STP, DTP, and UDLD) from the data traffic? Does it tag
> all management traffic with some special tag of its own (which Cisco
> has not documented anywhere), which separates it from other vlan tags?
>
> There still seems to be no clear answer to this...
>
> Irfan Siddiqui
> V-SIP Changes Engineer
> Vanco UK Limited, a Vanco plc Group Company
> Units 1 and 2, Great West Plaza, Riverbank Way
> Brentford, Middlesex, TW8 9RE
> T +44 (0) 20 8636 1700
> F +44 (0) 20 8636 1701
> W <http://www.vanco.co.uk>
> E irfan.siddiqui@vanco.co.uk
>
> -----Original Message-----
> From: anthony.sequeira@thomson.com [mailto:anthony.sequeira@thomson.com]
> Sent: 13 June 2007 17:47
> To: Irfan Siddiqui; ccielab@groupstudy.com
> Subject: RE: benefit of using Native vlan
>
> For a couple of examples on why the Native VLAN can be dangerous, check
> out the Double-Encapsulated 802.1Q/Nested VLAN Attack section of the
> following document:
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
>
> As far as setting the Native VLAN to an Inactive VLAN, I have not
> verified, but I assume this effectively eliminates the Native VLAN
> behavior. All traffic sent across the link will be tagged.
>
> Some of Cisco's other security recommendations in this area include
> creating a Management traffic VLAN other than VLAN 1, and placing all
> ports in your network that you will not use into a VLAN other than VLAN
> 1.
>
> So you notice - we really pick on the default VLAN of VLAN 1. It was the
> default Native VLAN, and we eliminate that. We also remove ALL ports
> from this VLAN.
>
> Anthony J Sequeira
> #15626
>
> -----Original Message-----
> From: Irfan Siddiqui [mailto:Irfan.Siddiqui@vanco.co.uk]
> Sent: Wednesday, June 13, 2007 12:33 PM
> To: Sequeira, Anthony (NETg); ccielab@groupstudy.com
> Subject: RE: benefit of using Native vlan
>
> You mention there are security issues in configuring a native vlan, what
> are these??
>
> Also if you configure a native vlan that doesn't actually exist in the
> vlan database.. how does that work... does that mean untagged and
> management traffic will just flow over a phantom vlan that doesn't
> exist....
>
> Please explain....
>
> Would appreciate......
>
> Irfan Siddiqui
> V-SIP Changes Engineer
>
> -----Original Message-----
> From: anthony.sequeira@thomson.com [mailto:anthony.sequeira@thomson.com]
> Sent: 13 June 2007 17:19
> To: Irfan Siddiqui; ccielab@groupstudy.com
> Subject: RE: benefit of using Native vlan
>
> I believe the concept of the Native VLAN originally arose as a safety
> mechanism for Management traffic. For example, if a trunk link loses its
> trunk status, the link can still pass the Management traffic as it is
> not tagged.
>
> Because there are security issues that the Native VLAN can introduce,
> Cisco currently recommends that in high security environments, the
> Native VLAN be set to an Inactive VLAN. In other words, set it to a VLAN
> that does NOT exist in your topology. The trunk link will still work
> just fine, and when you check the trunk status it will show that the
> Native VLAN is Inactive.
>
> Keep in mind that in the Certification Lab, we need to do whatever they
> instruct us to do. As many have pointed out here before, the Lab Exam is
> not a Best Practice type of test. If in the lab, they never mention
> Native VLAN at all, explicitly or implicitly, then I would just leave it
> alone (default settings).
>
> Anthony J Sequeira
> #15626
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Irfan Siddiqui
> Sent: Wednesday, June 13, 2007 11:13 AM
> To: Cisco certification
> Subject: benefit of using Native vlan
>
> Wonder if someone can advise...
>
> What is the benefit of using a native vlan on a trunk? If you don't
> define a native vlan on a trunk, I believe it uses vlan 1 as the native
> vlan to pass the untagged management traffic..
>
> If you do define a native vlan, it will use that vlan to pass all the
> untagged traffic... and you need to match it on both ends...
>
> Also I believe there is a command to the effect that you can configure
> native vlan to send tagged traffic as well.. dot1q tag native or
> something....
>
> But what is the benefit of configuring a native vlan vs. not
> configuring one at all..
>
> Does it have any other benefit, besides specifying what vlan to send
> untagged traffic?
>
> Please help. Thanks in advance..
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
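The thread's recommendations (no trunk left on the default native VLAN 1, an unused native VLAN, a different one per trunk, native traffic tagged, and no ports left in VLAN 1) can be turned into a check that runs against a saved running-config. The Python below is an added example written for this page; it is not from the thread, from Cisco, or from any of the posters. The running-config text is constructed for the example, the parser understands only the few `switchport` commands the checks need, and it treats a VLAN as "in use" when an access port is assigned to it, because the VLAN database is not visible in the config. The tagging check looks for the global `vlan dot1q tag native` command, the IOS form of the "dot1q tag native" command Irfan mentions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running-config for this example (not a real device, not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/5
 switchport mode access
!
interface GigabitEthernet0/6
 switchport trunk native vlan 999
 switchport mode trunk
!
"""


@dataclass
class Finding:
    interface: str  # interface name, or "(global)" for a switch-wide setting
    check: str      # short identifier of the check that fired
    detail: str     # human-readable explanation


def parse_config(text: str) -> tuple[bool, dict[str, dict]]:
    """Return (tag_native_enabled, {interface: {"mode", "native", "access"}}).

    Only the switchport commands the audit needs are understood; anything
    missing falls back to the IOS defaults (native VLAN 1, access VLAN 1).
    """
    tag_native = False
    interfaces: dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"mode": None, "native": 1, "access": 1}
        elif line.startswith(" ") and current is not None:
            cmd = line.strip()
            if (m := re.fullmatch(r"switchport mode (trunk|access)", cmd)):
                interfaces[current]["mode"] = m.group(1)
            elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)):
                interfaces[current]["native"] = int(m.group(1))
            elif (m := re.fullmatch(r"switchport access vlan (\d+)", cmd)):
                interfaces[current]["access"] = int(m.group(1))
        else:
            current = None  # "!" or a global command ends the interface stanza
            if line == "vlan dot1q tag native":
                tag_native = True
    return tag_native, interfaces


def audit(text: str) -> list[Finding]:
    """Apply the thread's native-VLAN recommendations to a config text."""
    tag_native, ifaces = parse_config(text)
    trunks = {n: a for n, a in ifaces.items() if a["mode"] == "trunk"}
    access = {n: a for n, a in ifaces.items() if a["mode"] == "access"}
    # VLANs that have access ports count as "in use" (the VLAN database is not in the config)
    access_vlans = {a["access"] for a in access.values()}
    findings: list[Finding] = []

    if trunks and not tag_native:
        findings.append(Finding("(global)", "native-untagged",
                                "'vlan dot1q tag native' is absent: native-VLAN frames cross trunks untagged"))
    natives: dict[int, list[str]] = {}
    for name, a in sorted(trunks.items()):
        native = a["native"]
        if native == 1:
            findings.append(Finding(name, "default-native", "trunk still uses default native VLAN 1"))
        elif native in access_vlans:
            findings.append(Finding(name, "native-in-use", f"native VLAN {native} also carries access ports"))
        if native != 1:
            natives.setdefault(native, []).append(name)
    # Odom's suggestion: a different (unused) native VLAN on each trunk
    for vlan, names in natives.items():
        if len(names) > 1:
            findings.append(Finding(", ".join(names), "shared-native", f"trunks share native VLAN {vlan}"))
    # Cisco's related advice quoted by Anthony: nothing should be left in VLAN 1
    for name, a in sorted(access.items()):
        if a["access"] == 1:
            findings.append(Finding(name, "access-vlan-1", "access port left in VLAN 1"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.interface:<42} {f.check:<16} {f.detail}")
```

On the sample config this reports five findings: the missing global tagging command, Gi0/2 on the default native VLAN, Gi0/3 using VLAN 10 as native while Gi0/4 is an access port in VLAN 10, Gi0/1 and Gi0/6 sharing native VLAN 999, and Gi0/5 sitting in VLAN 1. Whether a native VLAN is truly "inactive" (absent from the VLAN database, as Anthony describes) needs `show vlan` output or the VLAN database itself, which this config-only check cannot see.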



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:49 ART