From: Narbik Kocharians (narbikk@gmail.com)
Date: Wed Oct 22 2008 - 10:39:30 ARST
The answer is *VLAN Hopping*.
Let's assume that R1 is connected to SW1 and SW1 has a trunk to SW2 and R2
is connected to SW2.
R1 and R2 are configured in VLAN 100.
*Scenario #1*
*R1 needs to talk to R2:*
R1 sends traffic to SW1
SW1 internally tags the traffic with VLAN 100
This tag is maintained through the trunk from SW1 to SW2
SW2 un-tags the traffic and sends it to R2
*Scenario #2*
Let's say in this scenario the Native VLAN is set to 100.
R1 sends traffic to SW1
SW1 internally tags the traffic with VLAN 100
SW1 removes the tag and sends the traffic to SW2 un-tagged
SW2 receives the traffic un-tagged and it assumes that the traffic belongs
to its Native VLAN, therefore, SW2 sends the traffic to R2.
*Scenario #3*
SW1's end of the trunk is configured with a Native VLAN of 100
SW2's end of the trunk is configured with a Native VLAN of 200
R1 is in VLAN 100 and R2 is in VLAN 200
R1 sends the traffic to SW1
SW1 maintains the tag locally
SW1 removes the tag and sends the traffic in its native form
SW2 receives the traffic and it does not see a tag, therefore, it assumes
that the traffic belongs to its Native VLAN, in this case VLAN 200 and sends
the traffic to R2
*Note VLAN hopping was performed.*
There are other cases and ways that VLAN hopping can occur; there is a free
download of a program called *Yersinia* that will let you do VLAN hopping.
*Ways to mitigate the attack:*
1. Ensure that the ports are not part of the Native VLAN
2. Clear/Prune the Native VLAN from the trunk:
switchport trunk allowed vlan remove 100
3. Make sure that the traffic is always tagged:
vlan dot1q tag native
*And on the bigger switch boxes this can be done on a per
interface basis:*
interface FastEthernet0/1
switchport trunk native vlan tag
On Wed, Oct 22, 2008 at 5:18 AM, lei tian <again.tl@gmail.com> wrote:
> Hi Stephen,
>
> As I understand it, "dot1q tag native" is more like a best practice. Without
> that command, dot1q tunneling will have a problem only when the customer trunk
> side and SP trunk side use the same native VLAN, and the customer uses the
> native VLAN to carry data traffic.
> Never had a chance to test it; anyone who has labbed it can comment on it.
>
> HTH,
>
> Lei
>
> On Wed, Oct 22, 2008 at 5:30 AM, stephen skinner <stephenski@gmail.com
> >wrote:
>
> > Hello,
> >
> > I was wondering if I could ask some opinions.
> >
> > I have seen this command used in various dot1q tunnel scenarios.
> >
> > But I am still a little sketchy as to when I should use the above
> > command.
> >
> > A re-read of the CCO has made me none the wiser.
> >
> > From the CCO:
> > "You CAN use this command with the IEEE 802.1Q tunneling feature.
> > This feature operates on an edge switch of a service-provider network and
> > expands VLAN space by using a VLAN-in-VLAN hierarchy and tagging the
> > tagged packets."
> >
> > Should I use this command every time I configure a QinQ tunnel?
> >
> > If not, what sort of statements should I be looking for in a question to
> > lead me towards using this command?
> >
> > Any help would be greatly appreciated.
> >
> > TIA
> >
> > --
> > Only two things are infinite, the universe and human stupidity, and I'm
> > not sure about the former.
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
--
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining www.Net-Workbooks.com
Sr. Technical Instructor
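As an added illustration, not part of the thread or anyone's posted configuration: a small Python model of the tagging decisions Narbik walks through, replaying the three scenarios (R1 on SW1, trunk to SW2, R2 on SW2) and the two trunk-side mitigations (tagging the native VLAN, pruning it from the trunk). Switch, port and VLAN values are constructed for the illustration; how a given platform treats untagged frames it receives once tagging is enforced is not modelled.

```python
# Added example (not from the thread): a minimal model of 802.1Q tagging on a
# trunk, replaying the three scenarios above and the two mitigations.
# Switch, port and VLAN values are constructed; no real device is modelled.
from dataclasses import dataclass, field

@dataclass
class Switch:
    native_vlan: int                 # native VLAN on this end of the trunk
    tag_native: bool = False         # "vlan dot1q tag native" in effect?
    allowed_vlans: frozenset = frozenset(range(1, 4095))  # trunk allowed list
    access_ports: dict = field(default_factory=dict)       # port -> access VLAN

    def trunk_egress(self, vlan):
        """Tag put on the wire: 'DROP' (pruned), None (sent untagged), or vlan."""
        if vlan not in self.allowed_vlans:
            return "DROP"
        if vlan == self.native_vlan and not self.tag_native:
            return None
        return vlan

    def trunk_ingress(self, tag):
        """An untagged frame is assumed to belong to this end's native VLAN."""
        return self.native_vlan if tag is None else tag

def forward(sw1, port, sw2):
    """Frame from an sw1 access port across the trunk; returns (wire tag,
    sorted sw2 access ports that receive it)."""
    vlan = sw1.access_ports[port]    # SW1 tags the frame internally
    tag = sw1.trunk_egress(vlan)
    if tag == "DROP":
        return tag, []
    rx_vlan = sw2.trunk_ingress(tag)
    return tag, sorted(p for p, v in sw2.access_ports.items() if v == rx_vlan)

def run_scenarios():
    r = {}
    sw1 = Switch(1, access_ports={"Fa0/1": 100})   # R1 on SW1 Fa0/1, VLAN 100
    sw2 = Switch(1, access_ports={"Fa0/2": 100})   # R2 on SW2 Fa0/2, VLAN 100
    r["s1"] = forward(sw1, "Fa0/1", sw2)           # tagged 100, reaches R2
    sw1.native_vlan = sw2.native_vlan = 100        # scenario 2: native = 100
    r["s2"] = forward(sw1, "Fa0/1", sw2)           # untagged, still reaches R2
    sw2.native_vlan = sw2.access_ports["Fa0/2"] = 200   # scenario 3: mismatch
    r["s3"] = forward(sw1, "Fa0/1", sw2)           # untagged, lands in VLAN 200
    sw1.tag_native = True                          # mitigation: tag native VLAN
    r["tag_native"] = forward(sw1, "Fa0/1", sw2)   # tagged 100, R2 not reached
    sw1.tag_native = False
    sw1.allowed_vlans = sw1.allowed_vlans - {100}  # mitigation: prune from trunk
    r["pruned"] = forward(sw1, "Fa0/1", sw2)       # dropped at SW1
    return r
```

Scenario 3 is the hop: the frame leaves SW1 untagged because VLAN 100 is SW1's native VLAN, and SW2 files it under its own native VLAN 200, so R2 receives it; either mitigation keeps it out of VLAN 200.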
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:22 ARST