From: sheherezada@gmail.com
Date: Wed Oct 22 2008 - 11:02:37 ARST
Just a side note: 'vlan dot1q tag native' might mess up your access
traffic if a PC is behind an IP phone. When you configure
'switchport voice vlan', your port actually becomes a trunk and your PC
will not know what to do with a tagged frame...
Otherwise, I do agree that this is a good security measure (and also
necessary when doing QinQ and playing with VMware).
Mihai
On Wed, Oct 22, 2008 at 3:39 PM, Narbik Kocharians <narbikk@gmail.com> wrote:
> The answer is *VLAN Hopping;*
>
> Let's assume that R1 is connected to SW1 and SW1 has a trunk to SW2 and R2
> is connected to SW2.
>
> R1 and R2 are configured in VLAN 100.
>
> *Scenario #1*
>
> *R1 needs to talk to R2:*
>
> R1 sends traffic to SW1
> SW1 internally tags the traffic with VLAN 100
> This tag is maintained through the trunk from SW1 to SW2
> SW2 un-tags the traffic and sends it to R2
>
> *Scenario #2*
>
> Let's say in this scenario the Native VLAN is set to 100.
>
> R1 sends traffic to SW1
> SW1 internally tags the traffic with VLAN 100
> SW1 removes the tag and sends the traffic to SW2 un-tagged
> SW2 receives the traffic un-tagged and it assumes that the traffic belongs
> to its Native VLAN, therefore, SW2 sends the traffic to R2.
>
> *Scenario #3*
>
> SW1's end of the trunk is configured with a Native VLAN of 100
> SW2's end of the trunk is configured with a Native VLAN of 200
> R1 is in VLAN 100 and R2 is in VLAN 200
>
> R1 sends the traffic to SW1
> SW1 maintains the tag locally
> SW1 removes the tag and sends the traffic in its native form
> SW2 receives the traffic and it does not see a tag, therefore, it assumes
> that the traffic belongs to its Native VLAN, in this case VLAN 200, and sends
> the traffic to R2
>
> *Note VLAN hopping was performed.*
>
> There are other cases and ways that VLAN hopping can occur; there is a free
> download of a program called *Yersinia* that will let you do VLAN hopping.
>
> *Ways to mitigate the attack:*
>
> 1. Ensure that the ports are not part of the Native VLAN
> 2. Clear/Prune the Native VLAN from the trunk:
>
>    switchport trunk allowed vlan remove 100
>
> 3. Make sure that the traffic is always tagged:
>
>    vlan dot1q tag native
>
> *And on the bigger switch boxes this can be done on a per
> interface basis:*
>
> interface FastEthernet0/1
>  switchport trunk native vlan tag
>
> On Wed, Oct 22, 2008 at 5:18 AM, lei tian <again.tl@gmail.com> wrote:
>
>> Hi Stephen,
>>
>> As I understand it, "dot1q tag native" is more like a best practice. Without that
>> command, dot1q tunneling will have a problem only when the customer trunk side and
>> the SP trunk side use the same native VLAN, and the customer uses the native VLAN to
>> carry data traffic.
>> I never had a chance to test it; anyone who has labbed it can comment on it.
>>
>> HTH,
>>
>> Lei
>>
>> On Wed, Oct 22, 2008 at 5:30 AM, stephen skinner <stephenski@gmail.com
>> >wrote:
>>
>> > Hello,
>> >
>> > I was wondering if I could ask some opinions.
>> >
>> > I have seen this command used in various dot1q tunnel scenarios.
>> >
>> > But I am still a little sketchy as to when I should use the above
>> > command.
>> >
>> > A re-read of the CCO has made me none the wiser.
>> >
>> > From the CCO:
>> > "You CAN use this command with the IEEE 802.1Q tunneling feature.
>> > This feature operates on an edge switch of a service-provider network and
>> > expands VLAN space by using a VLAN-in-VLAN hierarchy and tagging the
>> > tagged packets"
>> >
>> > Should I use this command every time I configure a QinQ tunnel?
>> >
>> > If not, what sort of statements should I be looking for in a question to
>> > lead me towards using this command?
>> >
>> > any help would be greatly appreciated
>> >
>> > TIA
>> >
>> > --
>> > Only two things are infinite, the universe and human stupidity, and I'm
>> not
>> > sure about the former.
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining
> www.Net-Workbooks.com
> Sr. Technical Instructor
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:22 ARST
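The three scenarios Narbik walks through, plus the double-tagging variant that tools like Yersinia automate, as an added example in Python that is not part of the thread: it models one end of a dot1q trunk (native VLAN, allowed list, and a flag standing in for `vlan dot1q tag native`) and reports which VLAN SW2 ends up placing R1's frame in. The tag layout follows IEEE 802.1Q; the class and function names, the sample frame, and two switch behaviours the model assumes (an access port strips a tag that matches its own VLAN, which is what double tagging relies on, and a trunk end that tags its native VLAN drops untagged frames it receives) are mine and should be checked against your platform.

```python
"""Toy 802.1Q trunk model: native-VLAN hopping and the tag-native mitigation.
Added example, not code from the thread. Frame layout follows IEEE 802.1Q;
names, the sample frame and the behaviours marked 'assumption' are mine."""
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


def tag_frame(frame, vid, pcp=0):
    """Insert a 4-byte 802.1Q tag after the two 6-byte MAC addresses."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid  # PCP:3 DEI:1 VID:12, DEI left clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vid, frame minus its outermost tag); vid is None if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class TrunkPort:
    """One end of a dot1q trunk: native VLAN, allowed list, tag-native flag."""

    def __init__(self, native_vlan, allowed=None, tag_native=False):
        self.native_vlan = native_vlan
        self.allowed = allowed        # None = every VLAN allowed on the trunk
        self.tag_native = tag_native  # stands in for 'vlan dot1q tag native'

    def egress(self, vid, frame):
        """Put a frame the switch holds in VLAN `vid` on the wire (None = pruned)."""
        if self.allowed is not None and vid not in self.allowed:
            return None
        if vid == self.native_vlan and not self.tag_native:
            return frame              # native VLAN leaves untagged
        return tag_frame(frame, vid)

    def ingress(self, wire):
        """Classify a frame arriving from the trunk into a VLAN (None = dropped)."""
        vid, frame = untag_frame(wire)
        if vid is None:
            if self.tag_native:
                return None, frame    # assumption: tag-native end drops untagged input
            vid = self.native_vlan    # untagged => native VLAN, the root of the hop
        if self.allowed is not None and vid not in self.allowed:
            return None, frame
        return vid, frame


def access_ingress(access_vlan, frame):
    """Access port on SW1. Assumption (what double tagging relies on): a frame
    arriving already tagged with the port's own VLAN has that tag stripped."""
    vid, inner = untag_frame(frame)
    return access_vlan, (inner if vid == access_vlan else frame)


def cross_trunk(sw1, sw2, vid, frame):
    """Forward a frame SW1 holds in VLAN `vid` to SW2; return SW2's VLAN choice."""
    wire = sw1.egress(vid, frame)
    if wire is None:
        return None
    vid2, _ = sw2.ingress(wire)
    return vid2


# Constructed sample frame: broadcast, made-up source MAC, ARP EtherType, padding.
SAMPLE = bytes.fromhex("ffffffffffff" "0a0000000001" "0806") + b"\x00" * 46


def scenario3(tag_native=False, allowed=None):
    """Thread's scenario 3: R1 in VLAN 100, SW1 native 100, SW2 native 200."""
    sw1 = TrunkPort(100, allowed=allowed, tag_native=tag_native)
    sw2 = TrunkPort(200, allowed=allowed, tag_native=tag_native)
    return cross_trunk(sw1, sw2, 100, SAMPLE)


def double_tag(tag_native=False):
    """Attacker on an access port in native VLAN 100 sends outer 100 / inner 200;
    both trunk ends agree on native 100, so only the tag-native flag matters."""
    sw1 = TrunkPort(100, tag_native=tag_native)
    sw2 = TrunkPort(100, tag_native=tag_native)
    crafted = tag_frame(tag_frame(SAMPLE, 200), 100)
    vid, frame = access_ingress(100, crafted)
    return cross_trunk(sw1, sw2, vid, frame)


if __name__ == "__main__":
    print("scenario 3, no mitigation   ->", scenario3())                   # 200: hopped
    print("scenario 3, VLAN 100 pruned ->", scenario3(allowed={200, 300}))  # None: dropped
    print("scenario 3, tag native      ->", scenario3(tag_native=True))    # 100: contained
    print("double tag, no mitigation   ->", double_tag())                  # 200: hopped
    print("double tag, tag native      ->", double_tag(tag_native=True))   # 100: contained
```

Running it shows scenario 3 landing in VLAN 200 with no mitigation, nothing crossing the trunk once VLAN 100 is pruned from the allowed list, and the frame staying in VLAN 100 once the native VLAN is tagged; the double-tagged frame follows the same pattern, because tagging the native VLAN on egress means SW2 reads the outer tag of 100 rather than the attacker's inner tag of 200.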