Re: Vlan dot1q tag Native

From: Narbik Kocharians (narbikk@gmail.com)
Date: Wed Oct 22 2008 - 23:22:31 ARST


When you use the "VLAN dot1q tag Native" you are tagging the Native VLAN.

On Wed, Oct 22, 2008 at 5:54 PM, stephen skinner <stephenski@gmail.com> wrote:

> One quick question please.
>
> In scenario 3,
>
> if R1 was connected to SW1 as a trunk, say VLANs 100 and 10, with the
> native VLAN on that trunk being VLAN 10
>
> and I used the "vlan dot1q tag native" command
>
> would the packets still take the native VLAN of the SW1-SW2 trunk?
>
> Many thanks
>
>
>
> On Wed, Oct 22, 2008 at 8:39 PM, Narbik Kocharians <narbikk@gmail.com> wrote:
>
>> The answer is *VLAN Hopping*.
>>
>> Let's assume that R1 is connected to SW1 and SW1 has a trunk to SW2 and R2
>> is connected to SW2.
>>
>> R1 and R2 are configured in VLAN 100.
>>
>> *Scenario #1*
>>
>> *R1 needs to talk to R2:*
>>
>> R1 sends traffic to SW1
>> SW1 internally tags the traffic with VLAN 100
>> This tag is maintained through the trunk from SW1 to SW2
>> SW2 un-tags the traffic and sends it to R2
>>
>> *Scenario #2*
>>
>> Let's say in this scenario the Native VLAN is set to 100.
>>
>> R1 sends traffic to SW1
>> SW1 internally tags the traffic with VLAN 100
>> SW1 removes the tag and sends the traffic to SW2 un-tagged
>> SW2 receives the traffic un-tagged and assumes that the traffic belongs
>> to its Native VLAN; therefore, SW2 sends the traffic to R2.
>>
>> *Scenario #3*
>>
>> SW1's end of the trunk is configured with a Native VLAN of 100
>> SW2's end of the trunk is configured with a Native VLAN of 200
>> R1 is in VLAN 100 and R2 is in VLAN 200
>>
>> R1 sends the traffic to SW1
>> SW1 maintains the tag locally
>> SW1 removes the tag and sends the traffic in its native form
>> SW2 receives the traffic and does not see a tag; therefore, it assumes
>> that the traffic belongs to its Native VLAN, in this case VLAN 200, and sends
>> the traffic to R2
>>
>> *Note: VLAN hopping was performed.*
>>
>> There are other cases and ways that VLAN hopping can occur; there is a
>> free download of a program called *Yersinia* that will let you do VLAN
>> hopping.
>>
>> *Ways to mitigate the attack:*
>>
>> 1. Ensure that the ports are not part of the Native VLAN.
>> 2. Clear/prune the Native VLAN from the trunk:
>>
>>    switchport trunk allowed vlan remove 100
>>
>> 3. Make sure that the traffic is always tagged:
>>
>>    vlan dot1q tag native
>>
>> *And on the bigger switch boxes this can be done on a per
>> interface basis:*
>>
>>    interface FastEthernet0/1
>>    switchport trunk native vlan tag
>>
>>
>> On Wed, Oct 22, 2008 at 5:18 AM, lei tian <again.tl@gmail.com> wrote:
>>
>>> Hi Stephen,
>>>
>>> As I understand it, "dot1q tag native" is more like a best practice. Without
>>> that command, dot1q tunneling will have a problem only when the customer
>>> trunk side and the SP trunk side use the same native VLAN, and the customer
>>> uses the native VLAN to carry data traffic.
>>> I never had a chance to test it; anyone who has labbed it can comment on it.
>>>
>>> HTH,
>>>
>>> Lei
>>>
>>> On Wed, Oct 22, 2008 at 5:30 AM, stephen skinner <stephenski@gmail.com>
>>> wrote:
>>>
>>> > Hello,
>>> >
>>> > I was wondering if I could ask some opinions.
>>> >
>>> > I have seen this command used in various dot1q tunnel scenarios.
>>> >
>>> > But I am still a little sketchy as to when I should use the above
>>> > command.
>>> >
>>> > A re-read of the CCO has made me none the wiser.
>>> >
>>> > From the CCO:
>>> > "You CAN use this command with the IEEE 802.1Q tunneling feature.
>>> > This feature operates on an edge switch of a service-provider network
>>> > and expands VLAN space by using a VLAN-in-VLAN hierarchy and tagging the
>>> > tagged packets."
>>> >
>>> > Should I use this command every time I configure a QinQ tunnel?
>>> >
>>> > If not, what sort of statements should I be looking for in a question to
>>> > lead me towards using this command?
>>> >
>>> > Any help would be greatly appreciated.
>>> >
>>> > TIA
>>> >
>>> > --
>>> > Only two things are infinite, the universe and human stupidity, and I'm
>>> > not sure about the former.
>>> >
>>> >
>>> > Blogs and organic groups at http://www.ccie.net
>>> >
>>> > _______________________________________________________________________
>>> > Subscription information may be found at:
>>> > http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>> --
>> Narbik Kocharians
>> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>> www.MicronicsTraining
>> www.Net-Workbooks.com <http://www.net-workbooks.com/>
>> Sr. Technical Instructor
>>
>
> --
> Only two things are infinite, the universe and human stupidity, and I'm
> not sure about the former.
>

-- 
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining
www.Net-Workbooks.com
Sr. Technical Instructor
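Added example, not code from the thread: a small Python model of the trunk behaviour Narbik walks through in scenarios #1-#3, with his three mitigations applied to the scenario #3 mismatch. Real switch forwarding is simplified, and the rule that untagged trunk frames are dropped once tag native is enabled is an assumption of the model.

```python
# Added model, not code from the thread: a toy 802.1Q trunk that reproduces
# the native-VLAN mismatch of scenario #3 and the effect of each mitigation.
# Real switch behaviour is simplified; the ingress rule under "tag native"
# (untagged trunk frames dropped) is an assumption of this model.
from dataclasses import dataclass, field

UNTAGGED = "untagged"   # frame leaves the trunk without an 802.1Q tag
DROPPED = "dropped"     # frame never reaches the far side


@dataclass
class TrunkEnd:
    native: int                            # native VLAN on this trunk end
    tag_native: bool = False               # "vlan dot1q tag native" applied
    allowed: set = field(default_factory=lambda: set(range(1, 4095)))

    def prune(self, vlan):
        """switchport trunk allowed vlan remove <vlan>"""
        self.allowed.discard(vlan)
        return self

    def egress(self, vlan):
        """What a frame in `vlan` looks like on the wire leaving this end."""
        if vlan not in self.allowed:
            return DROPPED
        if vlan == self.native and not self.tag_native:
            return UNTAGGED                # native VLAN is sent without a tag
        return vlan                        # carries an 802.1Q tag for `vlan`

    def ingress(self, wire):
        """VLAN the receiving end assigns to a frame seen on the wire."""
        if wire == UNTAGGED:
            # Assumption: with tag native on, untagged trunk frames are dropped
            return DROPPED if self.tag_native else self.native
        return wire if wire in self.allowed else DROPPED


def forward(sw1, sw2, vlan):
    """VLAN in which SW2 delivers a frame that entered SW1 in `vlan`."""
    wire = sw1.egress(vlan)
    return DROPPED if wire == DROPPED else sw2.ingress(wire)


if __name__ == "__main__":
    # Scenario #3: mismatched native VLANs, R1's VLAN 100 frame lands in 200
    print(forward(TrunkEnd(native=100), TrunkEnd(native=200), 100))
    # Mitigation 3: tag the native VLAN on both ends, frame stays in VLAN 100
    print(forward(TrunkEnd(100, tag_native=True), TrunkEnd(200, tag_native=True), 100))
    # Mitigation 2: prune VLAN 100 from the trunk, frame is dropped instead
    print(forward(TrunkEnd(100).prune(100), TrunkEnd(200), 100))
```

Mitigation 1 corresponds to keeping R1 and R2 out of the native VLAN: with native VLAN 1 on both ends, a VLAN 100 frame crosses the trunk tagged and arrives in VLAN 100.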


This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:22 ARST