Vlan Hopping attack

Hello,
I know what a VLAN hopping attack is... I understand it, but why on earth would an access port accept tagged frames?
It is understood that clients or end systems must not and will not send tagged data frames if they are on access ports, because they don't have any info about what VLAN they are in... so why does the switch even accept VLAN-tagged frames from an access port? Please enlighten me :)
Thank you
Regards
Ahmed Mukhtar

Hi Ahmed,
I think you are looking at this in a different way.
As you imagined, if the port is hard-coded to be an access port, and done correctly, an attacker will not be able to do the VLAN hopping.
So in an ideal world, an end system connected to an access port is not expected to accept tagged packets. Even if someone configured the end system to accept tagged packets (which is easily achievable), it will hear no traffic on other VLANs (as the access port only sends out untagged packets).
But the situation changes when you leave your ports on a setting that would allow anyone to use that port either as a trunk or as an access port. In this situation the attacker will leverage this dynamic nature of the port, negotiate a trunk with the switch and start hopping between VLANs looking for interesting traffic.
I guess the most important thing to understand is: in the attacker's world, you can't expect the "end system" to behave and act like an "ethical" end system that would obey the TCP/IP protocol stack. Be it a PC or a switch or some other box the attacker is using, it will have a manipulated protocol stack that can act as a PC or a switch or whatever it wants to be. (For example, if you get a PC and change the protocol stack to send BPDUs and DTP etc., how would the switch on the other end know it is really a PC it is talking to?)
Hopefully this helps you to look at this in a different way.
Please don't forget to rate helpful answers.

Similar Messages

  • VLAN Hopping on Native VLAN

    Hi,
    Is it possible to send tagged frames on a switch port which is configured as access, with the VLAN ID equal to the native VLAN, to do VLAN hopping?
    What are the best practices to avoid VLAN hopping?

    Hello,
    I think what you describe is a double-encapsulated VLAN hopping attack.
    The document below talks about preventing this and other VLAN hopping attacks:
    Layer 2 -- The Weakest Link
    Security Considerations at the Data Link Layer
    http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html
    Hacking Layer 2: Fun with Ethernet Switches
    http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
    Regards,
    GP

  • Vlan hopping issue btw 2950 (Access) & Cat 6K (Distribution)

    Cat 6K is the Distribution Switch & 2950 is the Access Switch
    Cat 6K int Gig 8/16 --- 2950 Fa 0/1
    Cat 6K's Gig 8/16 is configured as Access port for Vlan 212 (10.106.167.0/24)
    2950 has all its ports in VLAN 1. So, all frames from the 2950 are sent untagged to the Cat 6K, which then tags them as VLAN 212. [Don't ask me why, but this is how they do it in our labs]
    The problem here is, hosts configured in another VLAN, i.e. VLAN 244 (10.106.238.0/24), when connected to the 2950 access switch, can ping its gateway 10.106.238.1.
    Can someone explain why/how this is happening?

    Hi @rmysored,
    The fact that all frames from 2950 are sent untagged to Cat 6K and then Cat 6K tags them as VLAN 212 is because the port Gi8/16 is an access port. Take the following example (Please, see the attached figure first):
     - I have Sw1, Sw2 and PC1
     - Sw1 and Sw2 are connected via a trunk port (passing all the VLANs by default)
     - Sw2 is connecting PC1 via an access port in VLAN 10
    When PC1 is sending frames to Sw2 it sends them untagged, because PCs don't recognize tags and typically they don't know what VLAN they are in.
    But when Sw2 is sending those frames (from PC1) to Sw1, Sw2 tags those frames as part of VLAN 10, because Sw2 is passing more VLANs to Sw1 via the trunk link and it has to recognize where the frames belong when they return.
    In your case, Cat 6K is tagging the frames coming from the 2950 as part of VLAN 212 because its port facing the 2950 (an access port) is configured as part of that VLAN.
    On the other hand, can you share the configurations of the Cat6K and 2950 for deeper investigation?
    Hope to see your answers.
    Regards,
    Martin, IT Specialist

  • Trunk Native VLAN

    Don't configure a native VLAN unless you have to. You're increasing your attack surface with the potential of VLAN hopping (Dot1q hopping, some call it).
    http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
    https://en.wikipedia.org/wiki/VLAN_hopping
    Edit:Spelling

    Hello,
    I'm trying to understand native VLAN trunking better. Maybe someone can please help explain? I understand trunking and VLANs, and I know that on the trunked port I can allow whatever VLANs I want to, and I know that the native VLAN carries non-tagged frames.
    So for example, if I have say 3 vlans and a native vlan
    vlan 10, vlan 20, vlan 30 and I have the command on the trunked port "switchport trunk allowed vlan 10,20,30"
    so all those vlans will pass on the trunk correct? And native vlan 1 will pass all the telnet, cdp, traffic etc, correct?
    Also how do I change the native vlan?
    Thanks.

  • Manipulating allowed VLAN list on trunks

    I am in the process of restricting some of my VLANs so that they can be accessed only on the switches that actually need them. I have a VTP domain, so I am doing it by manipulating the "allowed" lists on the trunks. I have a mixed environment of IOS 4500, CatOS 4000, CatOS 5500, and IOS 29xx.
    So, I have a number of questions and observations:
    1. There are some special default VLANs, 1002-1005, which are designated fddi-default, token-ring-default etc. In an Ethernet-only environment, is there any harm if I clear these from all the trunks?
    2. I do not use the extended VLAN range 1025-4095. Is there any harm if I clear these from all trunks?
    3. Just out of academic interest, what ever happened to VLANs 1006 to 1024? They do not appear in any of the default "allowed" lists. Are they reserved for something?
    4. Suppose my native VLAN for my trunks is not 1, let us say 99. And my management is on yet another VLAN, say 98. What happens if I try and clear the native VLAN 99 from the trunks? (Yes, I know I should try this in a lab, but does anyone know the answer to save me the effort of setting it up?)
    5. Suppose I have a VLAN, say 50, that is only needed in two switches, so I clear it from all trunks except the one between those two switches. But all the switches know about it cos it is in the VTP list. I notice that in the IOS switches, the PVST+ instance for that VLAN gets shut down. In the CatOS switches, the STP seems to continue to run, but the root bridge is designated as 00-00-00-00-00-00. Are these two behaviors consistent, i.e. what is actually going on in the CatOS case? (AAMOF, in the IOS switches, it is enough that none of the ports has an "up" presence in the VLAN, and the PVST+ instance shuts down, even if there are "down" ports configured to use it.)
    6. Is there any way to set a global default "allowed" list in a switch, so that any new trunks only allow those VLANs, regardless of what is in the VTP list? (That is, apart from setting it to "transparent", which have other unwanted side effects such as not being aware of the creation of new VLANs.)
    That's a lot of questions. The new edition of the Clarke/Hamilton book is well overdue!
    Kevin Dorrell
    Luxembourg

    Glen,
    Thanks for the responses.
    1. I shall clear them out immediately.
    2. I shall clear them out immediately.
    3. It's a mystery. Anyone?
    4. It was 99 because that VLAN was created specifically to accommodate the trunks. Unfortunately, in that particular network, VLAN 1 was still in use as an access VLAN. It is recommended not to have any access ports on the VLAN that is used as the native on the trunks, to prevent VLAN-hopping. Most NetAdmins do this by putting all the access ports anywhere but VLAN 1, and keeping VLAN 1 for trunk natives and/or management. This network did it the other way round, by shifting the native of the trunks off onto an unused VLAN. But I don't know what would happen if I cleared the native VLAN off the trunk.
    5. I think here we need to distinguish between VTP and STP, and between allowed lists and pruning. I am not pruning here, I am actually clearing the VLANs from the trunks. In the case of pruning, the VTP declines to send the broadcasts down the trunk if they are not useful at the access layer switch, but the Spanning Tree topology is not affected. In the case of clearing, the Spanning Tree topology of the VLAN is actually modified, as if the trunk did not exist for that VLAN. OTOH, the VTP VLAN list is propagated to all switches, regardless of whether they have any presence on each VLAN. So according to the VTP server and all clients, there is a load of VLANs active in the domain. But if you have an allowed list on all the trunks, it could well be that the access switch knows about a VLAN, but does not have any presence on it. That is when the IOS shuts down the PVST+ STP for that VLAN, and a CatOS switch registers the root bridge as 00-00-00-00-00-00. As opposed to the case where the VTP domain does not have a VLAN in its database, so the CatOS has no STP instance for it.
    6. Anyone else?
    Thanks for the responses.
    Kevin Dorrell
    Luxembourg

  • SG300's vlan isolation except for shared printers

    Hello,
    We have 2 x SG300-20's and 1 x SG300-10.
    We want to have a few vlans to isolate different departments from each other while still providing access to the broadband uplink as well as shared printers.
    The setup we would like would be something like this:
    1 x SG300-20 for VLAN 2
    1 x SG300-20 for VLAN 3
    1 x SG300-10 for VLAN 4-6
    Shared printer(s) on VLAN 6 which should be accessible from all other vlans
    We also have a RV180 router sitting in front of the switches which should provide broadband uplink access and trunking for the switches.
    We need to forbid vlan 2-5 from communicating with each other.
    In order to simplify and test, we are using the SG300-10 switch only, in L3 mode at the moment, with 3 computers to simulate 3 VLANs. But it seems to turn on inter-VLAN routing on every port and VLAN automatically when you set the switch to L3 mode, and in L2 mode VLAN isolation works, but we need to use the router to serve up DHCP and inter-VLAN routing on a single VLAN. After over 6 hours of having the Cisco tech logged into our system to try to set it up, he gave up and said he didn't understand why it was not working...
    Is there a way to use this setup, or something similar?
    We have contacted cisco support a second time and have had a tech test our switch config file for a week now and still no progress on this and we need to have this working asap.
    We were told that this was possible with our equipment but it seems there are serious limitations with this gear that even the cisco techs don't know about...
    We can provide the switch config upon request.
    Thanks!

    Hi Tom,
    I replaced the Cisco RV180 with a Netgear FVS318N and so far, in the lab anyway, I've gotten the following setup to work:
    SG300-10 in layer 3 mode:
    Port 1 - Admin Port - Vlan 1 pvid
    Port 2 - general - VLAN 2 pvid - tagged vlan 4 - forbid vlan 3 - dhcp 192.168.2.0/24 (iface 192.168.2.203)
    Port 3 - general - VLAN 3 pvid - tagged vlan 4 - forbid vlan 2 - dhcp 192.168.3.0/24 (iface 192.168.3.203)
    Port 4 - general - VLAN 4 - Tagged vlan 2 - Tagged vlan 3 - dhcp 192.168.4.0/24 (iface 192.168.4.203)
    Port 10 - Trunk - pvid vlan 1 - Tagged 2-3-4 - (iface 192.168.254.203)
    Routes:
    Added default gateway to vlan 1 iface on router
    Added 192.168.1.0/24 gateway vlan 1 iface router ip (lab's upstream router is on that block which doesn't have an iface on the switch)
    IPV4 ACL:
    Port 2 - priority 500 - Deny any to vlan 3 subnet
                priority 1000 - permit any to any
    Port 3 - priority 500 - Deny any to vlan 2 subnet
                priority 1000 - permit any to any
    On the netgear router, vanilla config with the 4 vlans added to it and inter-vlan routing enabled with switch port 10 plugged into router port 7 for uplink.
    So far it seems to be working correctly. I still need to test VLAN hopping and static IPs and routing to simulate misconfigured or malicious computers plugged into the two main VLANs, but replacing the router seems to have done the job.
    Perhaps further testing would have resulted in a working setup with the RV180, but after so many hours wasted on this setup by us and by the Cisco tech, it was time to make a move.
    What's your opinion on this setup Tom?
    I'm so tired I'm getting cross-eyed and might be forgetting something important.
    Thanks!

  • H-REAP Native VLAN

    In reading the design guides I see that I have to use the Native vlan to send all the CAPWAP traffic for the AP in H-REAP mode. I normally place an unused VLAN as the native vlan to prevent VLAN hopping. How can I do this with the H-REAP AP?

    I'm not quite following your concern...
    An AP, Local or HREAP mode, is only able to communicate via its Native Vlan.  Whatever you define on the switchport as the native vlan, that is the vlan your AP will technically reside in.   Any other vlans you trunk in will be used for client access if configured (and hreap).
    So although I don't think I'm following exactly what you're asking, I think I'm answering it
    Bottom line, whatever you define as the "Native Vlan" on the switchport, that is the vlan of your AP.... no way around this as far as I know.

  • Vlan 1 Pruning eligibility C3750-V2

    I am looking for clarification of vlan pruning; I have seen documentation that leads me to understand that vlans 1,1002-1005 are not eligible for vlan pruning as it carries management traffic such as CDP, so even if a switch has no active vlan 1 ports and the trunk native vlan has been changed vlan 1 will still not be pruned from the trunk.
    This is an offshoot from a problem I raised in the following discussion in which vlan 1 is being pruned from trunks connected to a C3750-V2 but not when connected to a C3750:
    https://supportforums.cisco.com/discussion/12272906/spanning-tree-root-bridge-dispute-c3750-v2
    IOS version: 15-0-2.SE5

    That is correct. However, on the old 3750 stacks there are no active VLAN 1 ports and the native VLAN has been changed, and VLAN 1 remains in a forwarding state. I thought the default VLAN always stayed in a forwarding state, part of the reason VLAN 1 cannot be deleted, to handle management traffic such as CDP (CDP is working across the trunk). I guess that makes it impractical to ever change the native VLAN, and a problem if you have security people who still believe VLAN hopping is more than a theoretical threat. (As an afterthought, turning off VTP pruning also fixes the problem.)
    Thanks for responding

  • VLANs - Default, Native and Management

    Okay, please help in understanding the concept of VLANs by confirming whether the following is true or not, and based on that please help me to clear my doubts.
    Default VLAN - Always VLAN 1 on a switch and cannot be changed. Its purpose is to account for the interfaces/ports which are not assigned a VLAN explicitly.
    Native VLAN - By default, it is also VLAN 1 on a switch, but can be changed. Frames belonging to the native VLAN are sent across the trunk link untagged. Its sole purpose is to provide backward compatibility to devices that don't understand frame tagging, as per 802.1Q.
    Management VLAN - for managing switches.
    Now my doubts:
    1. Can anyone please draw and explain a scenario in which the native VLAN comes into use, so that I can understand its purpose completely.
    2. Management vlan- how they are created/assigned and is used ?

    Hello
    From a security perspective it's best practice to not use VLAN 1 whatsoever, as it is well documented that all Cisco switches default to this VLAN.
    Also it is best to define a native VLAN that will not be used.
    This is due to something I think is called double tagging or VLAN hopping: it is when a hacker, knowing that VLAN 1 is untagged and the default VLAN, can apply an outer tag to an encapsulated packet and send this into your network; then, when this outer tag is stripped away, the native VLAN 1 is seen by the switch, which is accepted into your network and sent on its merry way toward its destination.
    So to negate this threat it is best to either tag ALL VLANs, or define an unused native VLAN and a tagged management VLAN and not allow the native VLAN to cross any trunks.
    example:
    vlan 1 = shutdown
    vlan 10 = management
    vlan 11-49 - user vlans
    vlan 50 = native
    conf t
    vlan 2-50
    exit
    int vlan 1
    shut
    int vlan 10
    ip address x.x.x.x y.y.y.y
    interface gig x/x
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 50
    switchport trunk allowed vlan 2-49
    Regards
    Paul

  • Inside vlan

    Hello everybody!
    I have a small discussion with my colleagues about the operation of access interfaces on a switch.
    My opinion is that when you create VLAN 10, you get an STP instance and a CAM table per VLAN.
    When a frame from a host comes in on an access port in VLAN 10, no 802.1Q tag is added on ingress to the VLAN.
    If the frame goes to another access port inside VLAN 10, it will also go out without any tag.
    During such operations inside a local VLAN there is no tagging at all.
    An 802.1Q tag will be added for a non-native VLAN on the way out of an 802.1Q trunk port, and on the other side the tag will be removed and the frame goes inside VLAN 10 to the destination port.
    I suppose inside a VLAN we don't have any 802.1Q or ISL; we get this only on a trunk.
    Am I right? Thank you in advance for your help!
    P.S. we are not talking about incoming frame on an access port with a tag/double tagging/vlan hopping...
    Best regards,
    Dmitry

    I can't agree more ;)  Thanks a lot!
    I have found the explanation about it inside of a book of Todd Lammle.  It is the final argument ;)
    "An access port belongs to and carries the traffic of only one VLAN. Traffic is
    both received and sent in native formats with no VLAN information (tagging) whatsoever.
    Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. Because an access port doesn’t look at the source address, tagged traffic—a frame with added VLAN information—can be correctly forwarded and received only on trunk ports."
    Thank you very much!
    Dmitry

  • Connecting core switch to the internet ?

    Hi,
    We have 2 6506's connected through an ether-channel trunk.
    On these 6506's we have configured a vlan, vlan interface and 2 access ports for 2 ASA's.
    These ASA's run in failover mode but only one ASA is physically connected at the moment.
    We want to be more resilient so our provider has provided us with a redundant setup of routers for our internet connection.
    However, for this construction they would need a layer 2 connection on our side to have HSRP running.
    There are 2 options in my opinion :
    - Buy a set of switches to facilitate the layer-2 connection between the routers and to connect the outside of the ASAs.
    - Instead of buying 2 new switches, create a new unrouted VLAN on our core 6506s and use access ports for the routers and the ASAs.
    But how safe is it to connect the core switch with an unrouted VLAN to the internet router?
    In terms of VLAN hopping or other possible attacks?
    I think I have to disable DTP, Spanning-Tree, CDP and maybe a lot more?

    I am as far as applying this to secure the port :
    switchport
    switchport mode access
    switchport access vlan X
    switchport nonegotiate
    spanning-tree bpdufilter enable
    spanning-tree portfast edge
    switchport port-security
    switchport port-security maximum 3
    switchport port-security violation restrict
    no cdp enable
    Any additions to this ?
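Added example, not from either post: a small Python audit of IOS-style interface stanzas for the preconditions that Paul's example config (unused native VLAN kept off the allowed list) and the hardening list above (explicit access mode, nonegotiate) are meant to remove. The config text and interface names are constructed for the example.

```python
# Added example, not from the thread: audit IOS-style switchport stanzas for
# the VLAN-hopping preconditions discussed above. Config text is constructed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk native vlan 50
 switchport trunk allowed vlan 2-49
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 50
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 2-49,99
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(cfg):
    """Return {interface name: [stripped config lines]} per 'interface' stanza."""
    stanzas, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None  # '!' closes a stanza in IOS output
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '2-49,99' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def _value(lines, prefix):
    """Text after the first line starting with prefix, or None if absent."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def audit(cfg):
    """Return sorted (interface, finding) pairs."""
    ifaces = parse_interfaces(cfg)
    findings, trunk_native = [], {}
    # Pass 1: record each trunk's native VLAN (Cisco default is VLAN 1).
    for name, lines in ifaces.items():
        if _value(lines, "switchport mode ") == "trunk":
            trunk_native[name] = int(_value(lines, "switchport trunk native vlan ") or 1)
    # Pass 2: per-port checks.
    for name, lines in ifaces.items():
        if _value(lines, "switchport mode ") is None:
            findings.append((name, "no explicit switchport mode: DTP can negotiate a trunk"))
        if "switchport nonegotiate" not in lines:
            findings.append((name, "switchport nonegotiate missing: DTP frames still answered"))
        if name in trunk_native:
            native = trunk_native[name]
            if native == 1:
                findings.append((name, "trunk uses default native VLAN 1"))
            allowed = _value(lines, "switchport trunk allowed vlan ")
            if allowed and native in expand_vlans(allowed):
                findings.append((name, f"native VLAN {native} is in the trunk allowed list"))
        else:
            # Access port; the default access VLAN is 1 when none is configured.
            access = int(_value(lines, "switchport access vlan ") or 1)
            if access in trunk_native.values():
                findings.append((name, f"access VLAN {access} is also a trunk native VLAN"))
    return sorted(findings)
```

Gi1/0/1 here matches Paul's recommended layout and produces no findings; the other ports each show one of the misconfigurations the posts warn about.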

  • Load balancing of PIX firewalls with multiple DMZs

    I need a suggestion about how to balance the traffic through two PIX firewalls, with 4 interfaces (IN,OUT,DMZ1,DMZ2)
    In all the documentation related to the subject, I see always the firewalls with only two interfaces:
    http://www.cisco.com/warp/customer/117/fw_load_balancing.html
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm
    What if I need to balance on more than 2 interfaces?
    Do I have to add more content switches, one for each interface ?
    Or could I use VLANs inside the same content switches, and assign the ports to DMZs appropriately ?
    Thank you in advance for any help.

    We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was: if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing the full capacity of them. If you get the blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.
    Then again, it depends on whether physical security is essential to you and you are concerned with L2 attacks (VLAN hopping, etc.). There are tradeoffs and benefits when using a consolidated infrastructure.

  • Logical vs. Physical Subnetting

    Hi All,
    Networks that isolate traffic from other networks using separate mediums are more secure than ones that isolate via VLAN, correct? So having two networks A and B separate, with separate routers, switches, and cabling, is more secure than creating networks using VLANs, correct?

    Kelly
    Short answer is yes, physical separation of devices will generally always be more secure.
    Two main issues with vlans are
    1) a misconfiguration is much easier as it all to do with just reallocating ports into vlans on the same chassis. Make a mistake and you could just have moved a server into the wrong subnet.
    2) vlan hopping and other attacks. See attached link for vlan security white paper
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
    To be honest I have always been quite comfortable using VLAN segregation, with optional firewalls etc., for internal data centre use, but I always feel more comfortable with physical separation on Internet-facing infrastructure.
    Jon

  • Generate Active load report for Cisco IP Phones

    Hello All,
    We have a cluster containing around 24,000 IP phones, and we have a migration coming up very soon, so we want to get a report of the phones that are still running the old phone firmware.
    Our current active load should be: SCCP42.9-3-1SR2-1S
    So please let me know, is there any way for me to run a report and get the details of the active load for all the phones?
    Thanks.

    I believe the solutions below will address your concerns. 
        The PC that is daisy-chained to the IP phone could capture the MAC address, by the attacker reading it physically on the IP phone and then setting the PC network port to that MAC address. The attacker could then configure its own verified MAC address on a loopback interface, thus the PC would be able to access both its Data VLAN and the former IP phone's Voice VLAN.
        And since the link between the switch and the IP phone acts like a trunk link, VLAN hopping can occur.
    ******** To prevent the end user from reading the MAC address on the bottom of the phone, you could physically remove the MAC label. To prevent the end user from seeing the MAC via the phone display, you would disable the Settings Access setting in the phone configuration in Call Manager, which would prohibit access to the settings button on the phone. ********
        Another attack vector would be a Cisco switch configured for CDP and configured with the same MAC address as either the IP phone or the PC. The attacker could then gain critical information about the state of the corporate switch. In order for this to work the switch would need to have STP disabled so no BPDU would get broadcast.
    ******** In this scenario, you could leave STP enabled, but enable BPDU guard on the port; then if it receives any BPDUs, it could place the port in err-disable state. ********
        The final attack I can think of is that the PC launches a double VLAN tagging assault by tagging its packet as the Voice VLAN and then encapsulating the desired attack VLAN inside that Voice VLAN tag.
    ******** To prevent double VLAN tagging by the PC, you would disable the PC voice VLAN for the phones within Call Manager. ********
    Hope this helps. 

  • Port Access mode allow tagged frames ?

    Hello,
    From my understanding, a Cisco Catalyst switch port in access mode only allows untagged frames to be received and processed. Tagged frames received on an access-mode port should be discarded.
    But I have found the following phrase in the BCMSN course Student Guide:
    "If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored, and the packet is switched at Layer 2 as a standard Ethernet frame."
    Is the term "access" in this case related to non-Cisco equipment? Or are there some Cisco Catalyst HW/SW combinations in which an access-mode port also accepts tagged frames?
    With Best Regards
    Tomas

    Hello Tomas,
    802.1Q tagged frames with a VLAN ID equal to the access VLAN of the port are accepted on Cisco Catalysts.
    For sure it was so in 2004-2005, when I did L2 security tests and read about the following:
    This is the basis for one of the L2 security attacks, called VLAN hopping:
    if you send a frame with two 802.1Q tags and
    a) the external tag VLAN ID = port access VLAN
    b) the same VLAN is used as native VLAN on an inter-switch trunk
    the attacker can send a frame from VLAN X to VLAN Y, bypassing L3 security and routing devices.
    The recommendation is to use as native VLAN a dedicated VLAN for all trunks that is never used on access ports.
    Hope to help
    Giuseppe
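Added example, not from the thread: a small Python model of the tagging rules stated in the opening answer on this page and in Giuseppe's reply (an access port accepts a tag equal to its own VLAN, a trunk sends its native VLAN untagged), showing why a trunk's native VLAN must never be an access VLAN. It assumes both tags use TPID 0x8100 and that an access port strips only one tag on ingress; the frames and MAC addresses are constructed, not captured.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier (assumed for both tags)


def build_frame(dst, src, vlans, payload=b"\x08\x00" + b"X" * 46):
    """Ethernet frame with stacked 802.1Q tags (outermost first) then payload."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vlans)
    return dst + src + tags + payload


def parse_tags(frame):
    """Return (VLAN ids outermost-first, bytes after the last tag)."""
    vids, off = [], 12
    while frame[off:off + 2] == struct.pack("!H", TPID):
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids, frame[off:]


def access_ingress(frame, access_vlan):
    """Access-port rule from the thread: untagged -> access VLAN; a tag equal
    to the access VLAN is accepted and stripped; any other tag is dropped.
    Returns (vlan, frame as held by the switch) or None when dropped."""
    vids, _ = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] != access_vlan:
        return None
    # Only the outer tag is removed; a second tag is just payload to this switch.
    return access_vlan, frame[:12] + frame[16:]


def trunk_egress(vlan, frame, native_vlan):
    """Trunk sends native-VLAN frames untagged and everything else tagged."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan, allowed):
    """Far-end trunk: untagged -> native VLAN, else the outer tag's VLAN.
    Returns the VLAN the frame lands in, or None if not in the allowed list."""
    vids, _ = parse_tags(frame)
    vlan = vids[0] if vids else native_vlan
    return vlan if vlan in allowed else None


def hop_outcome(access_vlan, native_vlan, inner_vlan, allowed):
    """VLAN in which a double-tagged frame (outer=access_vlan, inner=inner_vlan)
    received on the access port lands on the far switch, or None if dropped."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")  # constructed MACs
    frame = build_frame(dst, src, [access_vlan, inner_vlan])
    held = access_ingress(frame, access_vlan)
    if held is None:
        return None
    vlan, stored = held
    return trunk_ingress(trunk_egress(vlan, stored, native_vlan), native_vlan, allowed)


if __name__ == "__main__":
    # Native VLAN shared with the access VLAN: the inner tag surfaces on the trunk.
    print(hop_outcome(1, 1, 20, {1, 10, 20}))       # 20
    # Dedicated native VLAN 50: the frame stays in its access VLAN.
    print(hop_outcome(1, 50, 20, {1, 10, 20, 50}))  # 1
```

With the native VLAN also pruned from the trunk's allowed list (Paul's layout above), the same frame is dropped at the far end instead of landing in VLAN 1.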
