VLAN Hopping on Native VLAN

Hi,
Is it possible to send tagged frames on a switch port that is configured as an access port with a VLAN ID equal to the native VLAN, in order to do VLAN hopping?
What are the best practices to avoid VLAN hopping?

Hello,
I think what you describe is a double-encapsulated VLAN hopping attack.
The documents below talk about preventing this and other VLAN hopping attacks:
Layer 2 -- The Weakest Link
Security Considerations at the Data Link Layer
http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html
Hacking Layer 2: Fun with Ethernet Switches
http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
Regards,
GP
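As an added illustration (not part of GP's reply or the linked documents), the parser below shows what a double-encapsulated frame looks like on the wire and how a capture or monitoring script can flag one: the frame carries two 802.1Q tags and the outer VID equals the native VLAN of the port it arrived on, so the first switch strips the outer tag and forwards the frame with the inner tag still attached. The frame bytes are constructed here for the example; `build_frame` and `is_double_tag_hop` are names chosen for this snippet.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


def parse_vlan_tags(frame: bytes):
    """Return (list of VIDs outer-to-inner, inner EtherType) for an Ethernet frame.

    Walks consecutive 802.1Q tags after the 12-byte dst/src MAC header.
    Each tag is TPID (0x8100) + TCI; the VID is the low 12 bits of the TCI.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no EtherType after tag stack")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype != TPID_8021Q:
            return vids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4


def is_double_tag_hop(frame: bytes, port_native_vlan: int) -> bool:
    """True when the frame is double-tagged and its outer VID is the port's native VLAN.

    A single tag (normal trunk traffic) or an outer tag that is not the native
    VLAN is not the double-encapsulation case discussed in the thread.
    """
    vids, _ = parse_vlan_tags(frame)
    return len(vids) >= 2 and vids[0] == port_native_vlan


def build_frame(vids, payload: bytes = b"\x00" * 46, ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame with the given tag stack (test input for the parser only)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")  # constructed MACs
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return header + tags + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    native = 1  # native VLAN of the (hypothetical) access port being monitored
    for tags in ([], [10], [1, 20], [5, 20]):
        f = build_frame(tags)
        verdict = "ALERT double-tag via native VLAN" if is_double_tag_hop(f, native) else "ok"
        print(tags, parse_vlan_tags(f), verdict)
```

The mitigations the linked documents describe (a dedicated unused native VLAN and tagging the native VLAN) remove the condition this check looks for, so on a hardened trunk it should never fire.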

Similar Messages

  • SG500 auto voice VLAN question about native VLAN

    I have been installing SG300 and SG500 switches and using the auto voice VLAN feature by simply changing the voice VLAN to 100 and using VLAN 1 for default and data. I normally put the switch in L3 mode and make an access port each for my IP PBX (VLAN 100) and one to connect to the existing data network (VLAN 1). Then I make a static route in the customer's default gateway to route back to VLAN 100 and everything works nicely for most installs.
    On my last install I decided to try to change the default VLAN 1 to VLAN 10 and go with 10 for data and 100 for voice. The problem I ran into was that the auto-generated config on my phone switchports still uses VLAN 1 as the native VLAN. I am trying to find a way to still use auto VLAN and get the desired native VLAN without having to make manual config changes.
    Should this be possible?
    Thanks in advance.

    Hi Brandon, you need to modify the macro from native VLAN 1 to VLAN 10.
    Check out this topic on how to modify the macro:
    https://supportforums.cisco.com/thread/2177613
    -Tom
    Please mark answered for helpful posts

  • "vlan dot1q tag native" end-to-end QoS switched network

    Guys,
    Can I use this in my switched network design (without using 802.1q tunneling, as the documentation always seems to mention this VLAN-in-a-VLAN scenario)?
    I have native VLANs and I want to act upon the 802.1p CoS field from end to end in my switched network. If the packet happens to be in a native VLAN, I cannot do this.
    i.e.
    pc------accessswitch--------distswitch/rtr
    Between access and distribution there is a dot1q trunk, and the native VLAN is the VLAN the PC is in.
    Choices:
    run the command "vlan dot1q tag native"
    don't have a native VLAN, i.e. have VLAN 1 (the default) as native on the dot1q trunk up to the dist
    or act only upon L3 DSCP
    Can anyone help?
    Many thx,
    Ken

    Hi there,
    Many thanks for that. This I understand, and the question was really: if I wanted to use a dot1p tag in the dot1q header, but the VLAN that the PC was on was the same VLAN as the native VLAN on the dot1q trunk, what is the best option to ensure I can action QoS?
    Just trust DSCP on the trunks always,
    tag the native,
    or just don't run a native VLAN.
    I hope this makes sense. Sorry if I was a little confusing before.
    Thx
    Ken

  • H-REAP Native VLAN

    In reading the design guides I see that I have to use the native VLAN to send all the CAPWAP traffic for the AP in H-REAP mode. I normally place an unused VLAN as the native VLAN to prevent VLAN hopping. How can I do this with the H-REAP AP?

    I'm not quite following your concern...
    An AP, in Local or HREAP mode, is only able to communicate via its native VLAN. Whatever you define on the switchport as the native VLAN, that is the VLAN your AP will technically reside in. Any other VLANs you trunk in will be used for client access if configured (and HREAP).
    So although I don't think I'm following exactly what you're asking, I think I'm answering it.
    Bottom line: whatever you define as the "Native Vlan" on the switchport, that is the VLAN of your AP.... no way around this as far as I know.

  • Trunk Native VLAN

    Don't configure a native VLAN unless you have to. You're increasing your attack surface with the potential of VLAN hopping (dot1q hopping, some call it).
    http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
    https://en.wikipedia.org/wiki/VLAN_hopping
    Edit:Spelling

    Hello,
    I'm trying to understand native VLAN trunking better. Maybe someone can please help explain? I understand trunking and VLANs, and I know that on the trunked port I can allow whatever VLANs I want to, and I know that the native VLAN carries untagged frames.
    So for example, if I have say 3 VLANs and a native VLAN:
    vlan 10, vlan 20, vlan 30, and I have the command on the trunked port "switchport trunk allowed vlan 10,20,30"
    so all those VLANs will pass on the trunk, correct? And native VLAN 1 will pass all the telnet, CDP traffic etc., correct?
    Also, how do I change the native VLAN?
    Thanks.

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have approx. 1500 access points in approx. 500 locations. The WLCs are WiSM2s running 7.4.110.0. The APs are 1131 LAPs. In a FlexConnect configuration we use VLAN 410 as the native VLAN and the SSID (LAN) is also in VLAN 410. This works fine; we never had any problems with this.
    Now we have started using 1602 APs and the client connection on SSID LAN becomes unstable.
    If we configure a different SSID, using VLAN 420 with the native VLAN as 410, everything works fine.
    I can't find any recommendations regarding the use of native VLAN/SSID VLAN.
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within 1602 access points?
    Regards,
    Lars Christian

    It is the recommended design to put FlexConnect AP management into the native VLAN and user traffic into a tagged VLAN.
    From the QoS perspective, if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a VLAN (other than the native VLAN) and trust CoS on the switch port connected to the FlexConnect AP (usually configured as a trunk port).
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • What is AP H-REAP Native Vlan used for?

    We have a few APs - CAP3502s and LAP1242s for the most part - whose H-REAP "Native Vlan" doesn't match the switchport's native VLAN. It appears that the switchport native VLAN is what gets used for the AP for DHCP (it gets an AP IP address from that network). If so, does anyone know what the purpose of specifying the native VLAN in the H-REAP config is? I can think of no useful purpose, but if there is one I'd appreciate anyone who could say.
    Thanks.
    BTW this is on a 5508 controller running 7.0.240.0 code.

    Thanks Scott - further info: the VLAN mappings are filled in with the appropriate VLANs, which are separate from the AP native VLAN. In this case VLANs 202, 203, 204 and 206 are assigned to various SSIDs and the native VLAN for the AP is set to 201. The switchport is set to trunk all VLANs and has native VLAN 221, and it is from VLAN 221 that the AP gets its own IP.
    So on the one hand, if specifying the 'native' VLAN were to avoid cases where the wrong VLAN was native on the switch (and so, to tell the AP which VLAN to use for itself and control traffic), I would expect the AP to have a VLAN 201 address.
    If on the other hand this is merely a 'documentary' setting to say what the 'native vlan' *should* be, then I would expect the AP to have a VLAN 221 IP, which it does.
    Just trying to find out if this setting does anything more than document.

  • If VLAN 1 is the native VLAN, then does that mean there can only be one?

    If VLAN 1 is native, does that mean when you assign another VLAN to be native, VLAN 1 is no longer native and the other VLAN is? Meaning you can only have one?

    Let us start by being clear that the concept of native VLAN is related to a particular interface doing trunking. If you have two interfaces doing trunking, it is quite possible that the first one would have VLAN 1 as native and the other one might have VLAN 2 as native.
    On a particular interface doing trunking it is quite true that there can be only a single native VLAN for that trunk.
    HTH
    Rick

  • Native vlan

    Can anybody tell me in detail
    1) what is tagged traffic
    2) what is untagged traffic
    Kindly explain it to me in terms of the native VLAN... funda

    Over a dot1q trunk, traffic in VLANs other than the native VLAN is tagged with a 4-byte header which has the following fields:
    http://www.cisco.com/warp/public/473/741_4.html#topic2
    The native VLAN does not have this tag. Newer switches/IOS do have an option to tag the native VLAN as well. The above page has additional info which you will find useful.
    PS:Rate useful posts

  • Fabric interconnect and Native Vlan

    Hi
    I just want to ask a simple question:
    are there any precautions with the native VLAN between the switched infrastructure and the Fabric Interconnect?
    I mean, can I use any VLAN as the native VLAN, e.g. 999, "anything but not 1"?

    As a security best practice, on trunks carrying multiple VLANs you should not allow the native VLAN on the line. When you have a single VLAN going to a device, an end node for example, the port should be configured as an access port with a single data VLAN, and potentially a voice VLAN if that will be used.
    For example, our N5Ks have a trunk to each of our UCS interconnects. We set the native VLAN on the N5K side to 999. 999 is not in the allowed list for the trunk, so the native VLAN never makes it to the UCS. On the UCS, for any server that can handle VLANs (ESXi for example) we send only tagged VLANs -- no VLAN is marked native, thus accomplishing the same thing as we did for the N5K-to-FI link.
    It is recommended best practice not to leave your native VLAN as 1. It's less of a concern if the native VLAN isn't in the allowed list, but to avoid misconfiguration issues you should set it to another VLAN.

  • Native Vlan Usage

    I have several VLANs on 2950 switches. Each VLAN is monitored separately and the data on the VLANs must never mix. Should I move the native VLAN off VLAN 1 and set it to match the individual VLAN numbers? Or maybe I just don't understand the function of the native VLAN.

    The native VLAN is the VLAN on an 802.1q trunk that isn't tagged with an 802.1q header. And that's all there really is to it.
    Generally, most administrators use the same native VLAN for the sake of consistency. Some tag the management VLAN as the native VLAN, while others will set an unused VLAN as the native VLAN. It's mostly a matter of procedure, policy, and personal preference.
    HTH,
    Bobby
    *Please rate helpful posts.

  • Native Vlan Effect on the Overall Network Performance

    Dear Experts,
    I would like to know whether the native VLAN affects the overall network performance, makes the whole network slow, and can cause all network devices to fail or disconnect. I am facing this issue in the network: after applying "vlan dot1q tag native" in global config, the users disconnect from the network and so do the devices.
    Kindly assist on this issue with a practical scenario and a result-oriented conclusion.
    Further, I have the following devices in the network: Catalyst 4500, Nexus 5548, FIC 6248, UCS 5018 and Catalyst 3750.
    The issue is this: VLAN 50, which is for UCS, is not accessible from the LAN network even though we added VLAN 50 on all the switches and it propagated to the whole network, so we made VLAN 50 native and added "switchport trunk native vlan 50" on the trunk ports from the Nexus 5548 to the Fabric Interconnect and to the Core Switch 4500. After adding VLAN 50 as the native VLAN we can access the UCS from the LAN.
    But after adding native VLAN 50 on all trunks the network administrator is complaining that the network is slow and a few servers are disconnecting.
    For information, the server VLAN is 1.
    Waiting for the answer.
    Thanks,
    JH

    Hello.
    1. Could you please draw an interconnectivity diagram of all the devices?
    2. Could you choose any LAN device (on the same switch as the UCS) and post here the running config of the device that interconnects them?

  • Native Vlan LWAP to Controller

    Hi guys,
    I had an LWAP connected to a switch trunk port:
    Port        Vlans allowed on trunk
    Fa1/1       1-4094
    The LWAP joined the WLC, then I switched it to FlexConnect mode. I enabled VLAN support and used VLAN 1 as the native VLAN.
    Knowing exactly the site's SSIDs, I went to the switch and "secured the config":
    interface fa1/1
    switchport trunk allowed vlan none
    switchport trunk allowed vlan add 5, 10
    show interfaces FastEthernet 1/1 switchport 
    Name: Fa1/1
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: trunk
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Trunking VLANs Enabled: 5, 10
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    I did this assuming that the LWAP would communicate with the controller on native VLAN 1, while VLANs 5 and 10 had to be mapped/used for the site's two SSIDs. As you probably assume, the LWAP got disconnected from the controller.
    I had to "switchport trunk allowed vlan add 1" and finally things got back to the way they were.
    Why did the native VLAN also have to be allowed in the tagged VLAN list?

    Florin -
    VLAN 1 also had to be allowed because of the command you issued:
    switchport trunk allowed vlan none
    This command effectively prevents any VLANs (tagged or untagged) from passing across the trunk link. Be aware the trunk link will remain in an On state even though you have blocked all VLANs from passing through it. So think of the "switchport trunk allowed" set of commands as a block/allow set of rules that exists independently of the configuration requirements to create a trunk link, such as one native VLAN being established, encapsulation being set, and negotiation being set.
    Regards,
    Justin
    P.S. here is a link that will help explain it in more detail https://supportforums.cisco.com/document/11836/how-define-vlans-allowed-trunk-link
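As an added example (not from Justin's reply or the Fabric Interconnect answer above, and not a vendor tool), the audit below reads Catalyst "show interfaces ... switchport" output and flags the trunk settings those two replies discuss: a native VLAN of 1, a native VLAN left in the allowed list (so untagged frames cross the trunk), native-VLAN tagging not in effect, and DTP negotiation still on. The sample output is constructed to resemble the Fa1/1 output posted above, with "1,5,10" allowed so that the allowed-list finding fires; `switchport nonegotiate` and `vlan dot1q tag native` are standard IOS commands, not something the thread configured.

```python
import re

# Constructed sample, modelled on the 'show interfaces FastEthernet 1/1 switchport'
# output in the thread; the allowed list was changed to include the native VLAN.
SAMPLE = """\
Name: Fa1/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Trunking VLANs Enabled: 1,5,10
Pruning VLANs Enabled: 2-1001
"""


def parse_switchport(text: str) -> dict:
    """Turn the 'Key: value' lines into a dict; values keep their raw string."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_vlan_list(spec: str) -> set:
    """Expand '1,5,10' or '2-1001' into a set of VIDs; ALL is 1-4094, NONE is empty."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return set(range(1, 4095))
    if spec in ("", "NONE"):
        return set()
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def audit_trunk(text: str) -> list:
    """Return the findings for one switchport as short strings (empty list = nothing flagged)."""
    f = parse_switchport(text)
    findings = []
    if f.get("Operational Mode") != "trunk":
        return findings  # access ports are out of scope for these checks
    native = int(re.match(r"\d+", f.get("Trunking Native Mode VLAN", "0")).group())
    allowed = parse_vlan_list(f.get("Trunking VLANs Enabled", "NONE"))
    if native == 1:
        findings.append("native VLAN is 1: move it to a dedicated, unused VLAN")
    if native in allowed:
        # As Justin's reply shows, a device that talks untagged (the FlexConnect AP)
        # needs this; on a pure inter-switch trunk it is an unnecessary exposure.
        findings.append(f"native VLAN {native} is in the allowed list: untagged frames cross the trunk")
    if f.get("Administrative Native VLAN tagging", "").lower() != "enabled":
        findings.append("native VLAN is sent untagged: consider 'vlan dot1q tag native'")
    if f.get("Negotiation of Trunking", "").lower() == "on":
        findings.append("DTP negotiation is on: use 'switchport nonegotiate' on a static trunk")
    return findings


if __name__ == "__main__":
    for finding in audit_trunk(SAMPLE):
        print("-", finding)
```

Run it over the saved output of every trunk port; a port with an empty result matches the practice the Fabric Interconnect reply describes (dedicated native VLAN, kept out of the allowed list).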

  • Native vlan query

    (CE)--Trunk port via wi-max device--(PE-Switch)--Trunk port--(PE-Router)
    In the above scenario, suppose the CE router is unable to create a sub-interface, so to communicate with the PE router I have used
    switchport trunk native vlan 834 and it's working.
    But when I use
    encapsulation dot1Q 834 native on the router sub-interface it is not working.
    ##########Working config#################
    PE-Switch#
    interface FastEthernet1/0/5
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 834
    switchport trunk allowed vlan 503,834
    switchport mode trunk
    speed 100
    duplex full
    PE-Router#
    interface GigabitEthernet1/0/1.834
    bandwidth 128
    encapsulation dot1Q 834
    ip vrf forwarding ABC
    ip address 172.34.63.69 255.255.255.252
    end
    PE-Router#ping vrf ABC 172.34.63.70
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.34.63.70, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
    ##########Non-Working config#################
    PE-Switch#
    interface FastEthernet1/0/5
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 503,834
    switchport mode trunk
    speed 100
    duplex full
    PE-Router#
    interface GigabitEthernet1/0/1.834
    bandwidth 128
    encapsulation dot1Q 834 native
    ip vrf forwarding ABC
    ip address 172.34.63.69 255.255.255.252
    end
    PE-Router#ping vrf ABC 172.34.63.70
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.34.63.70, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Thanks & Regards
    Mahesh

    Hi,
    I'm confused by your configuration because the "switchport trunk native vlan 834" command is gone in your non-working configuration.
    Also, is Fas1/0/5 connected to your CE or to your PE-Router?
    Let's say Fas1/0/5 is connected to your CE and 1/0/6 to your PE-Router. A working configuration should be:
    PE-Switch#
    interface FastEthernet1/0/5
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 834
    switchport trunk allowed vlan 503,834
    switchport mode trunk
    speed 100
    duplex full
    interface FastEthernet1/0/6
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 834
    switchport trunk allowed vlan 503,834
    switchport mode trunk
    speed 100
    duplex full
    PE-Router#
    interface GigabitEthernet1/0/1.834
    bandwidth 128
    encapsulation dot1Q 834 native
    ip vrf forwarding ABC
    ip address 172.34.63.69 255.255.255.252
    end
    Be sure your native VLAN is consistent on all your trunks or you could have traffic leaking between VLAN 1 (the default native VLAN) and VLAN 834.
    HTH
    Laurent.

  • Native VLAN and the "Black Hole"

    While reviewing the configuration of a network that I'm supporting, it seems that the original design of the network has the black hole VLAN as the native VLAN. At the least this seems incorrect, and possibly very dangerous, but I'm not exactly sure why or how to articulate that. Can someone confirm or deny this suspicion?
    In addition, I had two further questions regarding the practice of using a black hole VLAN:
    1. If you have any unused ports, it seems more practical to just admin down these ports instead of creating an unused VLAN. Is there some added advantage to ALSO putting these ports in an unused VLAN (e.g. 999)? If the port were needed, you could simply admin up the port, during which time you could also change any needed VLAN configuration. In other words, you'd have to log into the device and make changes whether you went with the admin-down method, the black hole VLAN method, or both. So what's the point?
    2. Assuming you do use the black hole VLAN as an added security method, I feel that including that VLAN in the "switchport trunk allowed vlan" command is counterproductive, but I'm not fully able to articulate why. Can someone help me with this?
    Thanks for any information or suggestions that you may have.

    I'm assuming you mean a VLAN for unused ports when you refer to a black hole VLAN. If so, the key things are:
    a) that VLAN does not have an L3 VLAN interface (SVI), as there is no need to route it
    b) any unused ports are shut down
    If you follow the above then I can't see the danger in using it as the native VLAN, but I wouldn't do it regardless of that. I would have a dedicated native VLAN and a separate VLAN for unused ports.
    To my mind there should be no ports allocated to the native VLAN (other than trunk ports, obviously).
    The benefit of using a dedicated VLAN for unused ports is:
    a) it provides an additional level of security. People make mistakes, and having to do multiple things to enable a port requires more attention than simply doing a "no shut" on the interface.
    The more attention someone is paying, the more likely they will get it right, or at least the less likely they will make a mistake.
    b) if you don't use an unused VLAN you are leaving all the ports in the default VLAN, which is VLAN 1, and this should be avoided as this VLAN is overused already, e.g. switch control plane traffic is sent on this VLAN and often the switch management interfaces are in this VLAN.
    As far as allowing the unused VLAN on trunk links, it is totally unnecessary and in fact you really don't want to do that. The idea of the unused VLAN is non-communication, so it would make no sense to allow it on trunk links.
    In my last place of work we used VLAN 998 as the unused VLAN and VLAN 999 as the native VLAN.
    Neither had an SVI.
    If by black hole VLAN you meant something else then please clarify.
    Jon
