After a long break I am finally back in the Cisco world; basically I am focusing on VLAN hopping attacks.
Question: Why does an access port even accept tagged packets? VLAN is a switch mechanism, so why does it even accept it from a host?
VLAN hopping attacks can be done in one of two ways:
1. Using DTP to form an illegal trunk and wham! You can see all the VLANs and can technically hop onto whichever you like. OK, that's clear to me.
2. Double tagging the frame with an inner tag of the victim's VLAN and an outer tag of your own VLAN. If that VLAN also happens to be the native VLAN then it will surely go across the trunk, because the poor switch will think it's a frame in the native VLAN that should be sent across the trunk untagged. So the secret inner VLAN makes its way across the trunk undetected like a ninja :D Don't know where that came from.
In a nutshell:
I still don't get why the access port even accepts the VLAN tag on a hard-coded access port.
An access port is a member of one VLAN only.
Double tagging exploits the native VLAN...
Let's say you have a node on VLAN 2, and the attacker is sitting on the native VLAN, i.e. 1. A specially formulated packet could be created that would tag the former VLAN. When it leaves the first switch the first tag is removed (as it won't be tagged, by default), thus when it reaches the second switch it will forward it to the said VLAN.
Thank you for the response Cmartyn, BUT you're describing the attack to me and that's not my question.
My question is: why does an access port accept a TAGGED packet in the first place? I say that because VLAN is a switch function and the host doesn't even know about it....
Why does a switch accept tagged packets from a host??? That's the question.
As I was told:
If a port is configured as
switchport mode access
switchport access vlan 100
then this port is an access port and it will not accept a TAGGED packet.
If a port is configured as
switchport access vlan 100
then this port is an access port that can be switched to trunk mode by DTP, and it will accept a TAGGED packet.
This will mitigate 'VLAN hopping', not 'double tagging'.
Like I say, it works by exploiting the native VLAN. When the attacker's specially crafted packet is sent, the first tag is removed when leaving the first switch; then, when the packet arrives at the second switch, it will forward it to the specified VLAN. Essentially the packet is received as if it had legitimately been sent.
Make sure you specify the port as switchport mode access, then you will see the difference.
Any port by default will be in dynamic desirable or dynamic auto mode, depending on the hardware model.
In either case it will try to become a trunk if the other end desires to become a trunk.
In your case you have not specified that your port will be access.
To make the port an access port you need to give the command "switchport mode access".
So two things here:
1. switchport mode access ---- makes the switchport behave like an access port.
2. switchport access vlan X ---- makes the switchport part of VLAN X.
The first command is very important. The second command is not required; even if it is absent, the port will default to the default VLAN 1.
Switch#sh int trunk
>> No output, as the ports don't have any config.
I will configure the trunk port only on the Sw1 side.
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,6,100
interface FastEthernet0/1 >>>> no config on this port.
#sh int tr
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk

Port        Vlans allowed and active in management domain

Port        Vlans in spanning tree forwarding state and not pruned
Now only native VLAN traffic would flow across the link.
3) Let's take an example now:
I will configure the port to be part of access VLAN 6, but I will not enter the command "switchport mode access":
switchport access vlan 6 >>>>
In this setup, VLAN 6 of SW2 will be connected to VLAN 1 of SW1.
When SW2 forwards VLAN 6 traffic on the access port, it will be untagged, and SW1 will consider this traffic as arriving on the native VLAN, which is VLAN 1 by default; similarly in the reverse direction. Now SW1 can forward traffic for VLANs 1, 6 and 100, but for VLANs 6 and 100 the traffic will be tagged and SW2 will not accept it. For VLAN 1, however, SW1 will pass untagged traffic even on the trunk port, since this is the native VLAN of the trunk, and SW2 will forward it on into VLAN 6.
Sometimes this ends up in VLAN leaking as well.
Thank you for all the responses
The answer is that THEORETICALLY this attack is implemented on ACCESS ports, and SOME switches do accept tagged packets on ACCESS PORTS! Yes, I do mean ACCESS PORTS, NOT trunk ports! And they just go ahead and remove the tag and forward the packet on! Wow! But recent CISCO switches DROP these kinds of packets, while some earlier switches used to pass them. It's hard to tell which ones do with so many vendors around. This attack can be crafted using a tool called Scapy.
So, to be on the safe side, use the tagged native VLAN option and always put unused ports in the native VLAN.....
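As an added example that is not part of this thread or any of its replies, the following Python models the two-switch double-tagging path described above and the VLAN 6 to native VLAN leak from the earlier reply, so the outcomes can be checked without real switches. The switch behaviour here is a deliberate simplification assumed for illustration (a legacy access port that strips the outer tag and forwards, a hard-coded access port that drops tagged frames, a trunk that sends the native VLAN untagged unless native tagging is on); Scapy's Ether()/Dot1Q() layers would produce the same bytes on the wire, but the frames are built by hand here so the block runs with the standard library only. MAC addresses, payloads and VLAN numbers are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


def build_frame(dst_mac, src_mac, vlan_tags, ethertype=0x0800, payload=b""):
    """Build an Ethernet frame with zero or more stacked 802.1Q tags.

    vlan_tags lists VIDs outermost first; an attacker building a
    double-tagged frame passes [own_vlan, victim_vlan].
    """
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_tags)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def tag_stack(frame):
    """Return the VIDs of all 802.1Q tags on the frame, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    """Remove the outermost 802.1Q tag (the 4 bytes after the MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag with the given VID as the new outermost tag."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def sw1_access_to_trunk(frame, access_vlan, native_vlan,
                        drop_tagged_on_access=True, tag_native=False):
    """Model SW1: frame enters an access port in access_vlan, leaves on the trunk.

    Returns the frame as seen on the trunk wire, or None if SW1 drops it.
    drop_tagged_on_access=True models a "switchport mode access" port that
    discards tagged frames; False models the legacy behaviour the thread
    describes, where the tag is stripped and the frame forwarded anyway.
    tag_native=True models the global "vlan dot1q tag native" command.
    (Assumed simplified behaviour, for illustration only.)
    """
    if tag_stack(frame):
        if drop_tagged_on_access:
            return None
        frame = pop_tag(frame)
    # Trunk egress: the native VLAN goes untagged unless native tagging is on.
    if access_vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, access_vlan)


def sw2_trunk_ingress(frame, native_vlan):
    """Model SW2: return the VLAN a frame arriving on its trunk is delivered to.

    Untagged frames land in the native VLAN; tagged frames land in the VLAN
    of their outermost tag (which SW2 then strips before delivery).
    """
    vids = tag_stack(frame)
    return native_vlan if not vids else vids[0]


def double_tag_outcome(attacker_vlan, victim_vlan, native_vlan,
                       drop_tagged_on_access=True, tag_native=False):
    """VLAN on SW2 that a double-tagged frame from the attacker ends up in."""
    frame = build_frame("ffffffffffff", "020000000001",          # constructed MACs
                        [attacker_vlan, victim_vlan], payload=b"constructed payload")
    on_trunk = sw1_access_to_trunk(frame, attacker_vlan, native_vlan,
                                   drop_tagged_on_access, tag_native)
    return None if on_trunk is None else sw2_trunk_ingress(on_trunk, native_vlan)


def access_vlan_leak(sw1_native_vlan):
    """The mismatch case from the thread: SW2's access port sends its VLAN
    untagged into a port SW1 treats as a trunk, so SW1 files it under its
    own native VLAN regardless of which VLAN SW2 meant."""
    untagged = build_frame("ffffffffffff", "020000000002", [], payload=b"constructed payload")
    return sw2_trunk_ingress(untagged, sw1_native_vlan)


if __name__ == "__main__":
    # legacy access port, attacker in native VLAN 1: frame lands in victim VLAN 2
    print(double_tag_outcome(1, 2, 1, drop_tagged_on_access=False))
    # native VLAN moved to 999 on both trunk ends: attacker's tag stays on the wire
    print(double_tag_outcome(1, 2, 999, drop_tagged_on_access=False))
    # "vlan dot1q tag native": native-VLAN frames are tagged on the trunk too
    print(double_tag_outcome(1, 2, 1, drop_tagged_on_access=False, tag_native=True))
    # hard-coded "switchport mode access" port that drops tagged frames
    print(double_tag_outcome(1, 2, 1))
    # VLAN 6 access port on SW2 facing an SW1 trunk with native VLAN 1: leaks into VLAN 1
    print(access_vlan_leak(1))
```

The four double-tag scenarios correspond to a legacy access port, `switchport trunk native vlan 999` on both trunk ends, the global `vlan dot1q tag native`, and a hard-coded `switchport mode access` port; only the first delivers the frame into the victim's VLAN, because only there does SW1 send the attacker's frame untagged, leaving the inner tag as the outermost one SW2 sees.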
We need to be sure to configure the trunk ports so that we control which VLANs are allowed over them.
By default all ports on the switch belong to the native VLAN, which is VLAN 1.
And while configuring the native VLAN, make sure to have the same native VLAN at both ends to avoid VLAN leaking.
You mean to manually allow specific VLANs?
That's always a very positive & essential approach, to manually allow VLANs,
and to avoid these attacks we have to change the native VLAN to a VLAN other than VLAN 1
and also put unused ports in that native VLAN...
Yes that is what I meant.
NOTE: Whichever native VLAN you have configured needs to be the same at the other end to avoid any VLAN leaking.