Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Double tagging through access ports. Why?

Hello.....

After a Long break iam finally back in the cisco world...., basically iam focusing on Vlan hopping attacks.

Question : Why does an access port even accept tagged packets? vlan is a switch mechanism, then why does it even accept it from a host 

Vlan hopping attacks can be done by one of the two ways: 

1. Using DTP to form a illegal trunk and wham! you can see all the vlans and can technically HOP on which ever u like. Ok thats clear to me.

2. Double Tagging the frame with inner tag vlan of the victim and outter tag of your  own vlan...if that vlan also happens to be the native vlan then it will surely go across the trunk bcz the poor switch will think its a frame that is in the native vlan and should be sent across the trunk untagged. so the secret inner vlan makes its way across the trunk being undetected like a ninja :D dont know where that came from.

 

In a nutshell

I still dont get why does the access port even accept the VLAN tag from the Hardcored access port

  • LAN Switching and Routing
9 REPLIES
New Member

An access port is a member of

An access port is a member of one VLAN only.

Double tagging exploits the native VLAN...

Lets say you have a node on VLAN 2, and the attacker is sitting on the native VLAN, i.e. 1, a specially formulated packet could be created that would tag the former VLAN. When it leaves the first switch the first tag is removed (as it's won't be tagged, by default), thus when it reaches the second switch it will forward it to the said VLAN.

Martin

New Member

Thank you for the response

Thank you for the response Cmartyn BUT your describing the attack to me and thats not my question

 

My Question is why does an access port accept a TAGGED packet in the first place? i say that because VLAN is a Switch function and the host doesnt even know about it....

 

Why does a Switch accept Tagged packets from a host??? Thats the question

as I was toldif port

as I was told

if port configured as

switchport mode access

switchport access vlan 100

so this port is access port and it will not accept a TAGGED packet

 

 

if port configured as

switchport access vlan 100

so this port is access port and can be switched to trunk mode by dtp and it will  accept a TAGGED packet

New Member

This will mitigate 'VLAN

This will mitigate 'VLAN hopping', not 'double tagging'.

Like I say, it works by exploiting the native VLAN, when the attackers specially crafted packet is sent, the first tag is removed when leaving the first switch, then, when the packet arrives at the second switch it will forward it to the specified VLAN. Essentially the packet is received as if it had legitimately been sent.

Martin

Cisco Employee

Hi,Any port by default will

Make sure you specifiy the port as switchport mode access then you would see the difference.

 

Any port by default will be in dynamic desirable mode or dynamic auto based on the different hardware models.

In any case it would try to become a trunk if the other end desires to become a trunk.

In your case you have not specified that your port will be access. 

To make the port an access port you need to give the command “switch port mode access”


So two things here:

1. Switchport mode access---- makes the switcport to behave like an access port.

2. Switchport access vlan X---- makes the switch port part of vlan X

 

The first command is very important. The second command is not required. Even if there is no command it will default to default vlan 1.

 

Example;

Sw1----F0/1-----F0/1---SW2

!
interface FastEthernet0/1
!

Switch#sh int trunk
>.No output as the ports doesnt have any config.
Switch#


2)
Sw1----F0/1-----F0/1---SW2
I will configure the trunk port only on Sw1 ports.

SW1:
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk allowed vlan 1,6,100
!

SW2:
!
interface FastEthernet0/1>>>> no config on this port.
!

Result:
========

Switch2

#sh int tr
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1

 

2)

Now only native vlan information would be flowed across the links.

 

3) Lets take an example now:

I will configure the port to be part of access vlan 6 but I will not mentioned the cmd "switchport mode access"

SW2:-

interface f0/1
 switchport
 switchport access vlan 6 >>>>

In this setup, vlan6 of SW2 will be connected to vlan 1 of SW1

 When SW2 will forward traffic of vlan 6 on access port, it will be untagged traffic and SW1 will consider this traffic coming on native vlan which is by default vlan1. similarly reverse way. Now SW1 can forward traffic for vlan 1,6, and 100 but for vlan 6 and 100 traffic will be tagged and sw2 will not accept. But for vlan1 , sw1 will pass untagged traffic even on trunk port since this is native vlan for trunk port and sw2 will forward it further on vlan 6.

Sometime this would end up in vlan leaking as well.

HTH

Inayath

 

New Member

HiThank you for all the

Hi

Thank you for all the responses 

The answer is that THEORETICALLY this attack is implemented on ACCESS ports and SOME switches do accept tagged packets on ACCESS PORTS! Yes i do mean ACCESS PORTS .. NOT Trunk Ports!   and they just go ahead and remove the tag and forward the packet on! wow! but the recent CISCO switches DROP these kind of packets but some earlier switches do used to pass them....its hard to tell which one does them with so many vendors around..This attack can be crafted using a tool called Scapy.

So to be on the safe side use a tagged native vlan option and always put unused ports in the native VLAN.....

Cisco Employee

We need to be sure of

We need to be sure of configuring the Trunk ports to make sure which vlans are to be allowed over it.

 

By default on the Switch all ports would belong to native vlan which is vlan 1.

 

And while configuring the Native vlan make sure to have the same vlans in Native at both the ends to avoid vlan leaking.

 

HTH

Regards

Inayath

***please do not forget to rate all usefull psts.

New Member

You mean to manually allow

You mean to manually allow specific VLANS

That's always a very Positive & essential approach to manually allow VLANS

and to avoid these attacks we do have to change the specific NATIVE vlan to a vlan other than vlan 1

and also put unsued ports in that native vlan...

Cisco Employee

Yes that is what I meant.NOTE

Yes that is what I meant.

NOTE: Native vlans which ever you have configured needs to be same at the other end to avoid any vlan leaking.

 

HTH

 

1144
Views
0
Helpful
9
Replies