vlan cross security issue

wuliting
Level 1

I saw from an article about the VLAN cross.

https://www.pluralsight.com/blog/it-ops/5-big-misconceptions-about-virtual-lans-

''Connecting together two access ports that are in different VLANs. Suppose SW1 has port Ethernet0/1 configured as an access port in VLAN 3, and SW2 has port Ethernet0/2 configured as an access port in VLAN 4. If you connect these two ports together, traffic can cross seamlessly between VLANs 3 and 4.''

This happened to me, where I couldn't isolate or separate the traffic for different VLANs.

I don't have any router.

Switch A's trunk port connects to tester A, which can Tx or Rx packets for different packet streams.

Switch B's trunk port connects to tester B, which can Tx or Rx packets for different packet streams.

In between the switches are access ports with VLAN 10, 20, 30.

By connecting together two access ports that are in different VLANs, they can communicate.

I don't understand why. Could someone please explain it to me?


Accepted Solutions

Hello,

Under normal conditions, on an L2 switch, traffic from one VLAN can't pass to another VLAN.

On an L3 switch, when you create switch virtual interfaces for VLANs, traffic will be routed between VLANs, and if you don't want this to happen, the simple way is the use of access lists.

There are ways to overcome this normal behavior, but this means doing dirty things with cabling or configuration, or the so-called double encapsulation attack.

 

When traffic enters the switch via an access port in VLAN 10, it is internally marked and is still separated from other VLANs' traffic. When this traffic leaves the switch via a trunk port with VLANs 10, 20, 30, it is encapsulated with an 802.1Q tag, which separates it from traffic in other VLANs.

The article you mention is totally true, but I understand that you are confused, because this article is not meant as an introduction to VLANs and trunking. I would encourage you to start with less complicated information sources and then proceed to a more complex level. Good luck!

Stepan 


STEPAN JANKOVIC
Level 1

Hello,

I am not sure if I understand what confuses you. When data frames leave a switch interface, their VLAN tag is stripped and they are sent without encapsulation, so you can perfectly well receive them on another interface in a different VLAN. Internally in the switch, this traffic will be received into the VLAN which is configured as the access VLAN on this receiving port. So this communication will work. Anyway, I don't encourage anyone to do such things, as this is ... dirty practice. You can benefit from such an interconnection only when hosts in these two VLANs share the same address space, so they can communicate. I wouldn't recommend having two VLANs in the same domain with the same or overlapping address space.

Again, I am not sure if I addressed your question properly :-)

Regards

Stepan
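Stepan's explanation (the tag is stripped when the frame leaves the access interface, and the receiving switch places the frame in whatever access VLAN its port has) and the accepted answer's description of ingress marking and 802.1Q tagging on the trunk can be checked with a small model. The following Python is an added example, not code from this thread or from Cisco; the port names, MAC address, VLAN numbers and topology are constructed for illustration. It encodes and decodes 802.1Q tags, models a switch that classifies frames on ingress and tags or strips them on egress, and then runs the cross-connect the original poster described: tester A sends a VLAN 10 frame into SW_A's trunk, the frame leaves an access port untagged, and SW_B classifies it into the access VLAN of its receiving port.

```python
# Added example: minimal model of 802.1Q tagging on access and trunk ports.
# Not Cisco code; port names, MAC and VLAN values are constructed for illustration.
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def encode_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        tci = vlan & 0x0FFF                      # PCP/DEI left at zero, VID in low 12 bits
        hdr += ETHERTYPE_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big") + payload


def decode_frame(frame):
    """Return (dst, src, vlan-or-None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    etype = int.from_bytes(frame[12:14], "big")
    if etype == ETHERTYPE_8021Q:
        vid = int.from_bytes(frame[14:16], "big") & 0x0FFF
        return dst, src, vid, int.from_bytes(frame[16:18], "big"), frame[18:]
    return dst, src, None, etype, frame[14:]


@dataclass(frozen=True)
class Port:
    mode: str                         # "access" or "trunk"
    vlan: int                         # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset()  # VLANs a trunk will carry tagged


class Switch:
    """Layer-2 switch: classify on ingress, flood within the VLAN, tag/strip on egress."""

    def __init__(self, ports):
        self.ports = ports

    def classify(self, in_port, frame):
        """Ingress: decide which internal VLAN the frame belongs to (None = drop)."""
        port = self.ports[in_port]
        _, _, tag, _, _ = decode_frame(frame)
        if port.mode == "access":
            # an access port puts every untagged frame in its access VLAN
            return port.vlan if tag is None else None
        if tag is None:
            return port.vlan                      # untagged on a trunk = native VLAN
        return tag if tag in port.allowed else None

    def egress(self, out_port, vlan, frame):
        """Egress: emit untagged (access port or native VLAN) or 802.1Q-tagged (trunk)."""
        port = self.ports[out_port]
        dst, src, _, etype, payload = decode_frame(frame)
        if port.mode == "access":
            return encode_frame(dst, src, etype, payload) if vlan == port.vlan else None
        if vlan == port.vlan:
            return encode_frame(dst, src, etype, payload)      # native VLAN leaves untagged
        return encode_frame(dst, src, etype, payload, vlan) if vlan in port.allowed else None

    def forward(self, in_port, frame):
        """Broadcast/unknown unicast: flood to every other port that carries the VLAN."""
        vlan = self.classify(in_port, frame)
        if vlan is None:
            return {}
        out = {}
        for name in self.ports:
            if name != in_port:
                f = self.egress(name, vlan, frame)
                if f is not None:
                    out[name] = f
        return out


# Constructed topology: tester A -> SW_A trunk; SW_A access ports cabled to SW_B
# access ports; SW_B trunk -> tester B.
TRUNK = Port("trunk", 1, frozenset({10, 20, 30}))
sw_a = Switch({"Gi0/1": TRUNK, "Fa0/2": Port("access", 10), "Fa0/3": Port("access", 20)})
sw_b = Switch({"Gi0/1": TRUNK, "Fa0/4": Port("access", 20), "Fa0/5": Port("access", 10)})
TESTER_A = bytes.fromhex("0200000000aa")   # constructed locally-administered MAC
BCAST = b"\xff" * 6


def vlan_seen_by_tester_b(src_vlan, sw_a_port, sw_b_port):
    """Tester A sends a frame tagged src_vlan into SW_A's trunk; a cable joins
    sw_a_port to sw_b_port. Return the VLAN tag tester B sees on SW_B's trunk,
    or None if nothing arrives."""
    frame = encode_frame(BCAST, TESTER_A, ETHERTYPE_IPV4, b"hello", vlan=src_vlan)
    on_wire = sw_a.forward("Gi0/1", frame).get(sw_a_port)
    if on_wire is None:
        return None
    assert decode_frame(on_wire)[2] is None   # the cable between access ports carries no tag
    to_tester_b = sw_b.forward(sw_b_port, on_wire).get("Gi0/1")
    return None if to_tester_b is None else decode_frame(to_tester_b)[2]


if __name__ == "__main__":
    print("VLAN10 access -> VLAN10 access:", vlan_seen_by_tester_b(10, "Fa0/2", "Fa0/5"))  # 10
    print("VLAN10 access -> VLAN20 access:", vlan_seen_by_tester_b(10, "Fa0/2", "Fa0/4"))  # 20
    print("VLAN10 out of a VLAN20 port:   ", vlan_seen_by_tester_b(10, "Fa0/3", "Fa0/4"))  # None
```

Running it shows why the article's statement holds: a VLAN ID exists only inside each switch and as a tag on trunks, while the cable between two access ports carries a plain frame, so the receiving switch has no way to know which VLAN the sender used and simply assigns its own port's access VLAN. The model also shows the isolation the switch does provide: SW_A refuses to send the VLAN 10 frame out its VLAN 20 access port (the `Fa0/3` case), and a tag for a VLAN not on the trunk's allowed list is dropped at ingress. It is the cabling, not the switch, that undoes the separation, which is why the check to make on a real 2960 is that no access port is cabled to another switch's access port and that each trunk allows only the VLANs it must carry.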

 

Thanks for your reply Stepan.

I just want to make sure the traffic is totally isolated between VLANs. So I tried to cross the link between VLANs, and who knows, it is actually sending the traffic, which I am very confused by.

As you said, the VLAN tag will be stripped off when it is leaving the access port. What about when it enters the access port and goes out of the trunk port again to tester B?

thank you again.

I am using 2960 switch.


Thanks for the mention of the double tagging / double encapsulation problem. Awesome!
