Here is how I understand the attack. Let's imagine the following setup:

ATTACKER ---- SW1 --- SW2 --- VICTIM HOST

- The switch port the attacker is connected to is an access port in VLAN 1
- The native VLAN from SW1 --> SW2 is the default VLAN 1
- VICTIM host is in VLAN 10

Now, let's look at how the attack works to understand why tagging the native VLAN helps mitigate it. Assume the attacker sends a frame to SW1 that looks like this:

[dot1q VLAN 1] [dot1q VLAN 10] [DATA]

When SW1 receives the frame, it is accepted even though the port is an access port because the outer tag matches the VLAN of the switch port. SW1 will strip off the outer tag of VLAN 1 just before it is forwarded over the trunk to SW2. Why? Because VLAN 1 is the native VLAN, and frames that are part of the native VLAN should NOT be tagged by default going over the trunk to SW2. The problem is that when SW2 gets the frame it looks like this:

[dot1q VLAN 10] [DATA]

The frame now gets forwarded to VLAN 10 and we have accomplished our "VLAN hopping attack". BUT, it is important to understand that this is only possible if the outside tag in the frames the attacker is sending is equal to the native VLAN of the trunk between SW1 and SW2. Otherwise, SW1 would never strip off the outer tag. This is the reason why tagging the native VLAN is part of mitigating this attack. So...

- If we configure the trunk to tag the native VLAN, when SW1 receives the double-tagged frame, SW1 would never strip the outer tag; it would happily send the double-tagged frame over to SW2, and SW2 would receive the frame tagged as VLAN 1, then forward it to the destination.
- Alternatively, we can ensure we never assign an access port to the same VLAN as the native VLAN. Two ways to do this:
  - Make the native VLAN of the trunk some VLAN that is NEVER seen assigned to an access port
  - Leave the native VLAN alone, but make sure you never use that same VLAN on an access port
- Additionally, you would want to make sure your end hosts can't actually negotiate a trunk with the switch port by turning off DTP using the switchport nonegotiate command and hard coding your edge ports to be access ports

On Sat, Mar 17, 2012 at 4:27 AM, Kingsley Charles <[email protected]> wrote:
> Hi all
>
> How does "vlan dot1q tag native" help us prevent double tagging attack? I
> know it can help, but I want to discuss how and where it actually does the
> job.
>
> Can we have a discussion :-)
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com

-- 
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
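A small model of the frame handling described in the reply above, added here as an example and not taken from the thread: it builds a constructed double-tagged frame, parses the 802.1Q tag stack, and shows which VLAN SW2 delivers to when the native VLAN is left untagged, when the native VLAN is tagged, and when the native VLAN is moved to an unused VLAN. The switch behaviour is reduced to the rules stated in the post; MAC addresses, the payload and the VLAN 999 choice are placeholders.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_tags(frame: bytes):
    """Return the stacked 802.1Q VLAN IDs (outer first) and the bytes after the tags."""
    tags, off = [], 12  # skip destination and source MAC
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        off += 4
    return tags, frame[off:]


def build_frame(vlans, payload: bytes) -> bytes:
    """Constructed frame: placeholder MACs, one 802.1Q tag per VLAN (outer first), then payload."""
    hdr = bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")  # placeholder MACs
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + payload


def sw1_to_trunk(frame, port_vlan, native_vlan, tag_native):
    """Model SW1: accept on the access port, forward over the trunk; None if dropped."""
    tags, payload = parse_tags(frame)
    if tags and tags[0] != port_vlan:
        return None  # tagged frame whose outer tag is not the port's own VLAN
    if not tags:
        tags = [port_vlan]  # untagged frame is classified into the access VLAN
    if tags[0] == native_vlan and not tag_native:
        tags = tags[1:]  # native VLAN leaves the trunk untagged: outer tag stripped
    return build_frame(tags, payload)


def sw2_delivery_vlan(trunk_frame, native_vlan):
    """Model SW2: the outer tag decides the VLAN; an untagged frame lands in the native VLAN."""
    tags, _ = parse_tags(trunk_frame)
    return tags[0] if tags else native_vlan


def is_double_tagged_on_native(frame, native_vlan):
    """Detection check for an access port: two or more tags with the outer tag equal to the native VLAN."""
    tags, _ = parse_tags(frame)
    return len(tags) >= 2 and tags[0] == native_vlan


ATTACKER_FRAME = build_frame([1, 10], b"\x08\x00" + b"DATA")  # constructed sample, as in the post

if __name__ == "__main__":
    for native, tag_native in ((1, False), (1, True), (999, False)):
        on_trunk = sw1_to_trunk(ATTACKER_FRAME, 1, native, tag_native)
        print(f"native={native} tag_native={tag_native}: SW2 delivers to VLAN",
              sw2_delivery_vlan(on_trunk, native))
```

Running it shows VLAN 10 only in the first case; tagging the native VLAN or choosing an unused native VLAN leaves the outer tag in place, so SW2 keeps the frame in VLAN 1.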
