topic Re: Native Vlan - Double tagging attack in Network Security

Native Vlan - Double tagging attack

PietroPoliseno27977 — Fri, 26 Feb 2021 14:08:35 GMT

Hello everyone

I would like a clarification on the native vlan.By default a vlan is used, for example 99 as a native vlan without assigning any access port to avoid double tagging attacks.What is not clear to me is:

1) Why do I have to set as a native vlan a number that makes no sense like 99 or 44?Can I also set number 2 ?

2) I know it takes more work, but can I leave the native vlan 1 and delete the ports from vlan 1 by disabling it?Can there be security issues? I repeat Vlan 1 with no access port I move them all to other vlan.

I thank those who respond in advance

Re: Native Vlan - Double tagging attack

balaji.bandi — Fri, 26 Feb 2021 14:17:24 GMT

The Native VLAN is simply the one VLAN which traverses a Trunk port without a VLAN tag.

1) Why do I have to set as a native vlan a number that makes no sense like 99 or 44?Can I also set number 2 ?

You can use any VLAN ( by default VLAN1)

Cisco suggest do not use default vlan 1 for security reason.,

Re: Native Vlan - Double tagging attack

Javier Acuña — Fri, 26 Feb 2021 14:49:29 GMT

You can use the Vlan you want as native, ´for security reasons it is not recommended to use vlan 1 since most attacks occur through this vlan since it is configured by default.

The recommendation is that you use the Native Vlan that you define in your design, this vlan will only pass without tagging in the trunk communication

remember to give the star with this you contribute in the community

Re: Native Vlan - Double tagging attack

Jon Marshall — Fri, 26 Feb 2021 22:07:38 GMT

On Catalyst switches you never really disable vlan 1.

Even if you have no access ports in it, you change the native vlan and you make sure it is not allowed on any trunk links, still there is certain traffic in vlan 1 such as control protocols etc.

That is the problem with vlan 1, it is the default vlan, the vlan that is the native vlan unless you change it and it is used by Cisco for protocols such as STP, VTP etc.

So you should not make any use of it if you can help it.

Jon

Re: Native Vlan - Double tagging attack

MHM Cisco World — Sat, 27 Feb 2021 13:10:30 GMT

...

Re: Native Vlan - Double tagging attack

PietroPoliseno27977 — Sat, 27 Feb 2021 08:29:56 GMT

It Is clear that changing native VLAN hacker cannot Attack. What Is not clear i why VLAN 1. I could set VLAN1 as VLAN native on trunk but simultaneously I move all ports in other vlans removing all access Port F01 f02 etc..... So In this case:

TRUNK LINK: VLAN 1 NATIVE VLAN

VLAN1: NO ACCESS PORT

VLAN 2: PORTS FOR F01 TO F12

VLAN3: PORTS FOR F13 TO F24

In this case how spese the hacker do the Attack?

We suppose that hacker Is located and connect Port fa0/8 of the VLAN 2 and wanted attaché VLAN3.

He should add both VLAN2 AND VLAN3 in the frame ethernet

On trunk Is VLAN1 native.

When switch 1 (where Is connect hacker) see the frame, It see First tag so VLAN2 and not VLAN3.

I might be wrong ( correct me of I'm wrong) but hacker Is limited to comunicate VLAN 2 only.

I could think only best practice change VLAN1 in VLAN99 because VLAN1 Is default (as all you said), and then if there are free ports on switch with VLAN1 native, un attacker connect One Port and Attack

Correct me of I wrong

Re: Native Vlan - Double tagging attack

PietroPoliseno27977 — Sat, 27 Feb 2021 12:24:18 GMT

So if I disable all Port It Will remain Always default for other traffic as stp or vtp. But if I Will change native VLAN in VLAN2 without 99 It Is good. VLAN99 or 44 are used so for convenience only.

Re: Native Vlan - Double tagging attack

MHM Cisco World — Sat, 27 Feb 2021 13:24:28 GMT

Double Tag Attack,

you admin and you are separate the Server from the Host by using VLAN,

VLAN 100 for Server

VLAN 1 for Host

the attacker which can access to VLAN 1 easily BUT to access to Server it must pass through Router L3 or FW... Here the attacker couldn't attack Server.

So attacker use the limitation of SW to see only one tag of VLAN.

How attacker Work ?

SW1-SW2 in-between there is trunk with VLAN 1 as native,

attacker connect to SW1,

attacker send double tag packet

outer is native VLAN "VLAN1"

inner is VLAN 100 "VLAN 100 for Server ??"

SW1 receive this packet It see Native VLAN 1 it will flood to all port include trunk between the two SW,

SW1 will remove the outer tag "VLAN1 " and here is limitation of SW" and flood it through trunk

SW2 receive the frame with inner tag VLAN 100!!!

SW2 will flood it through all port of VLAN 100 include the port for Server

here the attacker can attack the Server even if it not in same VLAN, i.e. it pass R/FW.

after ALL

do you see how the attacker is start attack?

by native VLAN, if we can broke this series by change native VLAN with value not predict by attacker what will happened?

let see again but this time we change the native VLAN from VLAN 1 to VLAN 99 "as your example"

attacker connect to SW1,

attacker send double tag packet

outer is native VLAN "VLAN1"

inner is VLAN 100 "VLAN 100 for Server ??"

SW1 receive this packet It see OUTER VLAN 1 it will flood to all port NOT include trunk between the two SW,

WoW and attacker stop here..

So that is why we change the native VLAN to not predict VLAN.

and this is why make default native VLAN 1 without ports.

UPDATE REPLY.

Re: Native Vlan - Double tagging attack

MHM Cisco World — Sat, 27 Feb 2021 13:31:23 GMT

There is two attack for switch spoofing,
first which is explain before "double tag"
the attack connect to Access port of SW

Second is VLAN Hopping<- this new

Why VLAN1 native must change ???
the attack connect to Trunk port, DTP is enable, the SW will make port trunk and native VLAN 1 "Here as you suggest only trunk have native VLAN1, no other ports for vlan1".

What if we change the native VLAN from VLAN1 to NO predict VLAN "for example 99"

the SW never make port as trunk since the native VLAN is mismatch and hence we prevent the attacker from form trunk with SW and attack all vlan allowed in trunk.

Note:- Cisco recommend to disable DTP and enable trunk only on port you want to be trunk "trust port" and also change native VLAN1.

Re: Native Vlan - Double tagging attack

Jon Marshall — Sat, 27 Feb 2021 15:23:14 GMT

Yes it will still be used for certain traffic ie. some control protocols.

You can use any number you want for native vlan, it makes no difference which number you use.

Jon

Re: Native Vlan - Double tagging attack

PietroPoliseno27977 — Sun, 28 Feb 2021 08:50:00 GMT

Ok let's see if I understand. Only if DTP is enabled on a switch A (default is enabled), an attacker can also connect with his pc makes switch A believe that his PC is a switch B and since by default the dtp service enables the vlan as native vlan 1, the attacker automatically makes a vlan hopping attack. Then the problem would be solved by disabling the DTP service and setting the trunk manually. But maybe since a company would like to adopt a solution with DTP for convenience, it is always useful to set a different native vlan which can also be vlan 2 but since usually vlan 2-3-4 etc are used for convenience it is used as native vlan a vlan example 99 or 120 that is it doesn't make sense.Correct?

Re: Native Vlan - Double tagging attack

PietroPoliseno27977 — Sun, 28 Feb 2021 09:26:05 GMT

That is (I know that in reality it will never happen but it is to better understand) if I have switch A and switch B on both switches I disable the DTP, I move all the ports from VLAN1 to VLAN 2 - 3 - 4 for example I leave on the trunk switch A and switch B vlan native VLAN 1, would you attacker be able to do a hopping and double tagging? There is no auto-negotiation between A and B, the ports have not been assigned to VLAN 1 at this point unless there is another service that would allow an attacker to make another type of attack, I don't see how it can succeed to make an attack with a VLAN 1 as native. Obviously mine is a consideration based on theoretical concepts if I miss something correct me

Re: Native Vlan - Double tagging attack

MHM Cisco World — Sun, 28 Feb 2021 12:41:24 GMT

OK, how many native VLAN in SW ?
there is only one, so when you config native VLAN 1 between two SW, that meaning that both SW use native VLAN 1 for all trunk port.
attacker as I explain above will form trunk to one of SW, using DTP and native VLAN 1, the victim SW will make port trunk with attacker "SW don't know this is attacker or other SW".
this make Attacker now allow to use all VLAN, and hence VLAN hopping happened.

Re: Native Vlan - Double tagging attack

PietroPoliseno27977 — Sun, 28 Feb 2021 15:45:06 GMT

VLAN1: all Port moved for example VLAN2

DTP: Disable

Native VLAN : VLAN1

If hacker not find access Port in VLAN 1 and sto Disable hacker can still Attack

Re: Native Vlan - Double tagging attack

MHM Cisco World — Sun, 28 Feb 2021 16:31:54 GMT

sorry what is sto ?

Re: Native Vlan - Double tagging attack

PietroPoliseno27977 — Sun, 28 Feb 2021 20:40:43 GMT

Excuse me DTP however I read newly other comments. VLAN 1 no access Port and dtp Disable Is under Attack yet because stp use bpdu frame on VLAN1 default also if Logic vtp hopping and double tagging Say that the Attack Is good if the attacker Is connect ti the Port assigned ti native VLAN, but if I move all Port from VLAN1 in VLAN 2, frames bpdu Will through on VLAN 1 yet.

Re: Native Vlan - Double tagging attack

MHM Cisco World — Sun, 28 Feb 2021 21:00:57 GMT

I ask my self same Q when I study VLAN security then I end with
1- using VLAN1 as Native VLAN
2- using other VLAN as Native VLAN

still the L2 protocol use VLAN1 as tag vlan when send through trunk
BUT
it tag if the VLAN 1 is not native
it not tag if the VLAN1 is native

https://www.fragmentationneeded.net/2011/01/revisiting-vlan-1-myth-again.html

so change the native VLAN not make other L2 protocol not use VLAN1.