Native Vlan - Double tagging attack

Hello everyone

I would like a clarification on the native VLAN. By default a VLAN is used, for example 99, as the native VLAN without assigning any access port to it, to avoid double tagging attacks. What is not clear to me is:

1) Why do I have to set as native VLAN a number that makes no sense like 99 or 44? Can I also set number 2?

2) I know it takes more work, but can I leave the native VLAN 1 and delete the ports from VLAN 1 by disabling it? Can there be security issues? I repeat: VLAN 1 with no access port, I move them all to other VLANs.

I thank those who respond in advance.


balaji.bandi
VIP Expert

The native VLAN is simply the one VLAN which traverses a trunk port without a VLAN tag.

1) Why do I have to set as native VLAN a number that makes no sense like 99 or 44? Can I also set number 2?

You can use any VLAN (by default VLAN 1).

2) I know it takes more work, but can I leave the native VLAN 1 and delete the ports from VLAN 1 by disabling it? Can there be security issues? I repeat: VLAN 1 with no access port, I move them all to other VLANs.

Cisco suggests not using the default VLAN 1, for security reasons.

BB

Javier Acuña
Collaborator

You can use the VLAN you want as native; for security reasons it is not recommended to use VLAN 1, since most attacks occur through this VLAN because it is configured by default.

The recommendation is that you use the native VLAN that you define in your design; this VLAN will be the only one that passes untagged in the trunk communication.

Jon Marshall
Hall of Fame Guru

On Catalyst switches you never really disable VLAN 1.

Even if you have no access ports in it, you change the native VLAN and you make sure it is not allowed on any trunk links, there is still certain traffic in VLAN 1 such as control protocols etc.

That is the problem with VLAN 1: it is the default VLAN, the VLAN that is the native VLAN unless you change it, and it is used by Cisco for protocols such as STP, VTP etc.

So you should not make any use of it if you can help it.

Jon

So if I disable all ports it will always remain the default for other traffic such as STP or VTP. But if I change the native VLAN to VLAN 2 rather than 99 it is fine. VLAN 99 or 44 are used for convenience only.

Yes, it will still be used for certain traffic, i.e. some control protocols.

You can use any number you want for the native VLAN; it makes no difference which number you use.

Jon

MHM Cisco World
Rising star

It is clear that by changing the native VLAN the hacker cannot attack. What is not clear is why VLAN 1. I could set VLAN 1 as the native VLAN on the trunk but at the same time move all ports into other VLANs, removing all access ports F01, F02, etc. So in this case:

TRUNK LINK: VLAN 1 NATIVE VLAN

VLAN 1: NO ACCESS PORT

VLAN 2: PORTS FROM F01 TO F12

VLAN 3: PORTS FROM F13 TO F24

In this case, how does the hacker do the attack?

We suppose that the hacker is located on and connected to port fa0/8 of VLAN 2 and wants to attack VLAN 3.

He should add both VLAN 2 and VLAN 3 in the Ethernet frame.

On the trunk, VLAN 1 is native.

When switch 1 (where the hacker is connected) sees the frame, it sees the first tag, so VLAN 2 and not VLAN 3.

I might be wrong (correct me if I'm wrong) but the hacker is limited to communicating with VLAN 2 only.

I can only think that the best practice is to change VLAN 1 to VLAN 99 because VLAN 1 is the default (as you all said), and then if there are free ports on the switch with VLAN 1 native, an attacker connects to one port and attacks.

Correct me if I'm wrong.

Double Tag Attack:

You are the admin and you separate the Server from the Hosts by using VLANs:

VLAN 100 for Server

VLAN 1 for Host

The attacker can access VLAN 1 easily, BUT to access the Server it must pass through the L3 router or FW... Here the attacker couldn't attack the Server.

So the attacker uses the limitation of the SW to see only one VLAN tag.

How does the attacker work?

SW1-SW2: in between there is a trunk with VLAN 1 as native.

The attacker connects to SW1.

The attacker sends a double-tagged packet:

outer is native VLAN "VLAN 1"

inner is VLAN 100 "VLAN 100 for Server"

SW1 receives this packet; it sees native VLAN 1 and it will flood it to all ports, including the trunk between the two SWs.

SW1 will remove the outer tag "VLAN 1" (and here is the limitation of the SW) and flood it through the trunk.

SW2 receives the frame with the inner tag VLAN 100!!!

SW2 will flood it through all ports of VLAN 100, including the port for the Server.

Here the attacker can attack the Server even if it is not in the same VLAN, i.e. it passes the R/FW.

After all that:

Do you see how the attacker starts the attack?

By the native VLAN. If we can break this chain by changing the native VLAN to a value not predicted by the attacker, what will happen?

Let's see again, but this time we change the native VLAN from VLAN 1 to VLAN 99 "as your example":

The attacker connects to SW1.

The attacker sends a double-tagged packet:

outer is native VLAN "VLAN 1"

inner is VLAN 100 "VLAN 100 for Server"

SW1 receives this packet; it sees OUTER VLAN 1 and it will flood it to all ports NOT including the trunk between the two SWs.

WoW, and the attacker stops here..

So that is why we change the native VLAN to an unpredictable VLAN.

And this is why we make the default native VLAN 1 without ports.

UPDATE REPLY.

There are two attacks for switch spoofing:
first, which is explained before, "double tag":
the attacker connects to an Access port of the SW.

Second is VLAN Hopping <- this is new.

Why must native VLAN 1 be changed???
The attacker connects to a Trunk port, DTP is enabled, the SW will make the port a trunk with native VLAN 1 "Here, as you suggest, only the trunk has native VLAN 1, no other ports for VLAN 1".

What if we change the native VLAN from VLAN 1 to an unpredictable VLAN "for example 99"?

The SW never makes the port a trunk since the native VLAN is mismatched, and hence we prevent the attacker from forming a trunk with the SW and attacking all VLANs allowed on the trunk.

Note: Cisco recommends disabling DTP and enabling trunk only on the ports you want to be trunks "trusted ports", and also changing native VLAN 1.
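The two runs walked through above (native VLAN 1 versus native VLAN 99), as an added Python model that is not part of this thread and not Cisco code. It builds real 802.1Q frames and applies the forwarding rules the post relies on: an access port accepts a frame tagged with its own VLAN and peels that one tag, a trunk sends its native VLAN untagged, and a trunk classifies untagged ingress as the native VLAN. The `Trunk` class, `delivered_vlan` and the `tag_native` flag (which models the Catalyst global command `vlan dot1q tag native`, not mentioned in the thread) are my names and assumptions; MAC addresses and payload are constructed.

```python
# Added example (not from the thread): a byte-level model of the forwarding path
# described above, so the effect of the native-VLAN choice can be checked.
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that introduces an 802.1Q tag


def build_frame(vlan_tags, payload=b"constructed payload"):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outer tag first."""
    dst = bytes.fromhex("ffffffffffff")  # broadcast, so every switch floods it
    src = bytes.fromhex("0242ac110002")  # constructed source MAC
    tags = b"".join(
        TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
        for vid in vlan_tags
    )
    return dst + src + tags + (0x0800).to_bytes(2, "big") + payload


def vlan_tags(frame):
    """VIDs of all stacked 802.1Q tags, outer to inner (empty if untagged)."""
    vids, off = [], 12
    while int.from_bytes(frame[off:off + 2], "big") == TPID_8021Q:
        vids.append(int.from_bytes(frame[off + 2:off + 4], "big") & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    """Remove the outermost tag; the caller has checked that one is present."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert a new outermost 802.1Q tag carrying vid."""
    return frame[:12] + TPID_8021Q.to_bytes(2, "big") + vid.to_bytes(2, "big") + frame[12:]


@dataclass(frozen=True)
class Trunk:
    native_vlan: int
    allowed: frozenset        # VLANs carried by the trunk (list the native one if it is carried)
    tag_native: bool = False  # True models the Catalyst 'vlan dot1q tag native' setting


def access_ingress(access_vlan, frame):
    """Access port: untagged frames, or frames whose outer tag equals the port's
    VLAN, are accepted into that VLAN; any other tag is dropped. One tag is peeled."""
    tags = vlan_tags(frame)
    if tags and tags[0] != access_vlan:
        return None, None
    return access_vlan, (pop_tag(frame) if tags else frame)


def trunk_egress(trunk, vlan, frame):
    """Trunk egress: the native VLAN leaves untagged (unless tag_native), others tagged."""
    if vlan not in trunk.allowed:
        return None
    if vlan == trunk.native_vlan and not trunk.tag_native:
        return frame  # no tag added: this is the "limitation" the thread describes
    return push_tag(frame, vlan)


def trunk_ingress(trunk, frame):
    """Trunk ingress: a tagged frame belongs to its outer tag, an untagged one to the native VLAN."""
    tags = vlan_tags(frame)
    if not tags:
        return trunk.native_vlan, frame
    return tags[0], pop_tag(frame)


def delivered_vlan(trunk, attacker_vlan=1, outer=1, inner=100):
    """VLAN in which SW2 forwards the double-tagged frame, or None if it never arrives."""
    frame = build_frame([outer, inner])
    vlan, frame = access_ingress(attacker_vlan, frame)  # SW1, the attacker's access port
    if vlan is None:
        return None
    frame = trunk_egress(trunk, vlan, frame)            # SW1 -> SW2 trunk
    if frame is None:
        return None
    vlan, _ = trunk_ingress(trunk, frame)               # SW2 classifies the frame
    return vlan


if __name__ == "__main__":
    print("native 1, VLAN 1 carried:", delivered_vlan(Trunk(1, frozenset({1, 100}))))
    print("native 99, VLAN 1 pruned:", delivered_vlan(Trunk(99, frozenset({99, 100}))))
    print("native 1 but tagged:", delivered_vlan(Trunk(1, frozenset({1, 100}), tag_native=True)))
```

With native VLAN 1 the frame reaches SW2 in VLAN 100, exactly as the post describes. With native 99 and VLAN 1 pruned from the trunk, SW1 drops it at trunk egress; if VLAN 1 is still allowed, SW1 tags it with 1 and SW2 classifies it as VLAN 1, so the inner tag stays hidden either way. The third run shows that tagging the native VLAN has the same effect even when the native VLAN is left at 1, which is why both measures are usually applied together.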

OK, let's see if I understand. Only if DTP is enabled on switch A (the default is enabled) can an attacker connect with his PC and make switch A believe that his PC is a switch B, and since by default the DTP service enables VLAN 1 as the native VLAN, the attacker automatically carries out a VLAN hopping attack. Then the problem would be solved by disabling the DTP service and setting the trunk manually. But since a company might want to adopt a solution with DTP for convenience, it is always useful to set a different native VLAN, which can also be VLAN 2; but since usually VLANs 2, 3, 4, etc. are used, for convenience a VLAN such as 99 or 120 is used as the native VLAN, i.e. one that doesn't make sense. Correct?

That is (I know that in reality it will never happen, but it is to better understand): if I have switch A and switch B, on both switches I disable DTP, I move all the ports from VLAN 1 to VLAN 2, 3, 4 for example, and I leave VLAN 1 as the native VLAN on the trunk between switch A and switch B, would an attacker be able to do hopping and double tagging? There is no auto-negotiation between A and B, and the ports have not been assigned to VLAN 1; at this point, unless there is another service that would allow an attacker to make another type of attack, I don't see how it can succeed in making an attack with VLAN 1 as native. Obviously mine is a consideration based on theoretical concepts; if I miss something, correct me.

OK, how many native VLANs are there in a SW?
There is only one, so when you configure native VLAN 1 between two SWs, that means that both SWs use native VLAN 1 for all trunk ports.
The attacker, as I explained above, will form a trunk to one of the SWs using DTP and native VLAN 1; the victim SW will make the port a trunk with the attacker "the SW doesn't know whether this is an attacker or another SW".
This now allows the attacker to use all VLANs, and hence VLAN hopping happens.
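A defender's check for the points made in this thread (disable DTP, set trunks statically, move the native VLAN off 1 and keep it free of access ports), as an added Python script that is not from the thread and not from Cisco. It reads a constructed Catalyst-style running-config; the interface names and the defaults assumed for lines a Catalyst omits from its running-config (`dynamic auto`, native VLAN 1, access VLAN 1) are assumptions, and `audit`, `facts` and `parse_interfaces` are my own names.

```python
# Added example (not from the thread): audit of a Catalyst-style running-config
# for the settings discussed here. The config below is constructed; the defaults
# assumed for missing lines are noted in facts().
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet1/0/3
 switchport trunk native vlan 99
 switchport trunk allowed vlan 2,3,100
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 2
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 99
!
interface GigabitEthernet1/0/6
 shutdown
!
"""


def parse_interfaces(config):
    """{interface name: [its indented config lines, stripped]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command closes the stanza
    return interfaces


def facts(lines):
    """Effective settings of one interface. Missing lines are read as the
    Catalyst defaults assumed here: mode dynamic auto, native VLAN 1, access VLAN 1."""
    text = "\n".join(lines)
    mode = re.search(r"^switchport mode (\S+)", text, re.M)
    native = re.search(r"^switchport trunk native vlan (\d+)", text, re.M)
    access = re.search(r"^switchport access vlan (\d+)", text, re.M)
    return {
        "shutdown": "shutdown" in lines,
        "mode": mode.group(1) if mode else "dynamic",
        "native": int(native.group(1)) if native else 1,
        "access": int(access.group(1)) if access else 1,
        "nonegotiate": "switchport nonegotiate" in lines,
    }


def audit(config):
    """{interface name: [findings]}; an empty list means the port follows the advice above."""
    ifaces = {name: facts(lines) for name, lines in parse_interfaces(config).items()}
    # native VLANs in use on live trunks; no access port should sit in one of them
    trunk_natives = {f["native"] for f in ifaces.values()
                     if f["mode"] == "trunk" and not f["shutdown"]}
    report = {}
    for name, f in ifaces.items():
        findings = []
        if f["shutdown"]:
            report[name] = findings  # an administratively down port takes no part
            continue
        if f["mode"].startswith("dynamic"):
            findings.append("DTP active: the port can be negotiated into a trunk; "
                            "set 'switchport mode access' or 'switchport mode trunk'")
        if f["mode"] == "trunk":
            if not f["nonegotiate"]:
                findings.append("trunk still sends DTP: add 'switchport nonegotiate'")
            if f["native"] == 1:
                findings.append("native VLAN is 1: move it to an otherwise unused VLAN")
        if f["mode"] == "access" and f["access"] == 1:
            findings.append("access port left in VLAN 1")
        if f["mode"] == "access" and f["access"] in trunk_natives:
            findings.append(f"access port is in VLAN {f['access']}, a trunk's native VLAN")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "- OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

In the sample, Gi1/0/3 is the only trunk that passes: static mode, DTP off, native VLAN 99 and VLAN 1 absent from the allowed list. Gi1/0/5 is flagged because an access port in VLAN 99 would put a host back into the native VLAN, which is what the thread's advice is meant to avoid.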

So:

VLAN 1: all ports moved, for example to VLAN 2

DTP: disabled

Native VLAN: VLAN 1

If the hacker doesn't find an access port in VLAN 1 and sto is disabled, can the hacker still attack?

Sorry, what is sto?
