Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2047
Views
0
Helpful
4
Replies

DHCP traffic leaking across VLANs via VLAN1?

michael.armstrong
Level 1
Level 1

‎07-27-2004 09:13 AM - edited ‎03-02-2019 05:20 PM

I've got a situation where a DHCP server on a supposedly-isolated VLAN is giving out addresses to clients on VLAN1. I think I'm close to understanding why, but not close enough to sleep well.

We've got several VLANs; those of interest are:

VLAN1 - most PCs in a Win2003 domain, with a DHCP server for Vlans 1 and 2

VLAN2 - IP phones

VLAN5 - a 2nd Win2003 domain with its own DHCP server

A 3550 switches at L3 among VLANs, with a helper address on VLAN2 pointing to the DHCP server on VLAN1. There is no helper anywhere pointing to or from VLAN5.

Until yesterday, everything worked fine, as expected. A typical switchport supporting a phone and a PC was configured as:

interface FastEthernet0/1

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,2,1002-1005

switchport mode trunk

switchport voice vlan 2

switchport priority extend cos 0

Since it was working, I fixed it by removing the "trunk allowed" statements from all the end-user switchports. The intent was to allow the upcoming addition of several new VLANs without having to worry about whether they were blocked.

Today, however, as leases began to expire on the VLAN1 clients, many of them obtained VLAN5 addresses. My question is, how is the DHCPDISCOVER getting to the VLAN5 DHCP server, and since the server's responses should be tagged as VLAN5, how are they getting back to the client on VLAN1?

The discover packet must be arriving as a non-helped request, since if it had gone through a helper, the GIADDR field would implicitly solicit an address in the requestor's subnet.

The discover packet is on VLAN1 and thus crosses all trunks, so I'm thinking it shows up as an untagged packet on the switch the VLAN5 DHCP server is on. Its switchport is configured like so:

interface FastEthernet0/1

switchport trunk encapsulation dot1q

switchport trunk native vlan 5

switchport mode trunk

switchport voice vlan 2

switchport priority extend cos 0

Here's where I get lost. The "trunk native" statement assures that untagged frames arriving on the port are assigned to VLAN5, but I don't think it would prevent outgoing untagged frames from reaching the attached PC, in this case the DHCP server. So, the DHCP server responds with a DHCPOFFER, another broadcast, but shouldn't this be contained on VLAN5? Somehow, the complete DHCP transaction succeeds, the client on VLAN1 obtains a VLAN5 IP address, and can't talk to anybody any more.

Is this a security hole as well? Looks like a way for traffic to cross VLANs without benefit of a router. If someone can tell me what I'm missing, I'd appreciate it. For now, I'm putting back the "allowed" statements; looks like a good practice is to always place an "allow" allowing only VLANs associated with the phone and the native VLAN, and, incidentally, to not use VLAN1 at all.

Labels:
0 Helpful
4 Replies 4

smif101
Level 4
Level 4

‎07-27-2004 09:46 AM

The command native vlan is stating what the default vlan will be for all untagged frames, vlan 1 is the default vlan in use when this command is not stated specifically. Of course the best thing would not to use vlan 1 at all. On the switch I would use these commands for windows domain 1.

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1,2

switchport mode trunk

switchport voice vlan 2

switchport trunk native vlan 1

and for windows domain 2

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 2,5

switchport mode trunk

switchport voice vlan 2

switchport trunk native vlan 5

Hope this helps,

Jason Smith

www.smif101.com

0 Helpful

michael.armstrong
Level 1
Level 1
In response to smif101

‎07-27-2004 10:14 AM

Thanks; that's what I'm in the process of doing -- basically, putting back the "allow" statements I removed yesterday. I'd still like to know why the VLAN1 client sees the DHCPOFFER from the VLAN5 server, though.

0 Helpful

nemmco
Level 1
Level 1
In response to michael.armstrong

‎07-28-2004 07:36 PM

If I am reading your configs correctly, you one without native vlan set and the other set to vlan 5. Guess that means vlan 1 on one switch connects to vlan 5 on the other.

Is CDP enabled? If so it will send native vlan mismatch messages to the log if there is a mismatch.

peter

0 Helpful

michael.armstrong
Level 1
Level 1
In response to nemmco

‎08-03-2004 12:40 PM

You read the configs correctly, and that's where the leak is. The trunk ports connecting the two switches have no "native" statements, so untagged packets arriving on both switches are assumed to be in VLAN 1. (Thus there is no native VLAN mismatch.) On the VLAN 5 switch, all ports (other than the interconnecting trunk port) specify VLAN 5 as the native VLAN, so any untagged packets from attached PCs, etc., get tagged with VLAN 5 tags as they enter the switch.

The problem lies in the fact that VLAN 1 frames (actually, the management VLAN frames, but VLAN 1 is the management VLAN by default) are always passed. In fact, if you specify "switchport trunk allowed vlan 2,5", the switch will change this to "1-2,5,1002-1005". So, the attached "VLAN 5" PCs will see the incoming DHCPDISCOVER broadcasts which arrive on VLAN 1. In any event, the DHCP server then DHCPOFFERs the address via a directed response (I originally and mistakenly thought this was a broadcast also -- that's why I was confused) to the client, so even though the offer is made on VLAN 5, it is routed to VLAN 1 to get to the client.

I'm slowly moving all my devices off VLAN1 and will reserve that for LAN management only to avoid these side-effects.

0 Helpful
Customers Also Viewed These Support Documents