03-05-2023 04:14 AM - edited 03-05-2023 06:01 AM
Hello community,
Recently I ran into an interesting situation in a production environment. The Core Switch was sending packets with an incorrect destination MAC address towards an Access switch - it was due to some bug. But my question is not about that bug. The thing is, that destination MAC really belongs to an existing host connected to another access switch, and it was in another VLAN than the host the traffic was originally intended for. So, the first Access Switch knew about this MAC from the Core switch, so it was in its MAC address table and it was pointing towards the Core Switch itself. So, the situation was like this: the Core Switch is sending frames with an incorrect MAC destination towards the Access Switch, this Access switch knew about this MAC from the Core switch, but it was in another VLAN, and it seems that the Access switch dropped those frames. But I was expecting that since the Access switch knew about that MAC from another VLAN, not from the VLAN the traffic was destined to, it would just do unknown unicast flooding. But instead it just dropped the traffic, as you would expect if it were the same VLAN. As far as I know, a switch should not have any issues with the same MAC address being in different VLANs, because from the switch's point of view VLANs are basically separate virtual switches. What is special about this case? Why didn't the switch do unknown unicast flooding?
And also, is there any debug command which I can use to check the MAC address table or see why frames are being dropped?
03-05-2023 10:25 AM
You are correct that when a switch receives a frame with a VLAN tag that does not match the VLAN ID of the receiving interface, it should discard the frame. This behavior is part of the 802.1Q standard, which defines how VLAN tagging should be implemented on Ethernet networks.
In the context of a VLAN hopping attack, the attacker is attempting to send frames with a VLAN tag that will cause the switch to forward the frame to other VLANs on the network. This can occur in situations where the attacker has access to a port on the switch that is configured for one VLAN, but the attacker wants to gain access to another VLAN on the network. By sending frames with a different VLAN tag, the attacker hopes to trick the switch into forwarding the frames to other VLANs on the network.
In some cases, the switch may forward the frames as the attacker intends, even though the VLAN tag does not match the receiving interface. This can occur if the switch has not properly configured VLAN tagging on its ports, or if the switch has not properly implemented the 802.1Q standard.
In summary, while it is true that a switch should discard frames with VLAN tags that do not match the receiving interface, VLAN hopping attacks can exploit weaknesses in the switch's implementation of VLAN tagging to gain unauthorized access to other VLANs on the network.
Sorry for the inconvenience:
https://www.ciscopress.com/articles/article.asp?p=1681033&seqNum=3
https://www.techtarget.com/searchsecurity/definition/VLAN-hopping?amp=1
03-05-2023 10:57 AM
@sidshas03 Thanks for the links.
I did some tests now, on a real switch. I connected 3 PCs to a real Cisco Switch. Two of them are in VLAN 25 and one of them in VLAN 45. All ports are in switchport access mode. I simulated the situation when a host in VLAN 25 sent traffic to the MAC of the host in VLAN 45. So, the switch has this MAC associated with the interface in VLAN 45. And the switch did unknown unicast flooding. So, this test contradicts this statement:
"However, if the Access switch has previously learned the MAC address on a different VLAN, it will not flood the frame out of all ports when it receives a frame with that MAC address on a different VLAN. Instead, the switch will forward the frame based on the information in its MAC address table for that VLAN, which may result in the frame being dropped or forwarded to a specific port on the switch." - If you could find the source of that statement, it could really help me.
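The three-PC test described in the post above, replayed against a small software model of a VLAN-aware switch. This is an added example, not code from the thread or from Cisco; the port names, MAC addresses and VLAN assignments are constructed, and the model assumes per-VLAN (independent) MAC learning, i.e. the table is keyed by (VLAN, MAC), so an address learned in VLAN 45 is simply unknown in VLAN 25 and the frame is flooded within VLAN 25 only.

```python
"""Toy model of a switch with a per-VLAN MAC address table.

Constructed example: access ports Gi1/Gi2 in VLAN 25, Gi3 in VLAN 45,
mirroring the three-PC test from the thread. Assumes independent VLAN
learning, where the forwarding table is keyed by (vlan, mac).
"""

PC_A = "00:11:22:aa:aa:aa"  # constructed, on Gi1, VLAN 25
PC_B = "00:11:22:bb:bb:bb"  # constructed, on Gi2, VLAN 25
PC_C = "00:11:22:cc:cc:cc"  # constructed, on Gi3, VLAN 45


class VlanSwitch:
    def __init__(self, access_ports):
        # port name -> access VLAN of that port
        self.port_vlan = dict(access_ports)
        # (vlan, mac) -> port where that MAC was last seen as a source
        self.mac_table = {}

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return (action, list_of_egress_ports)."""
        vlan = self.port_vlan[in_port]
        # Source learning is scoped to the ingress VLAN.
        self.mac_table[(vlan, src_mac)] = in_port
        # Destination lookup uses the same VLAN key; an entry for the same
        # MAC in another VLAN is invisible here.
        out_port = self.mac_table.get((vlan, dst_mac))
        if out_port is None:
            # Unknown unicast: flood to every other port in this VLAN only.
            flood = sorted(p for p, v in self.port_vlan.items()
                           if v == vlan and p != in_port)
            return ("flood", flood)
        if out_port == in_port:
            # Known behind the ingress port: filter (no egress).
            return ("filter", [])
        return ("forward", [out_port])

    def show_mac_table(self):
        """Rows in the spirit of 'show mac address-table': (vlan, mac, port)."""
        return sorted((v, m, p) for (v, m), p in self.mac_table.items())


def run_three_pc_test():
    """Replay the thread's test and return each step's result."""
    sw = VlanSwitch({"Gi1": 25, "Gi2": 25, "Gi3": 45})
    results = {}
    # PC-C talks first so the switch learns its MAC in VLAN 45 on Gi3.
    results["learn_c"] = sw.receive("Gi3", PC_C, "ff:ff:ff:ff:ff:ff")
    # PC-A in VLAN 25 sends a unicast to PC-C's MAC: unknown in VLAN 25,
    # so it is flooded to Gi2 only and never crosses into VLAN 45.
    results["a_to_c"] = sw.receive("Gi1", PC_A, PC_C)
    # PC-B replies to PC-A inside VLAN 25: known, forwarded to Gi1 only.
    results["b_to_a"] = sw.receive("Gi2", PC_B, PC_A)
    results["table"] = sw.show_mac_table()
    return results


if __name__ == "__main__":
    for step, outcome in run_three_pc_test().items():
        print(step, outcome)
```

The `a_to_c` step is the one the post's test exercised: the (25, PC-C) key is absent even though (45, PC-C) exists, so the model floods within VLAN 25, which matches the flooding observed on the real switch.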
03-05-2023 11:11 AM
Please look into the attached link. The same issue as yours is addressed.
https://community.cisco.com/t5/switching/the-same-mac-address-is-shown-in-2-vlan/td-p/1667997
03-05-2023 11:32 AM - edited 03-05-2023 11:32 AM
@sidshas03 the situation there is a bit different. One last question, please:
"However, if the Access switch has previously learned the MAC address on a different VLAN, it will not flood the frame out of all ports when it receives a frame with that MAC address on a different VLAN. Instead, the switch will forward the frame based on the information in its MAC address table for that VLAN, which may result in the frame being dropped or forwarded to a specific port on the switch." - Is this your opinion, or did you read it somewhere?
03-05-2023 11:51 AM
This is my opinion, but rather a statement based on networking principles and the behavior of network switches. When a network switch receives a frame with a destination MAC address, it looks up the MAC address table to determine the outgoing port for that MAC address. If the switch has previously learned the MAC address on a different VLAN, it will have a different outgoing port for that VLAN in its MAC address table, and it will forward the frame accordingly. However, if the switch has not learned the MAC address on the current VLAN, it will flood the frame out of all ports on that VLAN. This is a fundamental behaviour of network switches, is well-documented in networking literature and is a standard feature of modern switches.
"Ethernet Switching" chapter from the book "Computer Networking: A Top-Down Approach" by Kurose and Ross
https://cis.temple.edu/~tug29203/21fall-4319/syllabus.html
"VLANs and Trunks" chapter from the book "CCNA Routing and Switching ICND2 200-105 Official Cert Guide" by Wendell Odom:
https://ptgmedia.pearsoncmg.com/images/9781587205804/samplepages/9781587205804.pdf - page 292
These resources explain the behaviour of switches in a VLAN environment and how they forward frames based on their MAC address tables. They are widely accepted in the networking community and represent the standard behavior of modern switches.
Thank you for taking the time to read my message, and I apologize for collapsing your queries in between.
03-05-2023 11:08 PM
@sidshas03 thanks for the reply. "When a network switch receives a frame with a destination MAC address, it looks up the MAC address table to determine the outgoing port for that MAC address. If the switch has previously learned the MAC address on a different VLAN, it will have a different outgoing port for that VLAN in its MAC address table, and it will forward the frame accordingly. However, if the switch has not learned the MAC address on the current VLAN, it will flood the frame out of all ports on that VLAN. This is a fundamental behaviour of network switches and is well-documented in networking literature is a standard feature of modern switches." - It will not forward frames received on one VLAN according to the MAC address table of a different VLAN.
However, my question wasn't about this part. I asked you about your different statement:
"However, if the Access switch has previously learned the MAC address on a different VLAN, it will not flood the frame out of all ports when it receives a frame with that MAC address on a different VLAN. Instead, the switch will forward the frame based on the information in its MAC address table for that VLAN, which may result in the frame being dropped or forwarded to a specific port on the switch." - I've never seen such a statement anywhere. Can you please explain why you came to such a conclusion?
03-05-2023 11:24 PM
When an access switch receives a frame, it will look up the destination MAC address in its MAC address table. If the switch has already learned the MAC address and the corresponding VLAN, it will forward the frame out of the appropriate port for that VLAN.
If the switch has not yet learned the MAC address, it will flood the frame out of all ports in the same VLAN as the incoming frame, except for the port it was received on.
If the switch receives a frame with the same MAC address but on a different VLAN than the VLAN it learned the MAC address on, the switch will not have an entry for that MAC address in its MAC address table for that VLAN. In this case, the switch will flood the frame out of all ports in the VLAN the frame was received on.
So, it is possible for a switch to flood a frame with a known MAC address if the frame is received on a different VLAN than the one it was learned on.
Therefore, if the Access switch has previously learned the MAC address on a different VLAN, it will not flood the frame out of all ports when it receives a frame with that MAC address on a different VLAN. Instead, it will forward the frame only to the ports that are members of the VLAN associated with that MAC address. That's the reason I came up with the conclusion of the mentioned above statement.
03-06-2023 02:43 AM
"If the switch receives a frame with the same MAC address but on a different VLAN than the VLAN it learned the MAC address on, the switch will not have an entry for that MAC address in its MAC address table for that VLAN. In this case, the switch will flood the frame out of all ports in the VLAN the frame was received on."
"Therefore, if the Access switch has previously learned the MAC address on a different VLAN, it will not flood the frame out of all ports when it receives a frame with that MAC address on a different VLAN. Instead, it will forward the frame only to the ports that are members of the VLAN associated with that MAC address. That's the reason I came up with the conclusion of the mentioned above statement."
These two statements are completely opposite to each other. Didn't you notice that in one case it will flood out of all of the ports, and in your conclusion it won't flood out of all ports?
I'm sorry, but either I didn't get you or you didn't make the right conclusion.
03-06-2023 04:02 AM
I apologize for any confusion I may have caused. You are correct that the two statements seem contradictory.
Let me clarify my explanation. When a switch receives a frame with the same MAC address but on a different VLAN than the VLAN it learned the MAC address on, the switch will not have an entry for that MAC address in its MAC address table for that VLAN. Therefore, the switch will flood the frame out of all ports in the VLAN the frame was received on.
However, if the access switch has previously learned the MAC address on a different VLAN, it will not flood the frame out of all ports when it receives a frame with that MAC address on a different VLAN. Instead, it will forward the frame only to the ports that are members of the VLAN associated with that MAC address. This is because the access switch has already learned the MAC address and associated it with a specific VLAN.
So, in summary, if the switch has not previously learned the MAC address, it will flood the frame out of all ports in the VLAN. But if it has previously learned the MAC address, it will forward the frame only to the ports that are members of the VLAN associated with that MAC address.