vlan double tagging

AdamBudzinski
Level 1

Hello guys,

Two questions:

1) Double-tagging works in one direction.

What would be the reason for performing this type of attack? DoS?

2) It works when the attacker's PC is connected to a switch port that resides in the same VLAN as the native VLAN of the trunk.


From what I understood, it's true that even access ports can accept tagged frames (so it would even work in the case of an access port, correct)?

3) Stopping this type of attack is not as easy as stopping basic VLAN hopping attacks.

How can I prevent this type of attack? Is changing the default native VLAN to a different, unused VLAN the only way to handle it?

Looking forward to hearing from you guys!

Best regards

Adam

Accepted Solution

Anthony LaRosa
Level 1

Adam,

To start off, keep in mind that double-tagging starts when an attacker sends a frame to a connected switch port with two VLAN tags in the header.

1. Double-tagging allows you to reach the victim a switch away from the attacker. 

2. Correct, access ports will accept tagged frames.

If the attacker is connected to an access port as mentioned, it will accept the first tag of the frame.

If the attacker is connected to a Dot1Q trunk, the first tag matches the native vlan. The second tag matches the destination VLAN that is desired for the attack. 

Now the switch receives the attacker's frames, and the first tag is stripped. Now the second tag is forwarded out all of the switch's trunks for the destination VLAN. The second tag was never stripped, so the receiving switch sees it and forwards it to the ports that are in that VLAN.

3. Yes, assigning the native VLAN to an unused VLAN is one of the mitigation steps.

A few things:

  • Remove access ports from default VLAN 1
  • Assign the native VLAN to an unused VLAN

Additional considerations:

  • ISL encapsulation does not use native VLAN, Dot1Q does.
  • All native VLAN traffic can be tagged, thereby disabling untagged traffic

Regards,

Anthony 

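The mechanism Anthony describes above, and Adam's point about the attacker having to sit in the trunk's native VLAN, as an added Python example that is not part of the original thread. It builds a genuine double-tagged Ethernet frame as bytes and models the three forwarding decisions involved: access-port ingress on the first switch, trunk egress with a native VLAN, and trunk ingress on the second switch. The switch model, the VLAN numbers (attacker in VLAN 1, victim in VLAN 20, unused VLAN 999), the MAC addresses and the payload are assumptions for illustration; the IOS commands in the comments are the ones the two mitigations from the answer correspond to.

```python
"""Double-tagging walk-through (added example, not from the original thread).

Models two switches, A and B, joined by an 802.1Q trunk. The attacker sits
on an access port of switch A; the victim is in a different VLAN on switch
B. Behaviour modelled (assumed Cisco behaviour, simplified):
  * access port: accepts untagged frames and frames tagged with its own
    VLAN, drops frames carrying any other outer tag
  * trunk egress: native VLAN leaves untagged unless 'vlan dot1q tag native'
    is set; every other VLAN leaves with a tag
  * trunk ingress: a tagged frame goes to the VLAN in its outer tag, an
    untagged one to the native VLAN (or is dropped when native tagging is on)
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_8021Q = 0x8100  # TPID of an 802.1Q tag
ETH_P_IP = 0x0800


def build_frame(dst: str, src: str, vids: list, payload: bytes,
                ethertype: int = ETH_P_IP) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags, outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> list:
    """VIDs of all stacked 802.1Q tags, outermost first."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame: bytes) -> bytes:
    """Strip the outermost tag (bytes 12..15 of the frame)."""
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a tag for vid directly after the source MAC."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


@dataclass
class Trunk:
    native_vlan: int          # interface: switchport trunk native vlan <n>
    tag_native: bool = False  # global:    vlan dot1q tag native


def access_ingress(frame: bytes, access_vlan: int) -> Optional[tuple]:
    """Switch A access port (switchport access vlan <access_vlan>).
    Returns (vlan, frame) with the outer tag removed, or None if dropped."""
    vids = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, pop_tag(frame)      # the first tag is consumed here
    return None


def trunk_egress(frame: bytes, vlan: int, trunk: Trunk) -> bytes:
    """Switch A puts the frame on the trunk."""
    if vlan == trunk.native_vlan and not trunk.tag_native:
        return frame                            # native VLAN goes out untagged
    return push_tag(frame, vlan)


def trunk_ingress(frame: bytes, trunk: Trunk) -> Optional[tuple]:
    """Switch B classifies the frame arriving from the trunk."""
    vids = parse_tags(frame)
    if vids:
        return vids[0], pop_tag(frame)
    if trunk.tag_native:
        return None                             # untagged data frames are dropped
    return trunk.native_vlan, frame


def run_attack(trunk: Trunk, access_vlan: int, target_vlan: int,
               outer_tag: Optional[int] = None) -> Optional[int]:
    """Attacker on switch A's access port sends [outer_tag][target_vlan].
    Returns the VLAN switch B delivers the frame into, or None if dropped."""
    outer = access_vlan if outer_tag is None else outer_tag
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",  # constructed
                        [outer, target_vlan], b"constructed payload")
    hop = access_ingress(frame, access_vlan)
    if hop is None:
        return None
    vlan, frame = hop
    hop = trunk_ingress(trunk_egress(frame, vlan, trunk), trunk)
    return None if hop is None else hop[0]


if __name__ == "__main__":
    print("native 1, attacker in 1, inner 20 ->", run_attack(Trunk(1), 1, 20))
    print("native 999 (unused)               ->", run_attack(Trunk(999), 1, 20))
    print("native 1 + vlan dot1q tag native  ->", run_attack(Trunk(1, True), 1, 20))
    print("attacker in 10, outer tag 1       ->", run_attack(Trunk(1), 10, 20, 1))
```

The first case is the attack as described: switch A consumes the outer tag, sends the frame untagged because VLAN 1 is the trunk's native VLAN, and switch B reads the surviving inner tag and delivers into VLAN 20. Moving the native VLAN to an unused one, or tagging the native VLAN, makes switch A re-tag the frame with the attacker's real VLAN, so switch B's classification is based on that tag and the inner tag never becomes the outer one. The last case shows why the attacker's port must be in the native VLAN: a frame whose outer tag does not match the access VLAN is dropped at the first hop. Nothing in the model carries a reply back to the attacker, which is the one-way property the question mentions.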

3 Replies

Thank you Anthony for looking into this!

BR

Adam


indeed great answer!