1477 Views, 10 Helpful, 7 Replies

VLAN hopping attack

ritesh998
Level 1

Greetings! I am Ritesh.

We have 2960 switches with VLAN 1 on both switches and two different networks, 5 and 20, as shown in the diagram. But when we install a system in the 20 network with an IP from the 5 network, we are still able to access the whole 5 network. We even have a Cyberoam firewall as our gateway device, and we haven't allowed any traffic from the 20 network to the 5 network in Cyberoam.

Please help me with this.

7 Replies

Mark Malone
VIP Alumni

Hi

There are 2 different broadcast domains, as they are being separated on the firewall. The issue is not on the switches, as the FW is doing the inter-VLAN routing. If they are able to speak between subnets, look at the device that's allowing the layer 3 routing between them.

Hello Mark,

Once we created VLAN 20 and VLAN 5 on both switches, the issue was resolved.

But we didn't understand the logic behind what happened, as no rules were changed on the layer 3 device.

Please help us understand how creating the VLANs resolved this issue.

Is there anything related to the native VLAN that we need to know?

Was VLAN 20 not allowed on the trunk? As the end PCs have VLAN 20 IP addresses too, both VLANs, 1 and 20, should have been allowed on the trunk.

We haven't created any trunk; the switches are directly connected to the firewall, i.e. Cyberoam, on different physical interfaces.

Please refer to the image and help us out.

If you want any details, let us know.

But why wouldn't you have multiple VLANs in the trunk, or the trunk created, when you're using 2 VLANs at the access layer? The design doesn't look right from the start: it's only allowing VLAN 1 up the pipe, but you also have another subnet there.

My understanding of that is VLAN 20 access IPs should not even be able to speak to VLAN 1, as it's not allowed on the interface up to the FW. IPs in different subnets need to be processed by a layer 3 device to talk to each other, but you're not allowing both VLANs up to the layer 3 device to speak to each other. That's if they were trunked, but as it's an access port, both subnets are under VLAN 1 at the access layer.

It must be something to do with both of the devices being in VLAN 1, and no tags etc. at VLAN 1, so everything was lumped together until you separated the data. The FW must not be aware of them being different subnets without the layer 2 tag to separate them. The setup is wrong from the start really; it should be trunked up to the FW with both VLANs specified correctly at the layer 2 access ports and at the trunk interface to the FW.

You could prove it out by going back to the original setup and capturing the traffic with Wireshark, to see what's happening on the wire when they're speaking to each other compared to the working scenario now.
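The following is an added example of the design Mark describes, not configuration from the original thread or from the poster's switches: each subnet gets its own VLAN at the access layer, and the uplink to the firewall is a dot1q trunk that carries only those two VLANs, so the firewall is the only device that can forward between them. Interface names, the VLAN names and the unused native VLAN 999 are assumptions; the matching tagged VLAN sub-interfaces on the Cyberoam side are not shown because the thread gives no details of that device.

```cisco
! Assumed: Catalyst 2960, IOS CLI. VLAN 1 is left unused for user traffic.
vlan 5
 name NET5
vlan 20
 name NET20
vlan 999
 name NATIVE-UNUSED
!
! Access ports for the 192.168.5.0 hosts (assumed port range)
interface range GigabitEthernet1/0/1 - 12
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Access ports for the 192.168.20.0 hosts (assumed port range)
interface range GigabitEthernet1/0/13 - 24
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the firewall: dot1q trunk, only VLAN 5 and VLAN 20 tagged,
! native VLAN set to an unused VLAN so no user subnet rides untagged.
interface GigabitEthernet1/0/25
 description Uplink-to-Cyberoam
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 5,20
 switchport nonegotiate
!
! Verification after applying:
!   show vlan brief            -> ports listed under 5 and 20, none under 1
!   show interfaces trunk      -> Gi1/0/25 native 999, allowed 5,20
!   show interfaces status     -> access ports show the expected VLAN
```

With this layout a host that changes its own IP to the other subnet stays inside its own VLAN: it cannot ARP for hosts in the other VLAN at layer 2, and the only path between the two subnets is the routed path through the firewall, where the existing Cyberoam rules apply. `switchport mode access` already disables DTP on a 2960; `switchport nonegotiate` on the trunk keeps the trunk static rather than negotiated.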

I will elaborate the whole scenario in detail.

We have 2 different dedicated L2 switches for the 5 network and the 20 network.

We don't want to pass any traffic from one switch to another, but one of the users from the 192.168.5.20 network changed his IP to 192.168.20.252 with gateway 192.168.20.250, and he can still access the whole 20 network without any physical connection to the 20 network.

The issue was resolved once VLAN 5 and VLAN 20 were created on the respective switches. We did not understand the logic behind this scenario.

Our gateway for the 5 network is 192.168.5.4 and the gateway for the 20 network is 192.168.20.250.

What could be the reason behind this problem?

Without replicating the issue and seeing what's happening at the packet level, I can't be sure. You're asking what the logic is behind something being changed to the wrong subnet, which shouldn't have worked, and why it was working until it was set up correctly.
