Double Tagging

On an IEEE 802.1Q trunk, one VLAN is designated as the native VLAN. Frames belonging to the native VLAN are sent from one switch to the other without any 802.1Q tag.

If an attacker's PC belongs to the native VLAN, the attacker could leverage this untagged-native-VLAN behavior by sending traffic that carries two 802.1Q tags. Specifically, the traffic's outer tag is for the native VLAN, and the traffic's inner tag (which is not examined by the switch's ingress port) is for the target VLAN to which the attacker wants to send traffic.

As illustrated in Figure 6-2, the first switch (SW1) removes the outer tag from the frame before forwarding the frame to its neighboring switch (SW2), because the outer tag specifies the native VLAN (VLAN 1 in this example), which a switch sends across the trunk untagged. Once the frame is transmitted from SW1 to SW2, the inner tag is therefore the outermost tag that SW2 sees, and it specifies the target VLAN (VLAN 100 in this example). SW2 consequently forwards the traffic into the target VLAN.

To help prevent a VLAN hopping attack using double tagging, do not use the native VLAN to send user traffic. You can accomplish this by creating a VLAN in your organization that does not have any ports. This unused VLAN is solely for the purpose of native VLAN assignment. Example 6-3 shows a configuration on a Cisco Catalyst 3550 in which the native VLAN has been set to an unused VLAN.

Figure 6-2 VLAN Hopping Using Double Tagging (figure: a frame tagged 1 (outer) and 100 (inner) enters SW1; SW1 and SW2 are connected by an 802.1Q trunk whose native VLAN is VLAN 1; the frame crosses the trunk tagged only 100 and is delivered into VLAN 100 on SW2)

Example 6-3 Setting the Native VLAN

Key Topic

Cat3550(config)# interface gigabitethernet 0/4
Cat3550(config-if)# switchport trunk native vlan 400
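To make the mechanism and the mitigation concrete, the following is an added teaching simulation, not code from the book or from Cisco. It models only the two rules the text relies on (a switch sends native-VLAN frames across the trunk untagged, and the far switch classifies an arriving frame by its outermost tag, or by the native VLAN if it has none) and then compares the trunk with native VLAN 1 against the trunk with the unused native VLAN 400 from Example 6-3. Switch names, port names, and the rule that an access port consumes a tag matching its own VLAN and drops any other tag are assumptions made for the model.

```python
"""Simplified simulation of 802.1Q double tagging across two switches.

Constructed teaching model (not real packet bytes, not Cisco IOS code):
it only models native-VLAN stripping on the trunk and tag-based
classification on the far switch.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    tags: List[int]      # 802.1Q VLAN IDs, outermost first; [] means untagged
    payload: bytes


@dataclass
class Switch:
    name: str
    native_vlan: int              # native VLAN of the trunk to the neighbor
    ports: Dict[int, List[str]]   # VLAN ID -> host-facing access ports (assumed)

    def ingress_access(self, frame: Frame, access_vlan: int) -> Optional[Tuple[int, Frame]]:
        """Host-facing access port. Assumed rule: a tag equal to the port's
        access VLAN is consumed, a foreign tag is dropped, and any tag
        underneath is NOT examined (this is the gap the attack relies on)."""
        if frame.tags and frame.tags[0] != access_vlan:
            return None
        rest = frame.tags[1:] if frame.tags else []
        return access_vlan, Frame(rest, frame.payload)

    def egress_trunk(self, vlan: int, frame: Frame) -> Frame:
        """Native VLAN leaves the trunk untagged; every other VLAN gets
        its tag pushed on as the outermost tag."""
        if vlan == self.native_vlan:
            return frame
        return Frame([vlan] + frame.tags, frame.payload)

    def ingress_trunk(self, frame: Frame) -> Tuple[int, Frame]:
        """Far side of the trunk: outermost tag decides the VLAN; an
        untagged frame is placed in the native VLAN."""
        if frame.tags:
            return frame.tags[0], Frame(frame.tags[1:], frame.payload)
        return self.native_vlan, frame


def simulate(native_vlan: int, attacker_vlan: int, tags: List[int]) -> Optional[Tuple[int, List[str]]]:
    """Send one frame from an access port on SW1 across the trunk to SW2.

    Returns (VLAN the frame lands in on SW2, ports it is flooded to), or
    None if SW1 drops it at the access port.
    """
    # Constructed topology: user VLAN 1 and target VLAN 100 on both switches.
    layout = {1: ["Gi0/1"], 100: ["Gi0/2"]}
    sw1 = Switch("SW1", native_vlan, layout)
    sw2 = Switch("SW2", native_vlan, layout)

    frame = Frame(list(tags), b"constructed payload")
    classified = sw1.ingress_access(frame, attacker_vlan)
    if classified is None:
        return None
    vlan, frame = classified
    on_wire = sw1.egress_trunk(vlan, frame)
    landed_vlan, _ = sw2.ingress_trunk(on_wire)
    return landed_vlan, sw2.ports.get(landed_vlan, [])


if __name__ == "__main__":
    # Native VLAN 1 carries users: the inner tag 100 becomes outermost on the wire.
    print("native 1,   tags [1,100]  ->", simulate(1, 1, [1, 100]))     # (100, ['Gi0/2'])
    # Native VLAN 400 is unused: VLAN 1 is tagged on the trunk, inner tag never honored.
    print("native 400, tags [1,100]  ->", simulate(400, 1, [1, 100]))   # (1, ['Gi0/1'])
    # Forging the unused native VLAN as the outer tag is refused at the access port.
    print("native 400, tags [400,100]->", simulate(400, 1, [400, 100])) # None
```

The second call is the point of Example 6-3: once no user port belongs to the native VLAN, the attacker's VLAN is always tagged on the trunk, so SW2 classifies the frame by that tag and the inner tag is never promoted to the outermost position.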
