IEEE 802.1q - VLANs. Nick Poorman


The dot1q IEEE standard can be found here: http://standards.ieee.org/getieee802/802.1.html RFC 3069 (VLAN Aggregation for Efficient IP Address Allocation) can be found here: http://www.faqs.org/rfcs/rfc3069.html

dot1q VLAN Tagging - A networking standard written by the IEEE 802.1 workgroup allowing multiple bridged networks to transparently share the same physical link without leakage of information between networks.

Difference between a subnet and a VLAN? A subnet (Layer 3) is a part of the IP address space, e.g. 192.168.1.0/255.255.255.0 or 10.1.1.0/255.255.255.0 (under the old classful rules a 10.x.x.x network had 255.0.0.0 as its mask; today the mask is whatever you configure). A VLAN (Layer 2) is a set of ports on one or many switches that behave as if they were their own separate LAN. VLANs are not based on IP addresses, so one VLAN can carry many different IP subnets (and, badly, one subnet can be spread over several VLANs).

Frame Format 802.1Q does not encapsulate the original frame. It inserts a 32-bit tag between the source MAC address and the EtherType/Length field of the original frame. Stacking two or three tags (double/triple tagging, "QinQ") is allowed. Exploit?
Tag Protocol Identifier (TPID): a 16-bit field set to 0x8100 to identify the frame as an IEEE 802.1Q-tagged frame. It sits in the position the EtherType/Size field occupies in an untagged frame, which is how a receiver tells tagged frames from untagged ones. (0x88A8 marks an IEEE 802.1ad service tag, the outer tag in QinQ.)
Priority Code Point (PCP): a 3-bit field carrying the IEEE 802.1p priority, from 0 (lowest) to 7 (highest), used to prioritise different classes of traffic (voice, video, data, etc.).
Canonical Format Indicator (CFI): a 1-bit field. 1 means the MAC addresses are in non-canonical format, 0 means canonical format. Ethernet switches always set it to 0; it exists for compatibility between Ethernet and Token Ring. A frame received on an Ethernet port with CFI set to 1 should not be bridged to an untagged port. (802.1Q-2011 redefined this bit as the Drop Eligible Indicator, DEI.)
VLAN Identifier (VID): a 12-bit field specifying the VLAN the frame belongs to. A value of 0 means the frame belongs to no VLAN; the tag then carries only a priority and is called a priority tag. The value 0xFFF is reserved. All other values may be used as VLAN identifiers, allowing up to 4094 VLANs. On bridges, VLAN 1 is often reserved for management.
Source: http://en.wikipedia.org/wiki/ieee_802.1q

Ethernet Frame (Layer 2)

Multiple Spanning Tree Protocol (MSTP) Originally defined in IEEE 802.1s (2002), later merged into IEEE 802.1Q-2005. A Layer 2 protocol used to prevent bridge loops in the network topology: select the root bridge, determine the least-cost paths to the root, and block all other paths to the root. MSTP maps groups of VLANs onto MST instances and runs a separate spanning tree for each instance, blocking all but one of the possible alternate paths within each tree (Cisco's PVST+ does the same with one tree per VLAN).

802.1Q / Cisco ISL trunking Allows multiple VLANs to span multiple switches over a single link (a trunk), with the tag identifying which VLAN each frame belongs to.

Using VLANs for Security. Good or Bad? VLANs were not designed as an isolation mechanism, a founding principle of security, yet they are routinely used for exactly that. There are inherent weaknesses in relying on VLANs for isolation. http://www.spirit.com/network/net0103.html

VLAN Exploits Packets hop to a different VLAN. Example from the article above: two systems have established TCP/IP communication on the same VLAN, then the switch is reconfigured so that one system's port belongs to a different VLAN. Communication may continue because each host still has the other's MAC address in its ARP cache and the bridge still knows which port each destination MAC address is behind. Caveat: this only works on a switch whose forwarding table is shared across VLANs; a switch that learns and forwards per VLAN (independent VLAN learning, as 802.1Q expects) will not deliver a frame received in one VLAN to a port in another. Scapy: a Python packet crafting library, usable interactively or from scripts, that can build arbitrary 802.1Q-tagged frames and is a convenient tool for testing a network for VLAN hopping. http://www.darknet.org.uk/2007/05/scapy-interactive-network-packet-manipulation/

VLAN Exploits Multiple tags can be used to hop across trunks (double tagging). A host on the trunk's native VLAN sends a frame carrying two tags: the outer tag is the native VLAN, the inner tag is the victim VLAN. The first switch strips the outer tag because native-VLAN traffic crosses the trunk untagged; the next switch then sees the inner tag and delivers the frame into the victim VLAN. The attack is one-way (replies do not come back the same path) and is defeated by keeping user ports off the native VLAN or by tagging the native VLAN on trunks. A Layer 3 routing device can also forward packets from one VLAN to the next; that is by design, but it breaks our isolation principle unless traffic between VLANs is filtered.
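Added example, not code from the original slides: a small pure-Python 802.1Q tag builder and parser for the frame format described above, plus a simplified model of how a trunk handles its native VLAN, used to walk through the double-tagging hop and the two configurations that stop it. MAC addresses, VLAN numbers and the switch model are constructed for the demo; on a real network the same frames would be sent with Scapy's Dot1Q layer.

```python
"""802.1Q tag parsing and a double-tagging (VLAN hopping) walk-through.

Added example, not from the original slides.  Frames are built inline with
constructed MAC addresses; switch behaviour is a simplified model of an
802.1Q trunk with a native (untagged) VLAN.
"""
import struct

TPID_8021Q = 0x8100    # customer VLAN tag (C-TAG)
TPID_8021AD = 0x88A8   # service-provider tag (S-TAG, QinQ)
VID_PRIORITY = 0x000   # priority tag: no VLAN membership
VID_RESERVED = 0xFFF


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_tag(vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """TPID (16 bits) + TCI (PCP:3, DEI/CFI:1, VID:12)."""
    if not 0 <= vid < VID_RESERVED:
        raise ValueError("VID must be 0..4094 (0xFFF is reserved)")
    tci = ((pcp & 7) << 13) | ((dei & 1) << 12) | (vid & 0xFFF)
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, ethertype, payload, vids=()):
    """Ethernet II frame; each VID in `vids` becomes one 0x8100 tag (outer first)."""
    tags = b"".join(build_tag(v) for v in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [(tpid, pcp, dei, vid), ...], ethertype, payload).

    Tags sit between the source MAC and the EtherType and are read until a
    non-TPID EtherType appears, so stacked tags of any depth are handled.
    """
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vid = tci & 0xFFF
        if vid == VID_RESERVED:
            raise ValueError("reserved VID 0xFFF")
        tags.append((etype, tci >> 13, (tci >> 12) & 1, vid))
        off += 4
    return dst, src, tags, etype, frame[off + 2:]


def trunk_egress(frame, native_vid, tag_native=False):
    """Switch sends a frame out a trunk: the outer tag is removed when it equals
    the native VLAN, unless native-VLAN tagging is enabled."""
    _, _, tags, _, _ = parse_frame(frame)
    if tags and tags[0][3] == native_vid and not tag_native:
        return frame[:12] + frame[16:]      # drop the 4-byte outer tag
    return frame


def trunk_ingress_vlan(frame, native_vid):
    """Switch receives a frame on a trunk: the outer tag decides the VLAN;
    an untagged frame is assigned to the native VLAN."""
    _, _, tags, _, _ = parse_frame(frame)
    return tags[0][3] if tags else native_vid


def vlan_hop(attacker_vid, target_vid, native_vid, tag_native=False):
    """Double-tagging attempt: outer tag = attacker's VLAN, inner tag = target.
    Returns the VLAN the second switch delivers the frame into."""
    f = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0800,
                    b"\x45" + b"\x00" * 19, vids=(attacker_vid, target_vid))
    on_wire = trunk_egress(f, native_vid, tag_native)   # switch 1 -> trunk
    return trunk_ingress_vlan(on_wire, native_vid)      # switch 2 <- trunk


if __name__ == "__main__":
    print("attacker on native VLAN 1, target 20:", vlan_hop(1, 20, 1))
    print("same, native VLAN tagged on trunk:  ", vlan_hop(1, 20, 1, True))
    print("attacker on VLAN 10, native 999:     ", vlan_hop(10, 20, 999))
```

The hop succeeds only when the attacker's outer tag equals the untagged native VLAN of the trunk; tagging the native VLAN or moving it to an unused VID leaves the outer tag in place, so the second switch keeps the frame in the attacker's own VLAN.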

Experiment Isolation in a Secure Cluster Testbed http://www.usenix.org/event/cset08/tech/full_papers/lahey/lahey_html/ After reading this paper on the DETER cluster testbed (modelled after Utah's Emulab), the idea of a "tagger" used to isolate experiments into their own networks seemed intriguing. I decided to use it as a means of extreme isolation for each node on the network, so that nodes are protected from each other as well as from the outside world.

Solution? The Tagger. To use VLANs as a means of secure isolation there must be a check that verifies a packet passing through the network is not forged. This is relatively simple to do with a bridge device sitting in front of the switch. This server is responsible for the Layer 2 tagging of the VLAN ID. By keeping a static table of MAC address to VLAN ID, the tagging server and the switch together can do low-level packet filtering.

The Tagging Server By keeping a static table of MAC address to VLAN ID mappings we can tag packets with the appropriate VLAN ID before they enter the switch, and filter packets coming from the switch on the trunk port whose source MAC address has been spoofed to look like another machine's. As a packet enters the tagging server, its destination MAC address is looked up in the table. If a VLAN ID is found for the destination MAC, the packet is tagged with that VLAN ID and forwarded to the switch; if no entry is found, the packet is dropped. (ebtables can do the filtering; it is essentially iptables for Layer 2.)

The Switch A packet entering the switch on the trunk port has its destination MAC address and VLAN ID checked against the MAC:port forwarding table. If the (MAC address, VLAN ID) pair is found, the packet is sent out the port assigned to that VLAN ID; otherwise the switch discards it. A packet entering the switch through an access port is tagged by the switch with the VLAN ID of the port it came in on.

Summary This solution prevents a host from spoofing its MAC address and having the packet forwarded into the VLAN of the spoofed host. When a host spoofs its MAC address, the packet entering the switch's access port is tagged by the switch with the VLAN ID associated with that port (something the host cannot spoof) and is forwarded to the tagging server (the bridge device), which verifies that the source MAC address in the packet really belongs to the VLAN ID the switch tagged.
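Added example, not the author's implementation (the slides name ebtables for the real filtering): a Python model of the tagger policy from the last three slides. Frames are represented as small records rather than raw bytes; the switch's access-port tagging, the tagger's outbound tagging by destination MAC, and its inbound check of source MAC against the switch-applied VLAN ID are each one function, so the spoofing scenario in the summary can be run end to end. MAC addresses and VLAN IDs are constructed for the demo.

```python
"""Model of the tagging bridge described in the slides.

Added example, not the original author's code.  A static MAC -> VLAN table
drives (a) tagging of frames headed into the switch, by destination MAC, and
(b) verification of frames arriving from the switch's trunk port, where the
switch has already stamped the VLAN of the ingress access port.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None     # None = untagged


class Tagger:
    def __init__(self, mac_to_vid: Dict[str, int]):
        # Static table; in the slides it is maintained over SNMP from a
        # management network rather than learned from traffic.
        self.table = {m.lower(): v for m, v in mac_to_vid.items()}

    def to_switch(self, f: Frame) -> Optional[Frame]:
        """Outbound: tag by destination MAC.  Unknown destination -> drop."""
        vid = self.table.get(f.dst.lower())
        if vid is None:
            return None
        return Frame(f.dst, f.src, vid)

    def from_switch(self, f: Frame) -> Optional[Frame]:
        """Inbound on the trunk: the switch tagged the frame with the VLAN of the
        access port it arrived on.  Accept only if the source MAC is registered
        for exactly that VLAN; a forged source MAC lands in the wrong VLAN
        and is dropped.  Untagged frames on the trunk are never accepted."""
        if f.vid is None:
            return None
        if self.table.get(f.src.lower()) != f.vid:
            return None
        return f


def switch_access_ingress(f: Frame, port_vid: int) -> Frame:
    """Access port: the switch stamps the port's VLAN, whatever the host sent."""
    return Frame(f.dst, f.src, port_vid)


def spoof_demo():
    """Host A (VLAN 10) forges host B's MAC as its source.  Returns
    (legitimate frame accepted?, spoofed frame accepted?)."""
    A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    tagger = Tagger({A: 10, B: 20})
    legit = tagger.from_switch(switch_access_ingress(Frame(B, A), port_vid=10))
    spoof = tagger.from_switch(switch_access_ingress(Frame(B, B), port_vid=10))
    return legit is not None, spoof is not None


if __name__ == "__main__":
    print("legit accepted, spoof accepted:", spoof_demo())
```

The check in from_switch is the whole point of the design: the host controls the source MAC but not the VLAN ID the switch stamps on its access port, so the pair (source MAC, switch VLAN) can be validated against the static table.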

Side Note Bridge firewalls should exist between each element on the network to prevent malicious traffic from passing between devices. The static MAC:port table should be managed with MIBs over SNMP, so that updates such as nodes being added or removed can be pushed remotely from a management server on the management network. Private VLANs (PVLANs) give essentially the same isolation, but with the tagger we can additionally restrict multicast distribution to selected VLANs.

VMware has done it again! vSphere (previously ESX Server) has a hypervisor that plays god for us and makes sure that packets are not spoofed. Each time a packet is sent out a virtual network interface, the hypervisor compares its source MAC address with the adapter's effective MAC address (the initial MAC comes from the VM's .vmx configuration); with the port group's "Forged Transmits" policy set to Reject, a frame whose source MAC does not match is dropped (with the default Accept policy, it is not, so check the setting). No spanning tree protocol exploits, because there is no spanning tree implementation: vSphere does not allow virtual switches to connect to other virtual switches, so no loops can be created.