Vlan Hopping Vulnerability
Hello, I have read many docs about this exploit but there are some
contradictions.

I know that this exploit exists in 3 ways:

1) Basic => The attacker spoofs a switch and gains the trunked state of
the switch's port. This relies on the auto-negotiate feature being turned ON.
This way is simple to understand and to block.

2) Complex 1 => This attack is described at
http://www.sans.org/resources/idfaq/vlan.php and, to work, needs the
attacker and the trunk to share the same native VLAN (e.g. VLAN 10). In this
doc the attacker sends on the access port (VLAN 10) a tagged frame
with a VLAN-ID of the target VLAN (e.g. VLAN 20). The switch takes the frame
and forwards it on the trunk port without the native tag (10). The other switch
(connected via the trunk) reads the VLAN-ID (20) and forwards the frame on access
VLAN 20.

In this scenario my doubts are:

- Why does the first SW accept the tagged frame?
Is this behaviour an anomaly?

- Why does the last switch, which receives a native frame on the trunk port, read
the VLAN-ID? Is this normal or an anomaly? I think that the SW doesn't read the
VLAN-ID because the frame on the trunk is native.

3) Complex 2 => In other docs, e.g.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_...
there is an attack called "Double-Encapsulated 802.1Q". In this
exploit the conditions are similar to the
preceding case but the attacker needs to insert two VLAN-IDs (outer, inner).
If this case works then the first switch reads the VLAN-ID on the access port and
forwards the frame on the trunk (stripping off the first VLAN-ID). This behaviour is
different from the
preceding case. Why does the switch forward this frame according to the VLAN-ID
on the access port? Is this behaviour another anomaly?

Sorry about the length of the post but I want to understand whether this
vulnerability has been resolved or not.

Thanks

Giuseppe Citerna
ccie#10503
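The double-encapsulated case in the post above, as an added example that is not part of the original post or of the SANS/Cisco documents it cites: a small Python model of two 802.1Q switches joined by a trunk, so the native-VLAN condition can be checked mechanically. The frame builder follows the 802.1Q tag layout (0x8100 TPID followed by a 16-bit TCI whose low 12 bits are the VID). The switch rules are assumptions, modelled on common IOS behaviour rather than taken from the page: an access port accepts an untagged frame or a frame tagged with its own VLAN and drops any other tag; a trunk sends native-VLAN frames untagged unless the native VLAN is tagged (as with the Cisco IOS `vlan dot1q tag native` command); a trunk assigns an untagged frame to the native VLAN and a tagged frame to its tag's VLAN. The MAC addresses and payload are constructed test data.

```python
# Added example (not from the original post): model of the double-tagged
# 802.1Q VLAN hop across two switches and the native-VLAN conditions it needs.
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800


def mac(addr):
    return bytes.fromhex(addr.replace(":", ""))


def build_frame(dst, src, vlan_tags, ethertype, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    frame = mac(dst) + mac(src)
    for vid in vlan_tags:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); priority and DEI left at 0
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vid, frame without its outer tag), or (None, frame) if untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


# --- switch port behaviour (assumed; modelled on common IOS semantics) ---

def access_ingress(frame, access_vlan):
    """Access port: untagged frames join the access VLAN; a tag equal to the
    access VLAN is accepted and stripped; any other tag is dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Trunk port: native-VLAN frames leave untagged unless the native VLAN is
    tagged (assumed 'vlan dot1q tag native'); all other VLANs get a tag."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Trunk port: a tagged frame belongs to the VLAN in its tag; an untagged
    frame belongs to the native VLAN."""
    vid, inner = pop_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, inner)


def deliver(frame, access_vlan, native_vlan, tag_native=False):
    """Attacker's access port on switch 1 -> trunk -> switch 2.
    Returns the VLAN the frame lands in on switch 2, or None if dropped."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    f = trunk_egress(f, vlan, native_vlan, tag_native)
    vlan2, _ = trunk_ingress(f, native_vlan)
    return vlan2


# Constructed test data (hypothetical addresses and payload).
ATTACKER = "00:11:22:33:44:55"
BCAST = "ff:ff:ff:ff:ff:ff"
PAYLOAD = b"constructed test payload"


def double_tagged(outer, inner):
    return build_frame(BCAST, ATTACKER, [outer, inner], ETH_P_IP, PAYLOAD)


def single_tagged(vid):
    return build_frame(BCAST, ATTACKER, [vid], ETH_P_IP, PAYLOAD)


if __name__ == "__main__":
    f = double_tagged(10, 20)
    print("native 10, outer 10, inner 20  ->", deliver(f, 10, 10))        # 20: the hop
    print("native VLAN tagged on the trunk ->", deliver(f, 10, 10, True))  # 10
    print("native VLAN moved to unused 999 ->", deliver(f, 10, 999))       # 10
    print("single tag 20 on access VLAN 10 ->", deliver(single_tagged(20), 10, 10))  # None
```

Under these rules the outer tag must equal both the access VLAN of the attacker's port and the native VLAN of the trunk: switch 1 strips it as its own VLAN, sends the frame untagged because it is native, and switch 2 then sees only the inner tag. Either tagging the native VLAN or moving it to a VLAN no access port uses breaks the chain, and a frame carrying only the target tag never leaves the access port. The model also shows why the hop is one-way: nothing on the path back adds a tag that would carry a reply into the attacker's VLAN.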
