VLAN hopping or double tagging using “Yersinia”


Here an example in Video of “VLAN hopping” or “double tagging” using Linux tool “yersinia”.

Some recommendation to mitigate the threat of “VLAN hopping”
– Clear Native VLAN from All .1q Trunk.
– Put unused port into unused VLAN.
– Shutdown unused port.
– Configure user ports as static access.
– Filter tagged traffic entering access ports.
– Set native VLAN an unused VLAN.
– Do not use Default Native VLAN = 1.

Example of other tools:
– Mausezahn: http://www.perihel.at/sec/mz/index.html
– Scapy: http://www.secdev.org/projects/scapy/

Differences between PVST and PVST+


Behind the simple “plus” in PVST+ lurk quite subtle details that can make the difference between the two concepts very fuzzy, so the goal of this post is to give you a very brief explanation and I hope enough simple to grasp about PVST and PVST+ and their relationship with the standard IEEE 802.1q:

IEEE 802.1q standard

PVST (Per VLAN Spanning Tree) Cisco proprietary

PVST+ Cisco proprietary

BPDU transported over native VLAN untagged (cannot differentiate between different VLANs), therefore support natively only one single instance of STP for all VLAN, MST (Mono Spanning Tree).

(-) Not interoperable and less flexible approach.

(+) Improve the limitation of 802.1d STP (created before VLAN) by supporting one separate instance for each VLAN, using ISL trunk only.

(-) Still not interoperable with IEEE 802.1q that supports only one STP instance.

(+) Modification of PVST: allow PVST over standard IEEE 802.1q:

1) – PVST+ native VLAN BPDUs are transported (merged) in IEEE native VLAN (CST) untagged using IEEE STP MAC 0180.0CCC.CCCD 01-80-C2-00-00-00

2)– In addition to that, PVST+ native VLAN is send a second time tunneled over IEEE 802.1q using special multicast MAC 0100.0CCC.CCCD (Shared spanning Tree, SSTP):

  1. Untagged, if PVST+ native VLAN=VLAN 1. (figure1)
  2. Tagged (coded with TLV, containing VLAN ID), if native VLAN other than VLAN 1. (figure2)

This is used exclusively for consistency check. Besides, the error “PVID-inconsistency” is generated if PVST+ BPDU is received on a VLAN different from the one it was generated from.

3)– non-native VLAN BPDUs always tunneled over IEEE 802.1q using special multicast MAC 0100.0CCC.CCCD (Shared spanning Tree, SSTP), tagged (coded with TLV, containing VLAN ID)

– Make sure the native VLAN in PVST+ regions, communicating together through IEEE 802.1q, is the same.

– Whatever the complexity of the IEEE 802.1q network, only costs at the borders with PVST+ regions counts for PVST+-IEEE 802.1q native VLAN (VLAN 1 by default) cooperate with PVST, PVST+ and MSTI (802.1s).

– PVST (ISL) instances are mapped one-to-one with PVST+ (802.1q) instances.

Figure 1: PVST+ native VLAN is VLAN 1

Figure 2: PVST+ native VLAN is different from VLAN 1

Here is what to retain :

802.1q (standard) supports only one single instance of STP

  • native VLAN (Common Spanning Tree)  – (let’s say channel 1)
  • one STP instance – (let’s say channel 2)

PVST (Cisco proprietary)

  • Support one STP instance per each VLAN
  • uses ISL trunk only.
  • Doesn’t support 802.1q

PVST+ (Cisco proprietary) Enhance PVST capabilities by allowing to transport PVST over 802.q :

  • native VLAN over “Common Spanning Tree” (over channel 1)
  • Each per-VLAN STP is encapsulated using a special Multicast MAC and transported (over channel 2)

… and little of history from Scott Morris :

“For a long time, IEEE believed there should be one common spanning tree (CST) and obviously Cisco had come out with ISL trunking and PVST allowing for multiple instances.

When the 802.1Q standard was derived, they mandated a single spanning tree, which if you followed the spec would **** the operation of PVST.  So Cisco “improvised” by merely changing the destination address to a different L2 multicast address.

The good thing about that is that in case you had a mixed environment, now any non-Cisco switch receiving a PVST+ BPDU would simply flood it out all available ports for that vlan instead of killing it if it were using the original IEEE multicast address and not in the native vlan.

Sometimes the history of “why” makes it easier to remember the details of “how”.  So PVST doesn’t “not support” 802.1Q, it’s the 802.1Q won’t support PVST.”

Scott

%d bloggers like this: