Cisco – What happens with tagged traffic on access port of Cisco switch

cisco, security, switch, trunk, vlan

I am expanding on this unanswered question: VLAN tagging and access port

Let's assume I am trying to accomplish a Double Tagging Attack. From my understanding, the prerequisite for this attack is to be connected to an access port which is in the same VLAN as the native VLAN on the trunk ports.

As an attacker, I create a frame with two tags inside: the inner tag being the VLAN of my target and the outer tag being the tag of the native VLAN.

So what happens when an access port sees tagged traffic? It would make sense that it would just discard it, preventing this attack from happening. From the materials I've seen, the switch strips the VLAN tag and, since it was the native VLAN, it doesn't add a new tag on the trunk link; therefore it passes my frame with the target VLAN, effectively reaching my target.

I would understand that this can happen if I use it in combination with switch spoofing, creating a trunk link between my PC and the switch (using DTP, for example). But then there is no reason to double tag, because I am on a trunk link, there is no need for modification, and I can just use my target VLAN.

Can someone clarify this for me?

Best Answer

Please check this -

The double tagging VLAN hopping attack takes advantage of 802.1Q tagging and the tag removal process of many types of switches. Many switches remove only one 802.1Q tag. In a double tagging attack, an attacker changes the original frame to add two VLAN tags: an outer tag, which is of his own VLAN, and an inner hidden tag of the victim's VLAN. Here the attacker's PC must belong to the native VLAN of the trunk link.

When the double-tagged frame reaches the switch, the switch can only see the outer tag, the VLAN that the interface really belongs to.

The switch OmniSecuSW1 will now remove the outer VLAN tag and will forward the frame to all the ports belonging to the native VLAN (in this example, VLAN 1). One copy of that frame is forwarded over the trunk link to reach the next switch OmniSecuSW2.

When the frame reaches OmniSecuSW2, it will open the frame and see the second tag. OmniSecuSW2 will now assume that the frame belongs to VLAN 100, and it is forwarded into VLAN 100.

For further reference -

http://www.omnisecu.com/ccna-security/what-is-double-tagging-attack-how-to-prevent-double-tagging-attack.php
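As an added example (not code from the question, the answer, or the linked article), the following Python parses the stacked 802.1Q headers of a raw Ethernet frame, as a monitoring tool fed from a mirror port would, and flags the case the answer describes: two tags whose outer VID equals the trunk's native VLAN. The sample frames, the MAC addresses and the native VLAN value of 1 are constructed assumptions.

```python
# Added example (not from the original post): walk stacked 802.1Q headers in a
# raw Ethernet frame and flag a double tag whose outer VID is the native VLAN,
# the frame shape the answer above describes (outer VLAN 1, inner VLAN 100).
import struct

TPID_8021Q = 0x8100
NATIVE_VLAN = 1  # assumption: trunk native VLAN 1, as in the answer's example

# Constructed sample frames: dst MAC, src MAC, then tags and EtherType 0x0800.
MACS = bytes.fromhex("ffffffffffff" "020000000001")
PAYLOAD = b"\x00" * 20
FRAME_UNTAGGED = MACS + bytes.fromhex("0800") + PAYLOAD
FRAME_SINGLE = MACS + bytes.fromhex("8100 0064 0800") + PAYLOAD  # VLAN 100
FRAME_DOUBLE = MACS + bytes.fromhex("8100 0001 8100 0064 0800") + PAYLOAD  # 1 / 100


def parse_vlan_tags(frame: bytes):
    """Return (list of VIDs outer-to-inner, final EtherType) for a frame."""
    offset = 12  # skip destination and source MAC
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q header")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def classify(frame: bytes, native_vlan: int = NATIVE_VLAN) -> str:
    """Label a frame; the first branch is the native-VLAN hop from the answer."""
    vids, _ = parse_vlan_tags(frame)
    if len(vids) >= 2 and vids[0] == native_vlan:
        return f"native-vlan double tag: outer {vids[0]} -> inner {vids[1]}"
    if len(vids) >= 2:
        return f"stacked tags: outer {vids[0]}, inner {vids[1]}"
    if vids:
        return f"tagged: VLAN {vids[0]}"
    return "untagged"


if __name__ == "__main__":
    for name, f in [("untagged", FRAME_UNTAGGED), ("single", FRAME_SINGLE),
                    ("double", FRAME_DOUBLE)]:
        print(name, "->", classify(f))
```

A frame seen on an access port with any 802.1Q tag at all is already worth alerting on; the native-VLAN double-tag label is the specific pattern that crosses into another VLAN on the next trunk hop.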