Vlan Hopping

Hello, i have read many doc about this exploit but there are any contradictions.

I hnow that this exploit exist in 3 ways :

1) Basic=> The attacker spoof a switch and gains the trunked states of the switch's port. Rely on auto-negotiate feature turned ON. This ways is simple to understand and to block

2) Complex 1 => This attack is described on

formatting link
and to work need that the attacker and the trunk share same native vlan ( ex. VLAN 10 ). In this doc. the attacker send on the access port ( VLAN 10 ) a tagged frame with a VLAN-ID of target VLAN ( ex. VLAN 20 ) . The switch takes frame and forward it on trunk port without native tag (10). The other switch (connected via-trunk) read VLAN-ID(20) and forward frame on the access vlan 20.

In this scenario my doubts is :

- Why the first SW accepts tagged frame ? Is this behavior an anomaly of work ?

- Why the last switch that receives native frame on trunk port reads the VLAN-ID ? Is this normal or anomaly ? I think that sw does'nt read VLAN-ID because the frame on trunk is native .

2)Complex 2 => In other docs per ex:
formatting link
is an attack called " Double-Encapsulated 802.1Q ". In this exploit the conditions are similar to the precedent but the attacker need to insert two VLAN-ID ( outer,inner ). If this case work then the first switch read VLAN-ID on access port and forward frame on trunk ( strip off first VLAN-ID ) . This behavior is different that precedent case . Why the switch forward this frame according to VLAN-ID

on the access-port ? Is this behavior another anomalies ?

Sorry about lenght of post but i want to understand if this vulnerability were resolved or not .

Thanks

Giuseppe Citerna ccie#10503

Reply to
Jos_Cit
Loading thread data ...

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.