VLAN security - ingress filtering questions.

I have been reading over pcunite’s great article - “Using RouterOS to VLAN your network”. Many thanks to him, this is a must read. Very, very well done. I am using some of his script to support my questions here. His post has got me thinking about a couple of questions I would like to get some further clarification on in regard to VLAN Security.

In a RoaS (Router on a stick) configuration, you have a trunk port connected to a L2 managed switch. On the interface the switch is connected to, only tagged frames should be present. Therefore something like this is appropriate for additional security:

/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]

In a router and switch configuration (some ports on the router switching), the following command is put forth:

/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]

My Understanding…

  1. Configurations of RoaS (router on a stick) use a trunk port with only tagged packets present. So, filter (drop?) everything else, i.e. untagged packets. This mostly makes sense to me.
  2. On a router/switch you will have a mix of what is called “untagged-and-priority-tagged” packets. This does not really make sense to me.

My Questions

  1. I have “admit all” configured in my system. What is the security risk with this configuration? Is this a physical security issue? What would the attack strategy be - to inject tagged packets on a trunk port? Could you say - configure a device’s IP in the management vlan (for example) and simply hop on?

  2. How are “untagged-and-priority-tagged” packets different from “admit all”? Aren’t those the only two choices for frame-type?

In summary, I am simply trying to understand the advantages (and potential disadvantages) to using those ingress filtering options. What security does it provide? Thanks in advance for any feedback.

The idea is to limit access through ports on the switch or router…
Admit all means someone could add a vlan device and add vlan traffic to that port whereas you only want untagged frames and priority frames to enter that port.

Some rules allow any vlan onto that port that is identified on the router somewhere
Some rules only allow vlans specifically onto the port (not all the ones that are identified on the router).

Thanks anva -

Any idea what “priority” tag means?
How is the admit all any different from admit untagged and tagged?

priority-tagged … I’ve never seen one, but legend goes that if one wants to use the QoS field, that one comes as an 802.1Q tag (commonly referred to as VLAN tag, but there’s more to it) with VID set to some invalid value (e.g. 0) … which technically makes such a frame “not untagged” … in particular it is “priority tagged”. For VLAN purposes it is as good as untagged, hence “untagged-and-priority-tagged”.

If a port is set to frame-types=admit-untagged-and-priority-tagged, it will allow the untagged frames and the frames described in the previous paragraph. It won’t allow frames tagged with a valid VID. If, OTOH, a port is set to frame-types=admit-all it will allow any frame, including untagged, priority tagged and tagged with a valid VID.

To @RackKing questions:
one can consider untagged as yet another VLAN. The beauty (or curse) of it is that it’s mostly configured differently … e.g. instead of using vlan interface to interact with it one uses bridge (or physical) interface. Different ports of same bridge can have different pvids and thus untagged frames on different ports belong to different VLANs, tagged always belong to same VLAN. Etc.
Sometimes it is necessary to set admit-all, e.g. for hybrid ports (untagged and tagged frames on same interface). But it is better to set frame-types to value really needed. One should always combine that with ingress-filtering=yes which is about the security. This setting actually prevents attacker from injecting frames into VLAN which is not present on said interface.
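To make the three frame-types values and the effect of ingress-filtering=yes concrete, here is a small simulation of a bridge port's ingress decision. It is an added example, not code from this thread or from RouterOS; it models the behaviour described above (a VID of 0 means priority-tagged, untagged and priority-tagged frames are placed in the port's pvid, and ingress-filtering drops tagged frames whose VID the port is not a member of). The port names, VLAN IDs, MAC addresses and frame bytes are constructed sample values.

```python
"""Bridge-port ingress simulation for frame-types and ingress-filtering.

Added example for this thread; not code from the posts or from RouterOS.
Sample MACs, VIDs, port names and frames below are constructed values.
"""
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
SRC_MAC = bytes.fromhex("020000000001")  # constructed, locally administered
DST_MAC = bytes.fromhex("020000000002")  # constructed


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    vid: Optional[int]  # VLAN the frame would be switched in, if known


def build_frame(dst: bytes, src: bytes, vid: Optional[int] = None, pcp: int = 0,
                ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a sample frame: vid=None -> untagged, vid=0 -> priority-tagged."""
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def classify(frame: bytes):
    """Return ('untagged', None), ('priority-tagged', pcp) or ('tagged', vid)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return ("untagged", None)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    pcp, vid = tci >> 13, tci & 0x0FFF
    if vid == 0:  # 802.1Q: VID 0 carries only priority, no VLAN membership
        return ("priority-tagged", pcp)
    return ("tagged", vid)


class BridgePort:
    # Which frame kinds each frame-types value lets through the port
    ADMIT = {
        "admit-all": {"untagged", "priority-tagged", "tagged"},
        "admit-only-untagged-and-priority-tagged": {"untagged", "priority-tagged"},
        "admit-only-vlan-tagged": {"tagged"},
    }

    def __init__(self, name: str, pvid: int, frame_types: str,
                 ingress_filtering: bool, tagged_vlans=()):
        if frame_types not in self.ADMIT:
            raise ValueError(f"unknown frame-types value: {frame_types}")
        self.name, self.pvid = name, pvid
        self.frame_types, self.ingress_filtering = frame_types, ingress_filtering
        # VLANs this port is a member of: its pvid (untagged) plus explicit tagged ones
        self.members = {pvid} | set(tagged_vlans)

    def admit(self, frame: bytes) -> Verdict:
        kind, value = classify(frame)
        # Step 1: frame-types decides which kinds of frame may enter at all
        if kind not in self.ADMIT[self.frame_types]:
            return Verdict(False, f"{self.name}: frame-types={self.frame_types} rejects {kind}", None)
        # Step 2: untagged and priority-tagged frames land in the port's pvid
        vid = value if kind == "tagged" else self.pvid
        # Step 3: ingress-filtering drops frames for VLANs the port is not a member of
        if self.ingress_filtering and vid not in self.members:
            return Verdict(False, f"{self.name}: ingress-filtering drops VID {vid}, not a member", vid)
        return Verdict(True, f"{self.name}: {kind} frame accepted into VLAN {vid}", vid)


def demo() -> dict:
    """Run constructed frames through four differently configured ports."""
    untagged = build_frame(DST_MAC, SRC_MAC)
    prio = build_frame(DST_MAC, SRC_MAC, vid=0, pcp=5)
    tagged10 = build_frame(DST_MAC, SRC_MAC, vid=10)
    tagged99 = build_frame(DST_MAC, SRC_MAC, vid=99)  # VID no port below is a member of

    trunk = BridgePort("ether2", 1, "admit-only-vlan-tagged", True, tagged_vlans={10, 20})
    access = BridgePort("ether3", 10, "admit-only-untagged-and-priority-tagged", True)
    hybrid = BridgePort("ether4", 1, "admit-all", True, tagged_vlans={20})
    loose = BridgePort("ether5", 1, "admit-all", False)  # no ingress filtering at all

    return {
        "trunk/tagged-10": trunk.admit(tagged10),
        "trunk/untagged": trunk.admit(untagged),
        "trunk/tagged-99": trunk.admit(tagged99),
        "access/untagged": access.admit(untagged),
        "access/priority-tagged": access.admit(prio),
        "access/tagged-10": access.admit(tagged10),
        "hybrid/untagged": hybrid.admit(untagged),
        "hybrid/tagged-99": hybrid.admit(tagged99),
        "loose/tagged-99": loose.admit(tagged99),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {'ACCEPT' if verdict.accepted else 'DROP  '} {verdict.reason}")
```

The last two ports are the point of the thread: both are admit-all, but only the one with ingress-filtering=yes drops the VID 99 frame, because the port is not a member of that VLAN. With ingress-filtering=no the frame is switched into VLAN 99 even though nothing on that port was ever configured for it.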

@mkx - thank you very much for the contribution. This part hit home for me: "One should always combine that with ingress-filtering=yes which is about the security. This setting actually prevents attacker from injecting frames into VLAN which is not present on said interface." I was just trying to envision what that attack might be, but I think that is best left to people much smarter than me. Making it difficult is what counts.

I was thinking that “admit only untagged and priority tagged” = hybrid ports. Thanks for clearing this up. So a hybrid port must be set to admit all. I know this happens in some cases where an unmanaged switch is used.

At the end of the day - we really only have “admit only tagged” and “admit only untagged”… right?