Azendale
newbie
Topic Author
Posts: 43
Joined: Thu Feb 06, 2014 8:49 pm

CRS: Filter packets ingress to an "access" port that are tagged

Fri Aug 21, 2015 2:51 am

I have attached the config that I see this happening with on a CRS125-24G-1S-RM switch.

What I'm seeing is that I have a machine connected to ether3 and to ether1. Both machines can be configured to use VLANs. The machine connected to ether1 has vlans 200,300 configured with 192.168.72.16/24 and 192.168.73.16/24, respectively.

The machine on ether3 started out having 192.168.73.15/24 assigned to the interface directly. I then pinged 192.168.73.16 (the ether1 machine's tagged interface) and it worked as it should: the untagged packet came in on ether3, was tagged to VLAN300, and exited the switch on ether1 with VLAN tag 300. That is as I would expect.

Then I set up VLAN300 on the ether3 machine. I put the address 192.168.73.15/24 on the VLAN300 interface and tried pinging 192.168.73.16. The packet would come in on the switch port ether3 tagged and exit on ether1 as being tagged with VLAN300. How do I block this? I want anything tagged coming in on an "access" port like this dropped. (Otherwise, if a possibly hostile machine on an "access" port can tag its outgoing traffic, it can send traffic anywhere it wants!)

I tried removing ether3 from VLAN 300 and that didn't even cause the incoming tagged VLAN300 traffic to be dropped. I have also tried setting
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether3
 
Azendale
newbie
Topic Author
Posts: 43
Joined: Thu Feb 06, 2014 8:49 pm

Re: CRS: Filter packets ingress to an "access" port that are tagged

Fri Aug 21, 2015 3:26 am

I did some further testing. Removing ether3 from VLAN 300 and putting the port under Switch > Settings > VLAN (tab) > "Drop If Invalid VLAN On Ports" (list) at the same time caused the traffic to get dropped.

With some further testing, I realized that this means if you set the "access" port under Switch > Settings > VLAN (tab) > "Drop If Invalid VLAN On Ports" (list), you are making it so a hostile host on that port can only transmit on its assigned VLAN: if it sends untagged, your ingress translation rule will re-write it to the correct VLAN. If it sends tagged traffic in the correct "sandbox" VLAN, it is already in the right VLAN, right where you want it. If it tries to send traffic tagged with the wrong VLAN (as determined by the port not being on the VLAN list at Switch > VLAN > VLAN (tab) entry for said VLAN), the traffic is dropped. (I tested this.)

So, TLDR: put all your switch ports (even trunk, as best I can tell) on the Switch > Settings > VLAN (tab) > "Drop If Invalid VLAN On Ports" list, and stuff will behave much more securely.
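The configuration below is an added example that applies the conclusion of the thread; it is not the poster's attached config. It assumes RouterOS v6 legacy switch-chip menus on a CRS1xx/2xx, with ether1 as the trunk carrying VLANs 200 and 300 and ether3 as the access port for VLAN 300, as described in the posts.

```routeros
# Added example, not the poster's configuration. Assumes RouterOS v6 on a
# CRS125 using the legacy /interface ethernet switch menus.
# ether1 = trunk (VLAN 200 and 300 tagged), ether3 = access port for VLAN 300.

/interface ethernet switch vlan
# Membership table: only the ports listed here may carry each VLAN.
# ether3 is deliberately absent from VLAN 200.
add vlan-id=200 ports=ether1 learn=yes
add vlan-id=300 ports=ether1,ether3 learn=yes

/interface ethernet switch ingress-vlan-translation
# Untagged frames (customer-vid=0) arriving on the access port are rewritten
# to VLAN 300. Frames the host tags itself are not touched by this rule.
add ports=ether3 customer-vid=0 new-customer-vid=300 sa-learning=yes

/interface ethernet switch egress-vlan-tag
# Frames leaving on the trunk keep their tag. ether3 is not listed here, so
# VLAN 300 leaves the access port untagged.
add tagged-ports=ether1 vlan-id=200
add tagged-ports=ether1 vlan-id=300

/interface ethernet switch
# The check the poster found to be the fix: a frame whose VLAN has no entry in
# the table, or whose ingress port is not a member of that VLAN, is dropped.
# Listed on every port, trunk included, so a host on ether3 that tags VLAN 200
# itself is dropped instead of being forwarded out ether1. A host on ether3
# tagging VLAN 300 is still accepted, which matches the "sandbox" case above.
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether3
```

The result can be checked with the same test the poster ran: tagged VLAN 300 pings from the ether3 host still reach ether1, while frames tagged with any other VLAN from ether3 never appear on the trunk.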
