
I need confirmation on a question regarding layer 2 security. I've been doing research and I just need to know that I understand it correctly.

Basically, if you have a LAN with a few machines connected to a switch, and those machines are broadcasting LLDP or ARP or something like that, is it true that those broadcasted packets will never escape the LAN (sans faulty software in the switch or machines and things of that nature)?

I know this is a basic question, but I haven't been able to find a direct answer to it and am hoping someone could just give a really brief one. Thanks!

Mark Henderson
Mediocre Gopher

2 Answers


Well, for the most part you are right. Under proper configuration/normal operation all layer two traffic should not be able to "escape" the VLAN where it is generated.

There are some scenarios (VLAN hopping and DTP negotiation come to mind) where the traffic can leak to other VLANs without going first through a layer 3 device (a.k.a. router).

With "VLAN hopping", if the native VLAN ID of a trunk is the same as the VLAN ID assigned to the switch port where the host that is generating the traffic is located, then he or she can double 802.1q-tag its traffic and then this traffic "appears" at the other end of a trunk on a VLAN different from where it originated.

This is the reason why a good operational procedure is to never use VLAN 1 for your access ports (by default the native VLAN of a trunk is 1). Another good operational procedure is to assign a unique native VLAN ID for trunks and then configure each and every trunk in your organization with this unique-trunk-only VLAN ID.

You may want to take a look at this article

jliendo
  • Where's all this talk about VLANs coming from? I'm fairly sure the OP is just talking about a standard LAN and a standard switch with no VLANs. (for the record, your answer is still correct though) – Mark Henderson Apr 01 '11 at 00:15
  • Well my reading of the question was that if OP is talking about traffic "escaping" out of the "LAN" (VLAN) then there has to be another "LAN" (VLAN) where the traffic is leaked to. So now having two VLANs my reasoning was to give a scenario where the traffic between two VLANs could leak, then trunking, 802.1q, double-tagging et al. And for the record there is no such thing as a switch with no VLAN, if we are talking of a switch there should be at least one VLAN (with ID 1). – jliendo Apr 01 '11 at 00:25
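An added example (not from the answer above or from the article it links) showing the defender's side of the double-tagging scenario: a small decoder for the 802.1Q tag stack of a raw Ethernet frame, plus a check that flags frames whose outer tag matches the trunk's native VLAN, which is exactly the condition the answer says makes the inner tag reappear on another VLAN. The frames, the native VLAN number and the function names are constructed for illustration; the 802.1Q tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is the standard one.

```python
"""Decode 802.1Q tags from raw Ethernet frames and flag double-tagged
frames that would ride a trunk's native VLAN (added example; all frames
below are constructed test fixtures, not captured traffic)."""
import struct

TPID_8021Q = 0x8100    # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8   # IEEE 802.1ad service tag (Q-in-Q); also a VLAN tag


def parse_vlan_stack(frame: bytes):
    """Return (vlan_ids, ethertype) for a raw Ethernet frame.

    vlan_ids lists the VLAN IDs outer-to-inner (empty for an untagged frame);
    ethertype is the payload type that follows the last tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                       # skip destination MAC (6) and source MAC (6)
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no EtherType after tags")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vlan_ids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        offset += 4                     # TPID (2) + TCI (2)


def is_vlan_hop_candidate(frame: bytes, native_vlan: int) -> bool:
    """True when the frame carries two or more tags and its outer tag equals
    the trunk's native VLAN.  A switch sends native-VLAN frames untagged on a
    trunk, so it strips that outer tag and the inner tag is what the far end
    honours; this is why the answer recommends a dedicated native VLAN that
    no access port uses."""
    vlan_ids, _ = parse_vlan_stack(frame)
    return len(vlan_ids) >= 2 and vlan_ids[0] == native_vlan


def audit_frames(frames, native_vlan: int):
    """Return the indices of frames that match the double-tag condition."""
    return [i for i, f in enumerate(frames) if is_vlan_hop_candidate(f, native_vlan)]


# Constructed fixtures: an ARP request (28-byte body) behind different tag stacks.
_ETH_HDR = "ffffffffffff" "020000000001"          # broadcast dst, locally-administered src
_ARP = ("0001" "0800" "06" "04" "0001"               # Ethernet/IPv4, request
        "020000000001" "0a000001"                    # sender MAC / IP 10.0.0.1
        "000000000000" "0a000002")                   # target MAC / IP 10.0.0.2
UNTAGGED_ARP = bytes.fromhex(_ETH_HDR + "0806" + _ARP)
SINGLE_TAGGED_ARP = bytes.fromhex(_ETH_HDR + "8100000a" + "0806" + _ARP)             # VLAN 10
DOUBLE_TAGGED_ARP = bytes.fromhex(_ETH_HDR + "81000001" + "81000014" + "0806" + _ARP)  # VLAN 1 over VLAN 20

if __name__ == "__main__":
    samples = [UNTAGGED_ARP, SINGLE_TAGGED_ARP, DOUBLE_TAGGED_ARP]
    for f in samples:
        print(parse_vlan_stack(f))
    print("flagged with native VLAN 1:", audit_frames(samples, native_vlan=1))
    print("flagged with native VLAN 999:", audit_frames(samples, native_vlan=999))
```

Run against frames read from a capture on the trunk side, the check only fires when the outer tag equals the configured native VLAN; moving trunks to a unique native VLAN that no access port belongs to (the answer's second recommendation) makes the condition unreachable for traffic entering on an access port.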

Agreed, with a secure configuration and no software on the hosts relaying such traffic, broadcast traffic should be confined within a VLAN on a switched network.

Another good reference on layer 2 security issues and mitigation techniques:

SAFE Layer 2 Security In-Depth (Cisco White Paper)

chuckx