Controllerless Networks

last person joined: 4 hours ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

Aruba Instant - Is VLAN hopping possible and other layer 2 security risks

  • 1.  Aruba Instant - Is VLAN hopping possible and other layer 2 security risks

    Posted Aug 05, 2020 01:38 AM

    Hey All,

     

    Just looking to understand a concept for an Instant AP setup around layer 2 security or VLAN hopping.

     

    Requirement is a corporate WLAN and a guest WLAN, no multizone controller etc to tunnel traffic. So both services will terminate onto the edge switch into VLANs.

     

    The Instant AP connects to the switch, the ports configured as a trunk, allowing the corporate VLAN, guest VLAN and the native VLAN is for AP management.

     

    There are two options with VLAN hopping, default ports on Cisco for instance that allow DTP to establish a trunk link... but that's if you connect a device to the wired port... The other is to do VLAN tagging like QinQ using the native VLAN then the switch strips off the native VLAN and you left with the tagged traffic... again if you plug a device into a switch.

     

    I suppose my question, is VLAN hopping a concern for Wireless, I don't think the access point will accept tagged packets from Wireless Clients and I'm not finding much around VLAN hopping on wireless when searching? Also are there any other layer two attacks that could be a concern for this setup or a valid reason to tunnel guest traffic to a DMZ? Layer 3 can be resolved with the built in firewalls as well as the campus firewall.

     

     

    Thanks very much in advance

     



  • 2.  RE: Aruba Instant - Is VLAN hopping possible and other layer 2 security risks

    Posted 19 days ago
    I haven't heard of any risk of VLAN hopping from wireless clients. I personally have not tried injecting 802.1Q data into a wireless frame however so couldn't ever say for sure - I guess this has been tested somewhere along the way.

    You're right in saying that using the ACLs and firewalling capability within the Access Point can prevent guest users pushing traffic into the corporate network.

    I always put a little thought into what broadcast or multicast may leak if clients are on the same SSID. Typically you would keep guests and corporate on different SSIDs however. I raise this because the group keying used for broadcast type frames is generally the same for all clients on the same BSSID, even if they are on different VLANs. So where clients may not see broadcasts across VLANs in the wired context, they could in the Wi-Fi context.


  • 3.  RE: Aruba Instant - Is VLAN hopping possible and other layer 2 security risks

    Posted 18 days ago
    There are a lot of myths about VLAN hopping in the past. This is only a concern when you have switch to switch interlink connections where you use  tagged VLANS and an untagged VLAN, AND use the untagged VLAN for client traffic. VLAN hopping is a one way behavior when the outer vlan is removed.

    For that reasons we only use tagged vlans on interconnect links between switches, where one "dummy" vlan could be untagged and unused for clients and only is used for switch management traffic like STP/LLDP.

    Your access point is an endpoint devices where the untagged vlan is only used for management traffic. The tagged vlans are uses to transfer client traffic.

    Conclusion is that you don't have to concern "vlan hopping" with access points. It only exist when use untagged vlans on switch<>switch connections.

    The best information i can find about vlan hopping is an old Cisco document, but explain its well in detail.
    Google "what hackers know about your switches", first hit ;).

    ------------------------------
    marcel koedijk
    ------------------------------