
LLDP Spoofing?


We are looking at rolling out AAA authentication on our network. We use Aruba MAS switches and Aruba APs with Avaya IP phones. I was looking at setting up override conditions on the AAA Profile for the phones and APs to get diverted to a corporate access vlan and skip CPPM role assignment. For the APs I was planning to use a device-group ap profile to override the interface-group AAA profile. Similar to this:


device-group ap
  switching-profile "AP"


For the phones I was looking at setting a derivation rule on the AAA profile similar to this:


aaa derivation-rules user test
  set vlan condition device-type equals "phone" set-value XXX


My question is how secure is this setup? Can the proprietary LLDP TLVs be spoofed easily so that a hacker PC could mimic a phone or AP and get diverted straight into a corporate access vlan bypassing the rest of the AAA profile role assignment conditions?




Re: LLDP Spoofing?

LLDP can be easily spoofed (as can CDP). Tools to do so, like VoipHopper (CDP) and LLDP Generator (LLDP) are publicly available.


Example with LLDP Generator:

./ -p lldp -tlv sys-name "FakePhone" -tlv sys-desc "See, I can spoof LLDP" -tlv chid -ipv4 ""

Will show on your switch like:

HPE-Aruba-Lab3810# show lldp info remote-device 4

 LLDP Remote Device Information Detail

  Local Port   : 4
  ChassisType  : network-address     
  ChassisId    :             
  PortType     : mac-address                            PortId       : 30 85 a9 aa aa aa                      SysName      : FakePhone                       
  System Descr : See, I can spoof LLDP                  PortDescr    :                                        Pvid         :                          
  System Capabilities Supported  : 
  System Capabilities Enabled    : 
  Remote Management Address

I did not take the time to spoof the system capabilities, but that should not be that hard to fake your Avaya phone. So it is okay to use LLDP as a convenience feature, probably not to use it as a security feature as there is no protection whatsoever in the protocol.


The more secure solution would be to really authenticate the phone with 802.1X; the required security level depends on what is acceptable in your environment and on the outcome of the security assessment.
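One defender-side use of the switch output above: since none of it is authenticated, an audit over `show lldp info remote-device` detail output can at least surface neighbours whose "I am a phone" claim is internally inconsistent (no telephone capability, unexpected MAC OUI, empty chassis ID) so they can be alerted on. This is an added example in Python, not code from the thread or from Aruba; the OUI allow-list, the port-5 entry and all sample values are constructed placeholders.

```python
import re

# Placeholder allow-list (constructed): fill in the OUIs your phone vendor
# really uses, from the IEEE registry or your own inventory.
EXPECTED_PHONE_OUIS = {"00:11:22"}

# Constructed sample: the spoofed entry from the thread (port 4) next to a
# made-up entry shaped like a real phone (port 5).
SAMPLE_OUTPUT = """\
  Local Port   : 4
  ChassisType  : network-address
  ChassisId    :
  PortType     : mac-address              PortId       : 30 85 a9 aa aa aa    SysName      : FakePhone
  System Descr : See, I can spoof LLDP    PortDescr    :                      Pvid         :
  System Capabilities Enabled    :
  Local Port   : 5
  ChassisType  : network-address
  ChassisId    : 10.0.0.5
  PortType     : mac-address              PortId       : 00 11 22 33 44 55    SysName      : phone-1234
  System Descr : IP phone (constructed)   PortDescr    : LAN port             Pvid         : 1
  System Capabilities Enabled    : bridge, telephone
"""
_KEY = r"[A-Za-z]+(?: [A-Za-z]+)*\s*:"

def parse_lldp_detail(text: str) -> list[dict[str, str]]:
    """Parse the detail output into one dict per neighbour; three-cell lines
    are split at runs of 2+ spaces that precede another 'Key :' cell."""
    neighbours: list[dict[str, str]] = []
    for line in (l.strip() for l in text.splitlines() if ":" in l):
        for cell in re.split(r"\s{2,}(?=" + _KEY + ")", line):
            key, _, value = cell.partition(":")
            if key.strip() == "Local Port":  # first field of every neighbour block
                neighbours.append({})
            neighbours[-1][key.strip()] = value.strip()
    return neighbours

def phone_claim_findings(nb: dict[str, str]) -> list[str]:
    """Consistency checks for a neighbour a 'device-type equals phone' rule let in.
    Every field is attacker-supplied, so this is alerting input, not authentication."""
    findings = []
    if "telephone" not in nb.get("System Capabilities Enabled", "").lower():
        findings.append("no 'telephone' capability enabled")
    mac = nb.get("PortId", "").lower().split()  # switch prints the MAC as hex pairs
    oui = ":".join(mac[:3]) if nb.get("PortType") == "mac-address" and len(mac) == 6 else "?"
    if oui not in EXPECTED_PHONE_OUIS:
        findings.append(f"port MAC OUI {oui} is not an expected phone OUI")
    if not nb.get("ChassisId"):
        findings.append("empty ChassisId")
    return findings
```

Run `phone_claim_findings` over each neighbour on ports where the phone derivation rule applies; the FakePhone entry yields three findings, the constructed phone none.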

