Ethernet Switching

VLAN hopping

10-12-2018 11:31 AM

Hi all, I have a weird issue.
I have an EX3400 where I have set up an access port to be a member of VLAN 25 only, without enabling voice VLAN. Behind this access port I have another L2 switch where I have my PC and desk phone on the same VLAN.
If I log in on this L2 switch (not Juniper) and I tag the port where the desk phone is plugged in with a specific VLAN (not VLAN 25), packets pass through.
How can I prevent this from happening?

By default, when a packet arrives at the L2 port of the Juniper switch, it will add the VLAN tag (25).
Then the VLAN tag will be stripped and the original VLAN tag (from the other L2 switch) will be revealed, so in the end the packet will arrive at the other VLAN of the switch, passing through the L3 engine.

This should not happen when a port is set up as an access port, not a trunk, and the voice VLAN is not interfering.
On this specific model, as far as I know, IP source guard is not supported.


Thank you for your time. 


Re: VLAN hopping

10-12-2018 12:08 PM

What you are saying is that for the EX3400 (or maybe all ELS-based EX switches), when an interface is set to port mode = access, it passes untagged packets for the specified VLAN #, but also tagged packets (for the tagged VLAN member #)? Per the doc below, this should NOT happen, unless port-mode is set to tagged-access:


https://www.juniper.net/documentation/en_US/junos/topics/concept/vlans-qfx-series-understanding.html... (even though URL says QFX, applies to ELS EX as well and some non-ELS EX also!)


I thought there might be some knob to config an "except" field under tagged-access but I could not find a doc for this.  Maybe someone else knows.


My only suggestion is to create a TAC case and have them assist, using the above link as background.


HTH and Good Luck


Re: VLAN hopping

10-12-2018 12:54 PM

Thank you very much for the document, for sure I will use it 🙂
I will open a support case this week with the authorized partner we got the switches from.
The issue here is that there is double VLAN tagging, one from the original switch (not the Juniper) and one from the Juniper switch (it's its job to do this). So when the packet arrives at the other subnet where its final destination is, and the VLAN tag of the Juniper switch is removed (default behavior), the original tag still remains. This means that the response will go back to a wrong VLAN, and this means it can bypass the L3 engine of the switch.
Since IP source guard (best solution ever) is not supported, I cannot prevent this unless I apply VLAN access lists, which is much more complicated.
The point is that this should not happen at all...


Re: VLAN hopping

10-13-2018 04:21 AM

Hello,

@nikostsironis wrote:

Since ip source guard ( best solution ever ) is not supported

IP Src guard for EX3400 is supported from JUNOS 18.2R1.

@nikostsironis wrote:

then I can not prevent this unless I apply vlan access lists which is much complicated.

Well, I'll go out on a limb and claim it is not complicated at all. All You need is to drop Ethernet frames whose Ethertype is either 0x8100, 0x88a8, 0x9100, or 0x9200 (to cover all possible single/dual tagging TPIDs) and allow legit IPv4, IPv6, ARP, LLDP-MED, STP (would You want to block the edge port when a BPDU is received? If yes, then You have to allow STP), etc.

Example port filter is:


[edit interfaces ge-0/0/0 unit 0 family ethernet-switching]
+       filter {
+           input f1;
+       }
[edit]
+  firewall {
+      family ethernet-switching {
+          filter f1 {
+              term drop-taggged {
+                  from {
+                      ether-type [ 0x8100 0x88a8 0x9100 0x9200 ];
+                  }
+                  then {
+                      discard;
+                      count taggeds;
+                  }
+              }
+              term else {
+                  then accept;
+              }
+          }
+      }
+  }
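Review bot: the term name `drop-taggged` under `filter f1` has a typo (three g's); term names show up in `show firewall` counter output, so rename it `drop-tagged` before rolling this out via interface-range or a configuration group. Keep the `count taggeds` action as written: a counter that climbs on an access port is the operational signal that a device behind that port is sending 802.1Q/QinQ-tagged frames, which is exactly the condition this thread is trying to catch, and the `term else` accept is what keeps untagged IPv4/IPv6/ARP/STP traffic flowing. Also note the filter is bound only to `ge-0/0/0 unit 0` here; every other access port that may have a downstream switch needs the same `input f1` binding.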

Of course, You can apply this filter via interface-range or configuration-group to ease the provisioning burden.

HTH

Thx
Alex

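As an added illustration, not code from this thread or from Juniper: the decision Alex's f1 filter makes, reproduced in Python over constructed sample frames. parse_frame walks the 802.1Q/QinQ tag stack so the double tag the thread describes is visible, access_port_filter applies the same TPID rule as the drop-tagged term, and audit plays the role of the "count taggeds" counter; MAC addresses and payloads are placeholders.

```python
import struct

# TPIDs the thread's filter discards: 802.1Q, 802.1ad (QinQ) and two legacy QinQ values.
TAG_TPIDS = {0x8100, 0x88A8, 0x9100, 0x9200}

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, its VLAN tag stack (outer first) and payload ethertype."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, offset, tags = frame[:6], frame[6:12], 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated ethertype")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TAG_TPIDS:
            return {"dst": dst, "src": src, "tags": tags,
                    "ethertype": ethertype, "payload": frame[offset + 2:]}
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        offset += 4  # step over this tag and look for another one (QinQ)

def access_port_filter(frame: bytes) -> str:
    """Same verdict as term drop-tagged / term else: any tagged frame is discarded."""
    return "discard" if parse_frame(frame)["tags"] else "accept"

def audit(frames) -> dict:
    """Count verdicts; a non-zero discard count is the 'count taggeds' signal on an access port."""
    verdicts = {"accept": 0, "discard": 0}
    for frame in frames:
        verdicts[access_port_filter(frame)] += 1
    return verdicts

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Assemble a frame; tags is a sequence of (tpid, vid) from outer to inner."""
    header = dst + src
    for tpid, vid in tags:
        header += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP/DEI left at zero
    return header + struct.pack("!H", ethertype) + payload

# Constructed sample frames (placeholder MACs and payloads, not captured data).
PC, PHONE, BCAST = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", b"\xff" * 6
UNTAGGED_ARP = build_frame(BCAST, PC, 0x0806, b"\x00" * 28)
TAGGED_IP = build_frame(PHONE, PC, 0x0800, b"\x45" + b"\x00" * 19, tags=[(0x8100, 30)])
DOUBLE_TAGGED = build_frame(PHONE, PC, 0x0800, b"\x45" + b"\x00" * 19, tags=[(0x8100, 25), (0x8100, 30)])
```

Running audit over the three samples gives one accept (the untagged ARP) and two discards, which is what the counter on the real filter would show if the downstream switch started tagging the phone port.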