An Example of a Security Exploit Due to the Native VLAN

January 18, 2018 at 8:24 pm

Native VLAN

In many of our Cisco courses, we learn that networking best practice is to avoid putting user traffic on the native VLAN. But why is this?

The reason is that carrying one VLAN untagged across your 802.1Q trunk links creates a real security weakness. The best-known example is the double-tagging form of the VLAN hopping attack.

Here is how this attack works:

Step 1: An attacker at a customer site wants to send frames into a VLAN that they are not a member of.

Step 2: The attacker double tags the frame (Q-in-Q). The outer tag matches the native VLAN of the trunk on the provider edge switch, which is also the VLAN of the access port the attacker is connected to; the inner tag carries the target VLAN.

Step 3: The provider edge switch removes the outer tag because it matches the native VLAN, and since native VLAN traffic is sent untagged on the trunk, it forwards the frame across the trunk with only the inner tag still on it.

Step 4: The next switch in the path reads the remaining (inner) tag as the frame's VLAN and forwards the frame into the target VLAN.

Notice that this attack is unidirectional: the attacker can inject frames into the target VLAN, but nothing on the return path re-applies the double tag, so replies never come back. Even so, this is obviously not something we want taking place.

What are the possible solutions?

  • Use ISL trunks in the cloud. ISL encapsulates every frame, native VLAN included, so there is no untagged VLAN to abuse; this becomes less and less possible as ISL trunks fade away.
  • Use a native VLAN that is outside the range permitted for the customer, so that no customer access port can ever sit in the native VLAN (on Cisco IOS, switchport trunk native vlan 999 on the trunk, with 999 assigned to no access port).
  • Tag the native VLAN in the cloud (on Cisco IOS, the global command vlan dot1q tag native), so the outer tag is never stripped and the inner tag never becomes the frame's VLAN.
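
The four steps and the three mitigations above, as an added worked example that is not part of the original post: a small Python simulation of what each switch does to the frame. The frame layout is real (12 bytes of MAC addresses, then stacked 4-byte 802.1Q tags with TPID 0x8100). The switch behaviour is a model of the description above and of the usual Cisco access-port rule that a frame tagged with the port's own access VLAN is accepted; the MAC addresses and VLAN numbers are constructed.

```python
import struct

TPID_8021Q = 0x8100        # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the sample frames
DST_BROADCAST = b"\xff" * 6
SRC_ATTACKER = b"\x02\x00\x00\x00\x00\x01"


def build_frame(dst, src, vids, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """Ethernet II frame with zero or more stacked 802.1Q tags (outermost first)."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def strip_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame, access_vlan):
    """Switch 1 receives on an access port: an untagged frame belongs to the
    access VLAN, a frame tagged with the access VLAN is accepted and the tag
    removed, any other tag is dropped. Returns (vlan, frame) or None."""
    vid = outer_vid(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, strip_tag(frame)
    return None


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Switch 1 forwards out an 802.1Q trunk: native VLAN frames go untagged
    unless native tagging is on (vlan dot1q tag native); all others get a tag."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2 classifies a frame from its trunk by the first tag it sees;
    an untagged frame is assigned to the native VLAN."""
    vid = outer_vid(frame)
    return native_vlan if vid is None else vid


def simulate(attacker_vlan, tags, native_vlan, tag_native=False):
    """VLAN in which switch 2 forwards the attacker's frame, or None if dropped."""
    frame = build_frame(DST_BROADCAST, SRC_ATTACKER, tags)
    accepted = access_ingress(frame, attacker_vlan)
    if accepted is None:
        return None
    vlan, frame = accepted
    on_the_wire = trunk_egress(vlan, frame, native_vlan, tag_native)
    return trunk_ingress(on_the_wire, native_vlan)


if __name__ == "__main__":
    # Attacker on an access port in VLAN 1, trunk native VLAN 1, target VLAN 20
    print("untagged native, outer=1 inner=20 ->", simulate(1, [1, 20], 1))          # 20: hop succeeds
    print("native tagged, outer=1 inner=20   ->", simulate(1, [1, 20], 1, True))    # 1: stays in VLAN 1
    print("native 999, outer=1 inner=20      ->", simulate(1, [1, 20], 999))        # 1: stays in VLAN 1
    print("native 999, outer=999 inner=20    ->", simulate(1, [999, 20], 999))      # None: dropped at access port
```

The first run reproduces Steps 2 to 4: the outer tag 1 is removed, the trunk carries the frame untagged, and the downstream switch reads tag 20. The remaining runs are the second and third mitigations from the list: with the native VLAN tagged, the outer tag survives and the frame stays in VLAN 1; with a native VLAN the attacker cannot be a member of, the frame either gets a proper tag for VLAN 1 or is dropped at the access port.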


IPv6 Quiz – Cisco Bias

January 16, 2018 at 7:49 pm


This latest quiz is focused on IPv6 with a bias to Cisco Systems. These questions are what one could expect on a CCNP or CCIE exam across various tracks. Enjoy!


Rapid Spanning Tree Protocol (RSTP) 802.1w

December 29, 2017 at 8:10 am


Whether you are pursuing your CCNA, CCNP, CCIE, or many other Cisco Certifications, a deep knowledge of RSTP is critical. In this post, we will detail key facts for you regarding this Layer 2 loop prevention system.

  • 802.1w (RSTP) is an evolution of the classic 802.1D (STP) protocol
  • Cisco tried to speed up 802.1D with the proprietary additions UplinkFast, BackboneFast, and PortFast; UplinkFast and BackboneFast behavior is now built into RSTP, while PortFast is still a feature you enable per port in RSTP if desired
  • 802.1w can also revert back to 802.1D in order to interoperate with legacy bridges on a per-port basis
  • With 802.1D, once in the forwarding state, there is no way to tell from the port state whether the port is root or designated; RSTP decouples the role and the state of a port to address this issue
  • The 802.1D port states are Disabled, Blocking, Listening, Learning, Forwarding; in 802.1w these are simplified to Discarding, Learning, Forwarding
  • The port roles are expanded in 802.1w to include Backup and Alternate ports in addition to Root and Designated; these new port roles help implement the features of UplinkFast into the protocol natively
  • A Backup port is a blocked port that receives more useful BPDUs from the same bridge it is on (typically through a shared segment or hub)
  • An Alternate port is a blocked port that receives more useful BPDUs from another bridge; it is the ready-made replacement for the Root port
  • 802.1D used only two bits of the flag byte (Topology Change and Topology Change Acknowledgment); RSTP now uses the six remaining bits to encode the role and state of the port that originates the BPDU and to carry the proposal/agreement mechanism
  • The RSTP BPDU is now type 2, version 2; legacy 802.1D bridges do not understand it and drop it, while an 802.1w bridge that keeps receiving version 0 BPDUs on a port knows a legacy bridge is connected there and falls back on that port
  • BPDUs are sent every hello time by every bridge, and are no longer simply relayed from the root
  • BPDUs are now used as a keep-alive mechanism between bridges; a bridge considers that it has lost connectivity to its direct neighbor root or designated bridge if it misses three BPDUs in a row; this fast aging of the information allows quick failure detection
  • To natively support the BackboneFast type behavior, RSTP accepts inferior BPDUs; when a bridge receives inferior information from its designated or root bridge, it immediately accepts it and replaces the one previously stored; this permits fast acceptance of a new Root port in the topology
  • Rapid transition is the most important feature introduced by 802.1w; RSTP is able to actively confirm that a port can safely transition to the forwarding state without having to rely on any timer configuration; in order to achieve fast convergence on a port, the protocol relies upon two new variables: edge ports and link type
  • RSTP can only achieve a rapid transition to the forwarding state on edge ports and on point-to-point links; the link type is automatically derived from the duplex mode of a port
  • A proposal/agreement handshake on point-to-point links lets RSTP move a port to forwarding in very fast convergence, once the downstream bridge confirms it has blocked its other non-edge ports
  • The topology change notification process is overhauled in order to also aid in faster convergence and improve efficiency
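
The BPDU format and flag-byte encoding summarized in the list above, as an added example that is not from the original post or from the Cisco document: a Python encoder and parser for the 802.1w RST BPDU header. The field layout, the type/version values and the flag bit positions follow 802.1w; the bridge IDs, port ID and timers in the sample are constructed.

```python
import struct

# BPDU "type" field values
BPDU_TYPE_CONFIG = 0x00   # 802.1D configuration BPDU, protocol version 0, 35 bytes
BPDU_TYPE_TCN = 0x80      # 802.1D topology change notification, version 0
BPDU_TYPE_RST = 0x02      # 802.1w RST BPDU, protocol version 2, 36 bytes

PORT_ROLES = {0: "Unknown", 1: "Alternate/Backup", 2: "Root", 3: "Designated"}
ROLE_CODES = {name: code for code, name in PORT_ROLES.items()}


def encode_flags(role, learning=False, forwarding=False, proposal=False,
                 agreement=False, tc=False, tca=False):
    """Pack the RST BPDU flag byte. 802.1D used only bit 0 (TC) and bit 7
    (TCA); 802.1w assigns the six bits in between to the port role and state
    of the sender and to the proposal/agreement handshake."""
    flags = ROLE_CODES[role] << 2
    flags |= 0x01 if tc else 0
    flags |= 0x02 if proposal else 0
    flags |= 0x10 if learning else 0
    flags |= 0x20 if forwarding else 0
    flags |= 0x40 if agreement else 0
    flags |= 0x80 if tca else 0
    return flags


def decode_flags(flags):
    """Unpack the flag byte into the role, the three 802.1w port states and
    the handshake/topology-change bits."""
    learning = bool(flags & 0x10)
    forwarding = bool(flags & 0x20)
    return {
        "port_role": PORT_ROLES[(flags >> 2) & 0x03],
        "port_state": "Forwarding" if forwarding else ("Learning" if learning else "Discarding"),
        "proposal": bool(flags & 0x02),
        "agreement": bool(flags & 0x40),
        "topology_change": bool(flags & 0x01),
        "topology_change_ack": bool(flags & 0x80),
    }


def build_rst_bpdu(flags, root_id, root_cost, bridge_id, port_id,
                   msg_age=0, max_age=20, hello=2, fwd_delay=15):
    """Constructed 36-byte RST BPDU: protocol ID 0, version 2, type 2.
    Timers travel in 1/256-second units; the last byte is Version 1 Length,
    always 0 in an RST BPDU."""
    return struct.pack("!HBBBQIQHHHHHB", 0, 2, BPDU_TYPE_RST, flags,
                       root_id, root_cost, bridge_id, port_id,
                       msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256, 0)


def build_config_bpdu(flags, root_id, root_cost, bridge_id, port_id,
                      msg_age=0, max_age=20, hello=2, fwd_delay=15):
    """Constructed 35-byte legacy 802.1D configuration BPDU (version 0, type 0)."""
    return struct.pack("!HBBBQIQHHHHH", 0, 0, BPDU_TYPE_CONFIG, flags,
                       root_id, root_cost, bridge_id, port_id,
                       msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)


def parse_bpdu(data, legacy_bridge=False):
    """Parse the fixed BPDU header. Returns None when the receiving bridge
    must drop the BPDU: a legacy 802.1D bridge does not understand version 2 /
    type 2. An RSTP bridge that receives a version 0 BPDU learns it has a
    legacy neighbor on that port (legacy_neighbor=True)."""
    if len(data) < 4:
        return None
    proto, version, btype = struct.unpack_from("!HBB", data, 0)
    if proto != 0:
        return None
    if btype == BPDU_TYPE_RST:
        if legacy_bridge or len(data) < 36:
            return None
        flags, root_id, cost, bridge_id, port_id = struct.unpack_from("!BQIQH", data, 4)
        info = decode_flags(flags)
        info.update(kind="RST", version=version, root_id=root_id, root_path_cost=cost,
                    bridge_id=bridge_id, port_id=port_id, legacy_neighbor=False)
        return info
    if btype == BPDU_TYPE_TCN:
        return {"kind": "TCN", "version": version, "legacy_neighbor": True}
    if btype == BPDU_TYPE_CONFIG and len(data) >= 35:
        flags, root_id, cost, bridge_id, port_id = struct.unpack_from("!BQIQH", data, 4)
        return {"kind": "Config", "version": version, "root_id": root_id,
                "root_path_cost": cost, "bridge_id": bridge_id, "port_id": port_id,
                "topology_change": bool(flags & 0x01),
                "topology_change_ack": bool(flags & 0x80), "legacy_neighbor": True}
    return None


if __name__ == "__main__":
    # Constructed sample: a designated port on the root bridge proposing to a neighbor
    bid = 0x8000_0011_2233_4455              # priority 32768, MAC 00:11:22:33:44:55
    rst = build_rst_bpdu(encode_flags("Designated", forwarding=True, proposal=True), bid, 0, bid, 0x8001)
    print("RSTP bridge sees:", parse_bpdu(rst))
    print("Legacy bridge sees:", parse_bpdu(rst, legacy_bridge=True))
    print("RSTP bridge sees legacy BPDU:", parse_bpdu(build_config_bpdu(0, bid, 0, bid, 0x8001)))
```

The same flag byte carries both halves of the handshake: the designated port sends with the proposal bit set, and the downstream bridge answers with its Root role and the agreement bit set once its other non-edge ports are discarding, which is what lets the proposing port go to forwarding without waiting on timers.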

For more details on the features summarized here, see the Cisco document Understanding Rapid Spanning Tree Protocol (802.1w). That document often forms the basis for plenty of RSTP-related written exam questions from CCENT to CCIE; note that my summary here covers most of those points for you, however!