Discard ingress tagged traffic on the T1500G-8T V2 switch

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-04-26 01:48:07 - last edited 2020-04-26 01:49:54
Hardware Version: V2
Firmware Version: 2.0.5 Build 20200109

I have a T1500G-8T V2 switch, using firmware 2.0.5 Build 20200109.


I define 3 VLANs as follows:

  • VLAN 1 = System = All ports untagged
  • VLAN 2 = Only LAN = Ports 2-6 untagged
  • VLAN 3 = Only Internet = Ports 1, 7-8 untagged

 

Then I configure the PVID like this:

  • PVID (from port 1 to 8) = 1, 1, 1, 1, 2, 2, 3, 3


All ports are configured to Ingress Checking = Enabled, and Acceptable Frame Types = Admit All.


I connect devices which should access both the Internet and other LAN devices to ports 1-4, including my router that is connected to port 1. This works because all ports are members of VLAN 1, so anything connected to ports 1-4 gets a PVID of 1, and it can reach any other port.


I connect devices which should access only other LAN devices (but NOT the Internet) to ports 5 or 6. This works because devices connected to these ports get a PVID of 2, so they can only talk to any other member of VLAN 2, but my router is connected to port 1 which is not a member of VLAN 2, so it is not reachable by ports 5 and 6.


I connect devices which should access only the Internet (but NOT other LAN devices) to ports 7 and 8. This works because devices connected to these ports get a PVID of 3, so they can only talk to any other member of VLAN 3, including my router which is connected to port 1. The rest of LAN devices are not members of VLAN 3, so these two ports cannot talk to them.


Let's say a device is connected to port 2, so it shouldn't reach the Internet. However, if this device tags (by itself) its outgoing traffic with VLAN 1, this traffic will ingress the switch with VLAN 1 (because, as I said at the beginning, all ports are configured to Acceptable Frame Types = Admit All), so it will be able to talk to any other port, including port 1.

 

Similarly, if a device is connected to port 7 it shouldn't reach the devices connected to ports 2-6. However, if this device tags (by itself) its outgoing traffic with VLAN 1, it will be able to talk to any other device on the LAN.

 

As you can guess, this behavior defeats VLAN isolation because any device can make itself a member of VLAN 1 just by tagging its outgoing traffic, so the security of my LAN gets compromised.


I've tried to remove ports 5-8 from VLAN 1, but then everything gets ruined because devices connected to ports 1-4 cannot see devices connected to port 5-8, so VLAN 2 members cannot talk to LAN devices connected to ports 2-4 (and vice versa), and VLAN 3 devices cannot talk to the router.

 

If I could configure the switch to accept only untagged traffic in some ports, those ports would be protected from this kind of attack, because the port would discard any rogue tagged traffic automatically, but I cannot find how to do it on my TP-Link switch.

 

Does anybody know how I can configure the switch to make a port accept only untagged traffic, so a rogue device cannot spoof the VLAN?

 

Thank you.

 

Best regards.

#1
Re:Discard ingress tagged traffic on the T1500G-8T V2 switch
2020-04-26 07:05:05

@Jorge87 

 

It seems that there is no specific function to block tagged packets. If you are afraid of the attack, you may try to use IP-MAC binding to protect your network. Add the IP and MAC of your own clients to the list, then choose a protect type like ARP protect or IP source guard. Then other IPs or MACs cannot access your network.

#2
Re:Discard ingress tagged traffic on the T1500G-8T V2 switch
2020-04-26 11:04:56 - last edited 2020-04-26 11:43:25

 

Jorge87 wrote

Does anybody know how can I configure the switch to make a port to accept only untagged traffic, so a rogue device cannot spoof the VLAN?

 

Yes. Assign each »Access Port« to only one VLAN.

 

However, this requires terminating the VLANs in the router, not in the switch, meaning you need to define at least two different local networks.

 

 

I define 3 VLANs as follows:

  • VLAN 1 = System = All ports untagged
  • VLAN 2 = Only LAN = Ports 2-6 untagged
  • VLAN 3 = Only Internet = Ports 1, 7-8 untagged

 

Then I configure the PVID like this:

  • PVID (from port 1 to 8) = 1, 1, 1, 1, 2, 2, 3, 3

 

You are using VLANs 2 and 3 just for port isolation controlled by the Port VLAN ID.

Ports 7-8 form an asymmetric VLAN. Traffic to the router uses VLAN 3, replies use VLAN 1.

 

Note that you actually have 2 LANs: VLAN 1 (»System«) is LAN for ports 2-4, VLAN 2 is also LAN for ports 5-6 (both according to their PVIDs).

Traffic from ports 5-6 will not only not reach the Internet, but also not reach ports 2-4 despite the »Only LAN« classification. Is this intended?

 

Anyway, ports are not truly isolated, since broadcasts from router still go to all ports over VLAN 1.

 

The need to have ports in more than one VLAN (VLAN 1 and VLAN 2 or 3 for ports 5-8) means they are no longer true »Access Ports«.

THIS is what allows clients to fake a VLAN ID.

 

The correct setup for the topology you have in mind is a VLAN with a »one-armed router«:

  • Define a second local network, e.g. »GUEST«.
  • Define the VLAN tags in the router (here we terminate all VLANs).
  • Use a Trunk port on the router and switch to connect them: Port 1 is a tagged member of VLANs 2 and 3 only.
    »Acceptable Frame Types« is »Tagged only«. PVID is irrelevant, set to 2.
  • Assign ports 2-4 as untagged members of VLAN 2, PVID=2, and remove them from VLAN 1. That's your LAN network, say 192.168.1.0/24.
  • Assign ports 5-6 as untagged members of VLAN 1, PVID=1. That's your DROP network, say 172.16.0.0/24.
  • Set clients on ports 5 and 6 to static IPs, e.g. from the 172.16.0.0/24 network.
  • Assign ports 7-8 as untagged members of VLAN 3, PVID=3, and remove them from VLAN 1. That's your GUEST network, say 192.168.2.0/24.
  • Create a forwarding rule from the GUEST network (resp. its firewall zone) to the WAN (Internet).
  • Allow clients in the GUEST network to access the router only for DNS (port 53) and DHCP (port 67) services, deny all other.
  • Create a forwarding rule from the LAN to the GUEST network to connect to devices in the GUEST network from within the LAN.

 

Now you have a properly set up VLAN:

  • the »Access Ports« are only untagged members of the VLAN they belong to,
  • »Ingress Checking« ensures that invalid frames (wrong VLAN tags) are dropped,
  • the »Trunk Port« drops all untagged frames on ingress,
  • every VLAN carries traffic from a real isolated network,
  • isolation of router services is defined on the router, where it belongs,
  • broadcasts from the router are not sent to all devices anymore.

 

If you want to use DHCP on ports 5-6, create another network for it, say »LAN2«, on the router.

 

I also recommend using the »System« VLAN 1 either tagged-only on Access and Trunk ports (in other words: as a regular VLAN no different from any other) or as a kind of untagged »dead-end« VLAN for unused/unassigned ports. Using it for the DROP network above treats VLAN 1 as a regular VLAN; it could also have VLAN ID 10 or 50 or whatever.

 

I see no other solution with the T1500G.

 

With T1600G there might be an alternative with the »Port Isolation« function rather than using VLANs.

 

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#4
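To make the two configurations in this thread concrete, here is an added example (not code from the forum, from TP-Link, or from the switch firmware) that models 802.1Q ingress classification and forwarding for a port-based VLAN switch and runs both layouts through it: the opening post's configuration, where every port is an untagged member of VLAN 1 plus one of VLAN 2/3, and the access-port layout from the reply above, where each client port belongs to exactly one VLAN and port 1 is a tagged-only trunk. The frame builder shows what "tagging by itself" looks like on the wire (a 4-byte 802.1Q tag after the source MAC). Port numbers, MAC addresses and the sample frames are constructed for the example; the rogue host is placed on port 5, whose PVID is 2, and the model assumes flooding to all VLAN members rather than MAC learning.

```python
"""Toy 802.1Q ingress/forwarding model for a port-based VLAN switch.

Added example for this thread, not code from the forum or from TP-Link.
The Port fields mirror the switch UI terms used above (PVID, Ingress
Checking, Acceptable Frame Types); the behaviour modelled is generic
802.1Q, not a statement about T1500G firmware internals.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800


@dataclass
class Port:
    members: dict              # vid -> "untagged" | "tagged" (egress form)
    pvid: int                  # VLAN assigned to untagged ingress frames
    acceptable: str = "all"    # "all" (Admit All) or "tagged" (Tagged Only)
    ingress_checking: bool = True


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; with vid set, an 802.1Q tag is inserted, which is
    what a host does when it sends on a VLAN sub-interface (self-tagging)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vid, ethertype); vid is None for an untagged frame."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return None, etype
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner


def classify_ingress(port, frame):
    """Apply Acceptable Frame Types, PVID and Ingress Checking in that order.
    Returns the VID the switch assigns, or None if the frame is discarded."""
    vid, _ = parse_tag(frame)
    if vid is None or vid == 0:            # untagged or priority-tagged
        if port.acceptable == "tagged":
            return None                    # trunk drops untagged frames
        vid = port.pvid
    if port.ingress_checking and vid not in port.members:
        return None                        # tag names a VLAN this port is not in
    return vid


def forward(switch, in_port, frame):
    """Egress set for a frame entering in_port: {port: 'tagged'|'untagged'}.
    Assumes flooding to every other member of the VLAN (no MAC learning)."""
    vid = classify_ingress(switch[in_port], frame)
    if vid is None:
        return {}
    return {n: p.members[vid] for n, p in switch.items()
            if n != in_port and vid in p.members}


def original_config():
    """Opening post: all ports untagged in VLAN 1 plus VLAN 2 (ports 2-6) or
    VLAN 3 (ports 1, 7-8); PVIDs 1,1,1,1,2,2,3,3; Admit All everywhere."""
    sw = {1: Port({1: "untagged", 3: "untagged"}, pvid=1)}
    for n in (2, 3, 4):
        sw[n] = Port({1: "untagged", 2: "untagged"}, pvid=1)
    for n in (5, 6):
        sw[n] = Port({1: "untagged", 2: "untagged"}, pvid=2)
    for n in (7, 8):
        sw[n] = Port({1: "untagged", 3: "untagged"}, pvid=3)
    return sw


def access_port_config():
    """One-armed-router layout from the reply: port 1 is a tagged-only trunk
    for VLANs 2 and 3; every other port is untagged in exactly one VLAN."""
    sw = {1: Port({2: "tagged", 3: "tagged"}, pvid=2, acceptable="tagged")}
    for n in (2, 3, 4):
        sw[n] = Port({2: "untagged"}, pvid=2)
    for n in (5, 6):
        sw[n] = Port({1: "untagged"}, pvid=1)
    for n in (7, 8):
        sw[n] = Port({3: "untagged"}, pvid=3)
    return sw


# Constructed sample frames from a host on port 5 (PVID 2): one sent
# untagged, one self-tagged with VLAN 1 to reach the router on port 1.
HOST = "02:00:00:00:00:05"          # constructed locally administered MAC
BCAST = "ff:ff:ff:ff:ff:ff"
PAYLOAD = b"\x45" + b"\x00" * 19     # placeholder IPv4 header bytes
UNTAGGED = build_frame(BCAST, HOST, ETH_IPV4, PAYLOAD)
SELF_TAGGED_V1 = build_frame(BCAST, HOST, ETH_IPV4, PAYLOAD, vid=1)

if __name__ == "__main__":
    orig, fixed = original_config(), access_port_config()
    print("original, untagged from port 5     ->", sorted(forward(orig, 5, UNTAGGED)))
    print("original, VID 1 tagged from port 5 ->", sorted(forward(orig, 5, SELF_TAGGED_V1)))
    print("fixed, VID 1 tagged from port 5    ->", forward(fixed, 5, SELF_TAGGED_V1))
    print("fixed, VID 2 tagged from port 7    ->",
          forward(fixed, 7, build_frame(BCAST, HOST, ETH_IPV4, PAYLOAD, vid=2)))
    print("fixed, untagged on trunk port 1    ->", forward(fixed, 1, UNTAGGED))
```

In the original layout the self-tagged frame from port 5 is flooded to every port, router port 1 included, because Ingress Checking only asks whether the port is a member of VLAN 1, which it is. In the access-port layout the same check drops a VLAN 2 tag arriving on port 7, and tagging your own VLAN (VID 1 on port 5) reaches nothing the untagged frame could not already reach, which is why an »Untagged Only« setting is not needed once each port is in a single VLAN.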
Re:Discard ingress tagged traffic on the T1500G-8T V2 switch
2020-04-26 20:50:38

@R1D2 

 

Wow! Really detailed answer @R1D2, thank you very much.

 

I've been having a look at the higher-end TP-Link switch series, but all of them seem to lack a filter to accept only untagged traffic on a port. It looks like they all use the same settings, so they only let you choose Acceptable Frame Types = Admit All or Acceptable Frame Types = Tagged Only.

 

Are there any known plans for adding Acceptable Frame Types = UNtagged Only to TP-Link switches?

 

Best regards.

 

#5
Re:Discard ingress tagged traffic on the T1500G-8T V2 switch
2020-04-26 21:25:14 - last edited 2020-04-26 21:42:21

 

Jorge87 wrote

Are there any known plans for adding Acceptable Frame Types = UNtagged Only to TP-Link switches?

 

Inside a VLAN network there is no untagged traffic. All frames are always tagged.

 

It's just that untagged traffic arriving on an Access Port of the switch gets tagged with its Port VLAN ID. This PVID can be any VLAN (1, 2, 3, 200, 300, whatever). As soon as the frame is received by the switch, it gets tagged.

 

If you connect clients such as PCs, laptops etc. over a Trunk Port (= member of more than one VLAN), they can choose which VLAN to use. It's intentional that tagged traffic can arrive on Trunk Ports. All that's really needed is to either drop untagged frames or accept them (and assign them the appropriate VLAN using the PVID).

 

This is the weak point in your topology! You use Trunk Ports for the clients instead of »Access Ports« which accept only untagged traffic (what you want).

 

Although I did show you the professional way to implement two or three networks for two or three VLANs, you can indeed use a single shared network over different VLANs, if this is what you want. But it can't be an asymmetric VLAN for the switch. That's all. This is your Acceptable Frame Type = Untagged Only setting!

 

So, ensure you have real Access Ports, ports which are assigned only one membership of either the DROP (1), LAN (2) or GUEST (3) VLAN.

Connect two cables from the router's LAN to the switch (but first configure the switch). Here you create the asymmetry, outside the switch.

 

VLAN config is:

  • Router LAN1 ↔ Switch Port 1, untagged member of VLAN 2 (LAN) only, PVID=2
  • Router LAN2 ↔ Switch Port 2, untagged member of VLAN 3 (GUEST) only, PVID=3
  • Ports 3-4: VLAN 2, PVID=2
  • Ports 5-6: VLAN 1, PVID=1
  • Ports 7-8: VLAN 3, PVID=3

 

Still asymmetric VLAN due to the router's ports LAN1 and LAN2 which are either bridged Ethernet NICs or two ports of a built-in switch.

 

But, for the TP-Link switch the VLAN now is symmetric. Broadcasts won't loop, certain protocols appear on both VLANs. Should work this way.

 

Note that this is no true isolation, neither for routers using bridged Ethernet ports nor for routers using a built-in switch for the LAN1/LAN2 ports.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#6
Re:Discard ingress tagged traffic on the T1500G-8T V2 switch
2020-04-26 22:17:09

Thanks again for your quick and extensive answer @R1D2.

 

For your first solution I would need a VLAN aware router, which I don't currently have. As I cannot implement it I sadly have to discard it.

 

Your second solution has the following limitations for my requirements:

  • Devices connected to ports 5 and 6 will only be able to talk to each other, which is something I don't really need.
  • I see no ports that could not reach the router and talk to LAN devices at the same time (those ports would belong to VLAN 2, named Only LAN in my initial post).
  • As switch ports 1 and 2 are configured as untagged and connected to my router, even though they have different VLANs and PVIDs, they will be able to talk to each other (once their traffic reaches the router) because the router will act as an unmanaged switch.

 

According to all of the above, I'm afraid that I'll have to return my TP-Link switch and change it for a NETGEAR GS308T, or maybe a MikroTik unit, that apparently do have this option to admit untagged packets only.

 

Best regards.

 

#7
Re:Discard ingress tagged traffic on the T1500G-8T V2 switch
2020-04-26 22:59:55 - last edited 2020-04-26 23:17:04

 

Jorge87 wrote

  • Devices connected to ports 5 and 6 will only be able to talk to each other, which is something I don't really need.
  • I see no ports that could not reach the router and talk to LAN devices at the same time (those ports would belong to VLAN 2, named Only LAN in my initial post).
  • As switch ports 1 and 2 are configured as untagged and connected to my router, despite they have different VLAN and PVID, they will be able to talk each other (once their traffic reach to the router) because the router will act as an unmanaged switch.

 

  1. You didn't specify whether ports 5-6 on LAN should be able to communicate with VLAN »System« (which is actually LAN, too).
    But since Internet is on LAN, connecting ports 5-6 to LAN gives them Internet access. That's done by your router.
  2. LAN and GUEST need Internet. Yes, I wrote: the clients are not truly isolated since your router has only one network. Certain broadcasts are forwarded to all.
  3. Switch ports LAN1 and LAN2 of the router are untagged, yes. This means that the router sends out broadcasts on all 4 ports or what number of ports your router has for the LAN.


But for the switch, the frames are not untagged. Remember: there is no such thing as an untagged frame in a managed switch, not even in Netgear switches. For the switch this is traffic in either VLAN 2 or 3. Devices in both VLANs, 2 and 3, are not able to talk to each other as long as their VLANs are terminated at the switch (not on another switch, that's the price). Ports 1 and 2 of the switch cannot talk to each other either. Re-check the settings, please.

 

I think what confuses you is that you currently have all ports in VLAN 1. Bad idea. I wrote: remove those ports from VLAN 1. Assign every port to only one VLAN: 1, 2 or 3. Never make a port a member of two VLANs.

 

Or take an outdated WiFi SOHO router lying around somewhere near you, install OpenWrt Linux on it (free of cost) and you can easily integrate this router into the VLAN network. Problem solved.

 

 

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#8