Description:

There is a security vulnerability in the VLAN implementation in Linux: network traffic can be sent to any VLAN if the packets are tagged with VLAN ID 0. Because VLAN ID 0 is also used for VLAN priority mapping (priority-tagged frames), this is intended behaviour.

To prevent packets tagged with VLAN 0 from reaching connected network devices, this traffic can be blocked on switch ports with the tagging mode Access by means of an ACL (Access Control List).

Blocking data traffic with VLAN ID 0 via the ACL is only possible if no priority mapping is used, because the ACL configured here matches on the Ethertype and therefore drops all VLAN-tagged frames, including priority-tagged frames.



Requirements:

  • LCOS SX as of version 5.10 Rel (download latest version)
  • Any web browser for accessing the web interface
  • Configured and functional VLAN configuration


Procedure:

Configuring the ACL via the web interface:

1) Connect to the web interface of the switch and go to the menu QoS → Access Control Lists → Summary.

2) Make sure that the option Enable is selected for the ACL Counters and click Add to add an ACL object.

3) Modify the following parameters and click Submit:

  • ACL Type: In the dropdown menu select the option Extended MAC.
  • ACL Identifier: Enter a descriptive name for the ACL object (in this example drop-tagged).

4) Change to the tab Configuration, make sure that the ACL Identifier created in step 3 is selected and click Add Rule to add a MAC ACL Rule.

5) Modify the following parameters and click Submit:

  • Action: Make sure that the option Deny is selected.
  • Ethertype: Enter the value 8100. It represents VLAN-tagged frames (802.1Q).

6) Add another MAC ACL Rule, modify the following parameters and click Submit:

  • Action: Make sure that the option Deny is selected.
  • Ethertype: Enter the value 88A8. It represents the Service Tag VLAN Identifier (802.1ad).

7) Change to the tab Interfaces and click Add to select the switch ports where the communication is to be prevented.

8) Modify the following parameters and click Submit:

  • Interface: Select the switch ports with tagging mode Access, where the VLAN communication is to be prevented (in this example 1/0/1 - 1/0/4).
  • Direction: Make sure that the option Inbound is selected.
  • ACL Identifier: In the dropdown menu select the ACL Identifier used in step 3.

The ACL must not be applied to switch ports with the tagging modes Hybrid and Trunk, as otherwise VLAN communication over these ports is no longer possible!

9) After the configuration, click on Save Configuration in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.

10) Acknowledge the save process by clicking OK.
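The following added example (not part of the LANCOM article or the switch firmware) shows what the two MAC ACL rules from steps 5 and 6 do to sample frames on an Access port: any frame whose Ethertype is 8100 or 88A8 is denied, which includes a VLAN 0 priority-tagged frame as well as normally tagged frames, while an untagged frame passes. The sample frames and the ACL evaluation logic are constructed here for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Ethertypes denied by the two MAC ACL rules from steps 5 and 6 of the article.
DENIED_ETHERTYPES = {0x8100: "802.1Q C-tag", 0x88A8: "802.1ad S-tag"}

@dataclass
class Frame:
    ethertype: int               # Ethertype directly after the two MAC addresses
    vid: Optional[int] = None    # 12-bit VLAN ID, only present for tagged frames
    pcp: Optional[int] = None    # 3-bit 802.1p priority, only present for tagged frames

def parse_frame(raw: bytes) -> Frame:
    """Decode the outer Ethernet header and, if present, the first VLAN tag."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", raw, 12)
    if ethertype not in DENIED_ETHERTYPES:
        return Frame(ethertype)
    if len(raw) < 18:
        raise ValueError("truncated VLAN tag")
    (tci,) = struct.unpack_from("!H", raw, 14)   # TCI = PCP(3) | DEI(1) | VID(12)
    return Frame(ethertype, vid=tci & 0x0FFF, pcp=tci >> 13)

def acl_action(frame: Frame) -> str:
    """Inbound Extended MAC ACL on an Access port: deny by Ethertype, otherwise permit."""
    return "deny" if frame.ethertype in DENIED_ETHERTYPES else "permit"

def make_frame(ethertype: int, tci: Optional[int] = None) -> bytes:
    """Constructed sample frame: broadcast dst, dummy src MAC, optional tag, IPv4 inside."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if tci is None:
        return hdr + struct.pack("!H", ethertype) + b"\x00" * 46
    return hdr + struct.pack("!HH", ethertype, tci) + struct.pack("!H", 0x0800) + b"\x00" * 46

# Constructed samples; the VLAN 0 frame is the priority-tagged case the article warns about.
SAMPLES = {
    "untagged IPv4": make_frame(0x0800),
    "VLAN 0, PCP 5 (priority-tagged)": make_frame(0x8100, (5 << 13) | 0),
    "VLAN 10": make_frame(0x8100, 10),
    "802.1ad S-tag, VLAN 100": make_frame(0x88A8, 100),
}

def evaluate(samples=SAMPLES) -> dict:
    """Map each sample description to the ACL verdict it would receive on an Access port."""
    return {name: acl_action(parse_frame(raw)) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:35s} -> {verdict}")
```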



Configuring the ACL via the LANCOM Management Cloud:

If the switch is managed via the LANCOM Management Cloud (LMC), it is recommended to configure the ACL via an addin script. You can use the attached addin script.

XS-Series-ACL-VLAN.json

1) Import the addin script in the LMC and enter the switch ports where the tagging mode Access is used.

  • Check in the web interface which switch ports use the tagging mode Access. Information on the tagging mode Access can be found in step 2.2 of this Knowledge Base article.
  • Replace INTERFACE-NUMBER with a switch port that uses the tagging mode Access (e.g. port 1/0/1).
  • A separate entry is required for each switch port. Therefore, for each additional port, copy the rows marked in red and replace INTERFACE-NUMBER with the corresponding port.

2) Assign the addin script to the switch and roll out the configuration.


You can find additional information regarding addin scripts under the following link.