VMware Cloud Community
erdemss
Contributor

Are there any workarounds for vSwitch to allow double-tagged frames?

Hello all,

The topology goes like this:

node <--nx1G--> L2switch <--2x1G--> ESXi (5.1)

Unlike other setups of this type, configuring dot1q tunneling on the switch causes problems with virtual machines, since the vSwitch self-assures that any double-tagged frame is an attack and must be dealt with swiftly. Not only have I come across this old thread (http://communities.vmware.com/thread/176962), but the vSphere 5.1 documentation also confirms that this behavior still exists:

"Double-encapsulation attacks

Occur when an attacker creates a double-encapsulated packet in which the VLAN identifier in the inner tag is different from the VLAN identifier in the outer tag. For backward compatibility, native VLANs strip the outer tag from transmitted packets unless configured to do otherwise. When a native VLAN switch strips the outer tag, only the inner tag is left, and that inner tag routes the packet to a different VLAN than the one identified in the now-missing outer tag."

I'm not questioning this being the default behavior; however, I strongly believe that the inability to alter this behavior is problematic, since it limits the VLAN ranges and numbering for large setups. Imagine you have multiple nodes, while these nodes are also connected to other devices via the same L2 switch. We normally assign a VLAN ID per connection and tunnel 1-4094 within it, thus not limiting any users to a particular set of VLANs.

My question is, is there any way to convince the vSwitch that it is OK to let double-tagged frames through?

Cheers,

Erdem

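As an added example (not code from the original post, the thread, or VMware), here is a small Python model of the behaviour discussed above: it builds Ethernet frames with stacked 802.1Q tags, parses the tag stack, applies a "drop anything double-tagged" policy like the one the vSwitch enforces, and shows the VLAN hop the quoted documentation warns about when a downstream native-VLAN switch strips the outer tag. The policy function, the native-VLAN stripping model, and the sample frames are simplified assumptions for illustration, not the vSwitch's actual implementation.

```python
"""Stacked 802.1Q (QinQ / double-tag) frames: build, parse, and apply a
drop-double-tagged policy. Added example; a simplified model, not VMware code."""
import struct

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ) and the legacy QinQ value.
TPIDS = {0x8100, 0x88A8, 0x9100}


def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame. `tags` is a list of (tpid, vid) from outer to inner;
    PCP/DEI bits are left at zero (assumption for the example)."""
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (vids outer->inner, inner ethertype, payload).
    Raises ValueError on a truncated header."""
    off = 12  # skip dst + src MAC
    vids = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (et,) = struct.unpack_from("!H", frame, off)
        off += 2
        if et in TPIDS:
            if off + 2 > len(frame):
                raise ValueError("truncated VLAN tag")
            (tci,) = struct.unpack_from("!H", frame, off)
            off += 2
            vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        else:
            return vids, et, frame[off:]


def vswitch_decide(frame, native_vlan=1, allow_double_tag=False):
    """Model of a port policy (assumption, not the real vSwitch algorithm):
    double-tagged frames are dropped unless explicitly allowed; otherwise the
    frame is forwarded on its outer VID, or on the native VLAN if untagged."""
    vids, _, _ = parse_tags(frame)
    if len(vids) >= 2 and not allow_double_tag:
        return ("drop", None)
    if vids:
        return ("forward", vids[0])
    return ("forward", native_vlan)


def vlan_after_native_strip(frame, native_vlan=1):
    """Model of a downstream switch that strips the outer tag when it matches the
    native VLAN: the inner tag then steers the frame, i.e. the VLAN hop the
    vSphere documentation describes. Returns the VLAN the frame ends up in."""
    vids, _, _ = parse_tags(frame)
    if len(vids) >= 2 and vids[0] == native_vlan:
        return vids[1]
    return vids[0] if vids else native_vlan


# Constructed sample frames (not captured traffic).
DST = b"\xff" * 6
SRC = b"\x00\x11\x22\x33\x44\x55"
DOUBLE_TAGGED = build_frame(DST, SRC, [(0x8100, 1), (0x8100, 200)], 0x0800, b"\x00" * 4)
SINGLE_TAGGED = build_frame(DST, SRC, [(0x8100, 100)], 0x0800, b"\x00" * 4)
QINQ_TUNNEL = build_frame(DST, SRC, [(0x88A8, 42), (0x8100, 300)], 0x0800, b"\x00" * 4)


def demo():
    """Summarise how each sample frame is treated under the two models."""
    out = {}
    for name, f in (("double", DOUBLE_TAGGED), ("single", SINGLE_TAGGED), ("qinq", QINQ_TUNNEL)):
        out[name] = {
            "vids": parse_tags(f)[0],
            "default": vswitch_decide(f),
            "qinq_allowed": vswitch_decide(f, allow_double_tag=True),
            "after_native_strip": vlan_after_native_strip(f),
        }
    return out


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

The point the model makes concrete: with native VLAN 1, the frame tagged 1/200 is harmless if the port drops all double-tagged frames, but once an operator whitelists QinQ (the `allow_double_tag=True` case, which is what the question asks for) the same frame lands in VLAN 200 on any downstream switch that strips the native outer tag. A tunnelling setup that uses a non-native outer VID per connection (the 42/300 frame) does not hop, which is the distinction a per-port allow setting would need to enforce.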
3 Replies
a_nut_in
Expert

Hey Erdem,

http://communities.vmware.com/message/1105065

Regards

a

erdemss
Contributor

Hey there,

Thank you for your reply. I'm afraid this doesn't really solve the problem (although I admit it could be considered a workaround), mainly because it involves installing (as far as I understand) third-party software on top of ESXi, costing financially and administratively.

Cheers,

vmroyale
Immortal

Note: Discussion successfully moved from VMware ESXi 5 to VMware vSphere™ vNetwork

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com