Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

5412zl - Forbid Command Does Not Function As Expected

Ken Douglas_1
Occasional Visitor

5412zl - Forbid Command Does Not Function As Expected

Just wanted to see if anyone else has experienced this issue. We have a number of 5412zl switches running firmware version K.12.51. We have two VLANs configured; VLAN 1, DEFAULT_VLAN (set up as the "authorized" VLAN) and VLAN 99 DSL_VLAN(a public Internet "unauthorized" access VLAN).

We have a set of ports that belong to VLAN 99; L19-L24. We never want devices on these ports to be able to join VLAN 1. Our VLAN configuration is set up as:

vlan 1
name "DEFAULT_VLAN"
forbid D1-D22,L19-L24
untagged A1-A24,B1-B20,B23-B24,C1-C22,C24,E11-E24,J1-J24,K1-K24,L1-L18,Trk1-Trk2,Trk17,Trk20,
Trk22,Trk24,Trk26
ip address 172.16.1.2 255.255.0.0
exit
vlan 99
name "DSL_VLAN"
untagged L19-L24
tagged Trk1-Trk2,Trk17,Trk20,Trk22,Trk24,Trk26
no ip address
exit

Note the "forbid" statement in VLAN 1. This should prevent ports L19-L24 from ever joining VLAN 1.

We also had an admin experimenting with 802.1x (which we've pretty much given up on). But we had the following statements left in the configuration:

aaa port-access authenticator L19 auth-vid 1
aaa port-access authenticator L19 unauth-vid 99
aaa port-access authenticator L20 auth-vid 1
aaa port-access authenticator L20 unauth-vid 99
aaa port-access authenticator L21 auth-vid 1
aaa port-access authenticator L21 unauth-vid 99
aaa port-access authenticator L23 auth-vid 1
aaa port-access authenticator L23 unauth-vid 99
aaa port-access authenticator L24 auth-vid 1
aaa port-access authenticator L24 unauth-vid 99
aaa port-access authenticator active

While attempting to troubleshoot a DSL problem I connected a laptop to port 21. This laptop has a certificate to join our domain, but because of the "forbid" statement in the VLAN 1 configuration, I never expected to authenticate to VLAN 1. Yet, connecting to L21, I clearly had access to our entire private LAN.

I spent an hour trying to figure out how I could possibly be connecting to VLAN 1 with that forbid statement.

Finally, I removed the port authenticator statement for port 21 and was no longer a member of VLAN 1(after disconnecting and reconnecting).

I consider this to be a MAJOR security threat. While the admin who failed to clean up after testing was clearly not completing their job, I would never expect this type of problem with the "forbid" statement configured.

Has anyone else seen this problem?
4 REPLIES
Pieter 't Hart
Honored Contributor

Re: 5412zl - Forbid Command Does Not Function As Expected

the forbid-statement is documented for "static" vlan assignment.

As the authenticator command is probably treated as dynamic vlan assignement, forbid had no effect.

regards,
Pieter
cenk sasmaztin
Honored Contributor

Re: 5412zl - Forbid Command Does Not Function As Expected

hi Ken
please send me all sh run print
and I make new config for you

(no need forbit command)

cenk

Matt Hobbs
Honored Contributor

Re: 5412zl - Forbid Command Does Not Function As Expected

As far as I know, Forbid is really an option to be used with GVRP.

Having said that though, I believe with an upcoming K.13.xx release there will be a change to how GVRP/Forbid and 802.1x operate.

Re: 5412zl - Forbid Command Does Not Function As Expected

Do you know the details of that change ? I know that a fix is going in for GVRP disabled edge ports and 802.1X.