Junos OS

QFX5100 triple tag VLAN switching broken when popping outside tag (and random VLAN packet security leak)

    Posted 04-08-2022 19:48

    Other device A -> xe-0/0/1 (NNI) QFX5100 with Junos 21.4R1.12  xe-0/0/1 (UNI) -> Other device B


    QFX5100 configured as follows:


    # show interfaces xe-0/0/0
    description NNI;
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 111 {
        encapsulation vlan-bridge;
        vlan-tags outer 111;
    }

    # show interfaces xe-0/0/1
    description UNI;
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 111 {
        encapsulation vlan-bridge;
        vlan-id-list 220-230;
        input-vlan-map {
            push;
            vlan-id 111;
        }
        output-vlan-map pop;
    }

    # show vlans tag-111
    interface xe-0/0/0.111;
    interface xe-0/0/1.111;

    Packet (1) ingress into xe-0/0/0

    A > ff:ff:ff:ff:ff:ff, ethertype 802.1Q-QinQ (0x88a8), length 72: vlan 111, p 0, ethertype 802.1Q-QinQ, vlan 222, p 0, ethertype 802.1Q, vlan 333, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name]

    Packet (1) egress out of xe-0/0/1

    A > ff:ff:ff:ff:ff:ff, ethertype 802.1Q-QinQ (0x88a8), length 68: vlan 222, p 0, ethertype 802.1Q, vlan 333, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name]

    Note VLAN 111 has correctly been popped from the packet. It is now two-tag QinQ.

    Packet (2) ingress into xe-0/0/1

    B > A, ethertype 802.1Q-QinQ (0x88a8), length 72: vlan 222, p 0, ethertype 802.1Q, vlan 333, p 0, ethertype PPPoE D, PPPoE PADO [AC-Name "abc"] [Service-Name] [AC-Cookie 123]

    Two-tag QinQ packet going into xe-0/0/1, which is expected to have vlan-id 111 pushed onto the stack.

    Packet (2) egress from xe-0/0/0

    B > A, ethertype 802.1Q (0x8100), length 76: vlan 15, p 0, ethertype 802.1Q-QinQ, vlan 222, p 0, ethertype 802.1Q, vlan 333, p 0, ethertype PPPoE D, PPPoE PADO [AC-Name "abc"] [Service-Name] [AC-Cookie 123]

    Note packet has vlan-id 15 on the outside third tag, not vlan-id 111 as is supposed to be pushed. I have no idea where vlan-id 15 has come from. It's not configured anywhere on the switch.

    This is both a functionality bug (as it's a broken switching path) and a security issue, as it allows ports access to non-permitted VLANs with random packets.

    I do not understand how the QFX platform is so bad at basic Ethernet switching functions.
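The tag-stack behaviour the post describes, as an added example that is not code from the post or from Juniper: a small Python model of the input-vlan-map push, the output-vlan-map pop and the vlan-id-list check, run over constructed frames that mirror packet (2). The MAC addresses and the PPPoE payload are made-up placeholders, and the "observed" frame reproduces only the tag stack tcpdump printed (TPID 0x8100 / VID 15 outermost), not the exact bytes on the wire. It shows what a correct push should yield on xe-0/0/0 (S-tag 111 over 222 over 333), that pop undoes push, and a check that flags an egress frame whose outer tag is not the configured S-VLAN.

```python
import struct

# Constructed example values (not from the original post): MAC addresses and a
# minimal PPPoE discovery payload stand in for the real devices A and B.
MAC_A = bytes.fromhex("021122334401")
MAC_B = bytes.fromhex("021122334402")
ETH_P_8021Q = 0x8100       # C-tag TPID, printed by tcpdump as "802.1Q"
ETH_P_8021AD = 0x88A8      # S-tag TPID, printed by tcpdump as "802.1Q-QinQ"
ETH_P_PPPOE_DISC = 0x8863  # printed by tcpdump as "PPPoE D"
TAG_TPIDS = (ETH_P_8021Q, ETH_P_8021AD)
# PPPoE ver 1 / type 1, code PADO (0x07), session 0, length 4, one empty Service-Name tag
PPPOE_PADO = bytes.fromhex("11070000000401010000")


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, tag stack, ethertype, payload).

    The tag stack is a list of (tpid, vid, pcp), outermost first. The loop keeps
    consuming 4-byte tags while the next ethertype is a VLAN TPID, so single,
    double (QinQ) and triple tagging are all handled the same way.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    tags, off = [], 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in TAG_TPIDS:
            return dst, src, tags, ethertype, frame[off + 2:]
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((ethertype, tci & 0x0FFF, tci >> 13))
        off += 4


def build_frame(dst, src, tags, ethertype, payload):
    """Inverse of parse_frame: serialise header, tag stack, ethertype and payload."""
    out = bytearray(dst + src)
    for tpid, vid, pcp in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def push_tag(frame, vid, tpid=ETH_P_8021AD, pcp=0):
    """input-vlan-map push: prepend a new outermost tag (S-tag TPID by default)."""
    dst, src, tags, et, payload = parse_frame(frame)
    return build_frame(dst, src, [(tpid, vid, pcp)] + tags, et, payload)


def pop_tag(frame):
    """output-vlan-map pop: strip the outermost tag."""
    dst, src, tags, et, payload = parse_frame(frame)
    if not tags:
        raise ValueError("nothing to pop")
    return build_frame(dst, src, tags[1:], et, payload)


def uni_accepts(frame, vid_list=range(220, 231)):
    """vlan-id-list 220-230: the outer VID seen on the UNI must be in the list."""
    _, _, tags, _, _ = parse_frame(frame)
    return bool(tags) and tags[0][1] in vid_list


def check_nni_egress(frame, expected_vid=111, expected_tpid=ETH_P_8021AD):
    """Return (ok, reason): is the outer tag the one the push should have produced?"""
    _, _, tags, _, _ = parse_frame(frame)
    if not tags:
        return False, "untagged"
    tpid, vid, _ = tags[0]
    if vid != expected_vid:
        return False, "outer vid %d, expected %d" % (vid, expected_vid)
    if tpid != expected_tpid:
        return False, "outer tpid 0x%04x, expected 0x%04x" % (tpid, expected_tpid)
    return True, "ok"


# Constructed copy of packet (2) entering xe-0/0/1: B > A, S-tag 222, C-tag 333, PADO
PKT2_INGRESS = build_frame(MAC_A, MAC_B,
                           [(ETH_P_8021AD, 222, 0), (ETH_P_8021Q, 333, 0)],
                           ETH_P_PPPOE_DISC, PPPOE_PADO)
# What input-vlan-map push 111 should emit on xe-0/0/0
PKT2_EXPECTED = push_tag(PKT2_INGRESS, 111)
# Constructed copy of the tag stack the post reports on egress: 0x8100 / vid 15 outermost
PKT2_OBSERVED = build_frame(MAC_A, MAC_B,
                            [(ETH_P_8021Q, 15, 0), (ETH_P_8021AD, 222, 0), (ETH_P_8021Q, 333, 0)],
                            ETH_P_PPPOE_DISC, PPPOE_PADO)

if __name__ == "__main__":
    for name, f in (("expected", PKT2_EXPECTED), ("observed", PKT2_OBSERVED)):
        stack = ["0x%04x/%d" % (t, v) for t, v, _ in parse_frame(f)[2]]
        print(name, stack, check_nni_egress(f))
    print("pop(push(x)) == x:", pop_tag(PKT2_EXPECTED) == PKT2_INGRESS)
```

Feeding real captures through `check_nni_egress` (for example frames read from a pcap of xe-0/0/0) would flag every egress frame whose outer tag is not S-VLAN 111, which is the symptom the post describes; the check deliberately tests the TPID as well as the VID, because the reported egress differs in both.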