Switching

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.

QFX5100 triple tag VLAN switching broken when popping outside tag (and random VLAN packet security leak)

  • 1.  QFX5100 triple tag VLAN switching broken when popping outside tag (and random VLAN packet security leak)

    Posted 04-08-2022 19:48

    Other device A -> xe-0/0/1 (NNI) QFX5100 with Junos 21.4R1.12  xe-0/0/1 (UNI) -> Other device B


    QFX5100 configured as follows:


    # show interfaces xe-0/0/0

    description NNI

    flexible-vlan-tagging;

    encapsulation flexible-ethernet-services;

    unit 111 {

        encapsulation vlan-bridge;

        vlan-tags outer 111;

    }

    # show interfaces xe-0/0/1

    description UNI

    flexible-vlan-tagging;

    encapsulation flexible-ethernet-services;

    unit 111 {

        encapsulation vlan-bridge;

        vlan-id-list 220-230;

        input-vlan-map {

            push;

            vlan-id 111;

        }

        output-vlan-map pop;

    }

    # show vlans tag-111

    interface xe-0/0/0.111;

    interface xe-0/0/1.111;

    Packet (1) ingress into xe-0/0/0

    A > ff:ff:ff:ff:ff:ff, ethertype 802.1Q-QinQ (0x88a8), length 72: vlan 111, p 0, ethertype 802.1Q-QinQ, vlan 222, p 0, ethertype 802.1Q, vlan 333, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name]

    Packet (1) egress out of xe-0/0/1

    A > ff:ff:ff:ff:ff:ff, ethertype 802.1Q-QinQ (0x88a8), length 68: vlan 222, p 0, ethertype 802.1Q, vlan 333, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name]

    Note VLAN 111 has correctly been popped from the packet. It is now two-tag QinQ.

    Packet (2) ingress into xe-0/0/1

    B > A, ethertype 802.1Q-QinQ (0x88a8), length 72: vlan 222, p 0, ethertype 802.1Q, vlan 333, p 0, ethertype PPPoE D, PPPoE PADO [AC-Name "abc"] [Service-Name] [AC-Cookie 123]

    Two tag QinQ packet going into xe-0/0/1 which is expected to have vlan-id 111 pushed onto the stack.

    Packet (2) egress from xe-0/0/0

    B >A, ethertype 802.1Q (0x8100), length 76: vlan 15, p 0, ethertype 802.1Q-QinQ, vlan 222, p 0, ethertype 802.1Q, vlan 333, p 0, ethertype PPPoE D, PPPoE PADO [AC-Name "abc"] [Service-Name] [AC-Cookie 123]

    Note packet has vlan-id 15 on the outside third tag, not vlan-id 111 as is supposed to be pushed. I have no idea where vlan-id 15 has come from. It's not configured anywhere on the switch.

    This is both a functionality bug (as it's broken switching path) and security issue as it allows ports access to non-permitted VLANs with random packets.

    I do not understand how the QFX platform is so bad at basic Ethernet switching functions.