
Ode To The IEEE Protocols … Here’s 802.1Q and 802.1X

--

Around the turn of the century, I wrote two major books ... The Handbook of The Internet and the Handbook of Data Communications. These were written in the days before the large-scale access to information on the Web, so I used to spend hours reading books, and sourcing them wherever I could find them. The access to knowledge was basically from the printed page. I thus tried to learn everything about all the related topics.

So, I’m dusting off a few things and trying to do a little bit of jargon-busting for the protocols that really matter in cybersecurity. For this article, we will look at IEEE 802.1Q and IEEE 802.1X. I strongly believe that practice improves knowledge, so I have included practical examples of configuring these protocols using Cisco devices.

The IEEE and its standards

It’s amazing. In just a few decades we built the most amazing machine ever created … the Internet. How? With network protocols. Every hurdle of connectivity, reliability and speed has been overcome, and at home you might now be connecting over a link of nearly 1 Gbps. The core of most networks is built on the mighty Ethernet (IEEE 802.3), which allows two nodes to communicate with each other and pass data packets (often IP). These packets then carry data segments (TCP), which can be reassembled into our data stream. It all works so well.

But we must thank the IEEE for all the work they did on standardizing the protocols involved, so that we could connect hosts that used different hardware and software. So, let’s do a bit of acronym busting and look at two great advancements defined by the IEEE … 802.1Q (VLAN tagging, so that a VLAN can span switches) and 802.1X (authorization of switch ports).

Both of these relate to the connection of devices to a Layer 2 device (such as a switch or a wireless access point), where we have switched (rather than routed) connections. As much as possible, we want communications to stay at Layer 2, as we can multiply up the bandwidth there. Once we get to Layer 3, the whole communication process slows down (unless we have a Layer 3 switch, which is a whole other area).

802.1Q

Nodes within a VLAN can communicate directly with each other; nodes outside the VLAN cannot communicate with them directly, even though they connect to the same switch. But what if we have nodes in the same VLAN that connect to different switches? This is where we use IEEE 802.1Q (Dot1q). With this we add a VLAN tag to the Ethernet frame, and the tagged frame can then be forwarded to other switches, which pick up the VLAN information from the tag. In this way, we keep the communications at Layer 2.

To configure the trunk port for 802.1Q communications, we assign one of our switch ports to a VLAN number and then enable the 802.1Q tagging mode on it. In the example below, we assign FA0/1 (a port on the network switch) to be our VLAN trunk port, and add it to VLAN number 3:

> enable
# config t
! create VLAN 3 on the switch (the (config-vlan)# prompt that follows is VLAN configuration mode)
(config)# vlan 3
(config-vlan)# exit
(config)# int fa0/1
! put FA0/1 in VLAN 3; this is the VLAN ID written into the tag of frames carried by this port
(config-if)# switchport access vlan 3
! 802.1Q tunnel mode: frames arriving on the port get a VLAN 3 tag (a frame that is already tagged gets it as a second, outer tag, i.e. Q-in-Q)
(config-if)# switchport mode dot1q-tunnel
(config-if)# exit
! also tag frames of the native VLAN on trunk ports, so that no frame leaves the switch untagged
(config)# vlan dot1q tag native

You can try it yourself, here:

https://asecuritysite.com/cisco/dot1q
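As an added illustration (this is not code from the original article or from the asecuritysite.com simulator), the Python script below builds and parses the 802.1Q tag described above: a 16-bit TPID (0x8100) followed by a 16-bit TCI holding the 3-bit priority, the drop-eligible bit and the 12-bit VLAN ID. It goes slightly beyond the text by also handling a stacked outer tag (TPID 0x88A8, IEEE 802.1ad), which is what a dot1q-tunnel port produces, and it includes a small defender-side check of what a trunk actually carries. The MAC addresses, payloads, constant names and function names are my own constructed values.

```python
import struct

# EtherType values used for VLAN tagging (IEEE 802.1Q / 802.1ad) and two common payloads
TPID_8021Q = 0x8100   # customer tag (C-TAG), the tag described in the article
TPID_8021AD = 0x88A8  # service tag (S-TAG), the outer tag added by Q-in-Q tunnelling
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_tag(vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """Return the 4-byte VLAN tag: 16-bit TPID followed by the 16-bit TCI.

    TCI layout: 3 bits PCP (priority), 1 bit DEI (drop eligible), 12 bits VID.
    """
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, ethertype, payload, tags=()):
    """Assemble an Ethernet frame; `tags` is a sequence of (tpid, vid, pcp) tuples, outermost first."""
    frame = bytes(dst) + bytes(src)
    for tpid, vid, pcp in tags:
        frame += build_tag(vid, pcp=pcp, tpid=tpid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Parse an Ethernet frame, peeling off every VLAN tag in front of the real EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        offset += 4
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "tags": tags,
        "ethertype": etype,
        "payload": frame[offset + 2:],
    }


def check_trunk_frame(parsed, allowed_vids):
    """Sanity check for a frame observed on a trunk that should only carry `allowed_vids`.

    Returns a list of findings (empty when the frame looks as expected): untagged frames,
    VIDs outside the allowed set and double-tagged frames are all reported.
    """
    findings = []
    if not parsed["tags"]:
        findings.append("untagged frame on trunk (native VLAN in use)")
    if len(parsed["tags"]) > 1:
        findings.append("double-tagged frame (%d tags)" % len(parsed["tags"]))
    for tag in parsed["tags"]:
        if tag["vid"] not in allowed_vids:
            findings.append("VID %d not allowed on this trunk" % tag["vid"])
    return findings


if __name__ == "__main__":
    # constructed sample addresses and payload, not captured traffic
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("02aabbccddee")
    frame = build_frame(dst, src, ETHERTYPE_ARP, b"\x00" * 28, tags=[(TPID_8021Q, 3, 0)])
    print(parse_frame(frame))
    print(check_trunk_frame(parse_frame(frame), allowed_vids={3, 10}))
```

The parser loops rather than reading a single tag because a frame leaving a dot1q-tunnel port carries two tags, and a monitoring tool that only strips the outer one would misreport the VLAN the traffic belongs to.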

802.1X

The IEEE 802.1X (dot1x) protocol provides port-based authentication that can stop unauthorized devices from connecting to a network switch. It can provide both authentication and authorization for network ports on a switch or wireless access point. Three roles are involved: a supplicant (the device which is trying to connect to the network and which presents its credentials), an authenticator (the switch or access point which controls the port and only opens it to the network once the supplicant has been authenticated) and an authentication server (which checks the credentials and authorizes the device; typically this is a RADIUS server).

In the following, we set up AAA (Authentication, Authorization and Accounting) on the switch, and then define the IP address of the RADIUS authentication server (10.0.0.1 on port 1812). 802.1X authentication is then applied to the FA0/1 port, so that a user must provide their credentials to connect to the network:

! enable the AAA framework
(config)# aaa new-model
! send start/stop accounting records for connections and network sessions to the RADIUS group
(config)# aaa accounting connection default start-stop group radius
(config)# aaa accounting network default start-stop group radius
! authenticate 802.1X via the RADIUS group, falling back to the local database if no server answers
(config)# aaa authentication dot1x default group radius local
! turn 802.1X on globally for the switch
(config)# dot1x system-auth-control
! RADIUS server 10.0.0.1, authentication on UDP port 1812; "test" is the shared secret (use a long random secret in production)
(config)# radius-server host 10.0.0.1 auth-port 1812 key test
(config)# int fa0/1
(config-if)# switchport mode access
! auto: the port starts unauthorized and passes only EAPOL frames until the supplicant authenticates
(config-if)# dot1x port-control auto
! re-authenticate the connected client periodically, every 180 seconds
(config-if)# dot1x re-authentication
(config-if)# dot1x timeout reauth-period 180
! wait 40 s for a reply to an EAP-Request/Identity before resending it
(config-if)# dot1x timeout tx-period 40
! keep the port quiet for 10 s after a failed authentication
(config-if)# dot1x timeout quiet-period 10
! resend an unanswered EAP request from the server up to 3 times before restarting authentication
(config-if)# dot1x max-req 3

You can try it yourself, here:

https://asecuritysite.com/cisco/dot1x
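To make the three roles concrete, here is an added Python model of the exchange (my own example, not code from the original article or from the asecuritysite.com simulator). The supplicant holds the credential, the authenticator port starts in the unauthorized state and only relays EAP between the supplicant and the server, and the authentication server (standing in for the RADIUS server) is the only party that checks the password. The EAP method used is EAP-MD5-Challenge from RFC 3748, chosen because it is the simplest method that shows a real credential check; the class names, the user "alice" and the passwords are constructed test data, and the RADIUS transport is reduced to the result code strings rather than real packets.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# EAP packet codes and method types from RFC 3748
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class EapMsg:
    """One EAP packet; `data` is the type-specific payload (empty for Success/Failure)."""
    code: int
    ident: int
    eap_type: int = 0
    data: bytes = b""


class Supplicant:
    """The device asking for network access; it is the party that holds the credential."""

    def __init__(self, identity, password):
        self.identity = identity
        self.password = password

    def respond(self, req):
        if req.eap_type == EAP_TYPE_IDENTITY:
            return EapMsg(EAP_RESPONSE, req.ident, EAP_TYPE_IDENTITY, self.identity.encode())
        if req.eap_type == EAP_TYPE_MD5_CHALLENGE:
            size = req.data[0]
            challenge = req.data[1:1 + size]
            # RFC 3748 section 5.4: MD5(Identifier || secret || Challenge); the password never leaves the host
            digest = hashlib.md5(bytes([req.ident]) + self.password.encode() + challenge).digest()
            return EapMsg(EAP_RESPONSE, req.ident, EAP_TYPE_MD5_CHALLENGE,
                          bytes([len(digest)]) + digest + self.identity.encode())
        raise ValueError("unsupported EAP request type %d" % req.eap_type)


class AuthServer:
    """Stand-in for the RADIUS server: the only party that knows the user database."""

    def __init__(self, users):
        self.users = users          # identity -> password (constructed test data)
        self.pending = {}           # session -> (identity, challenge, identifier)

    def handle(self, session, resp):
        """Process an EAP-Response carried in a RADIUS Access-Request; return (RADIUS code, EAP reply)."""
        if resp.eap_type == EAP_TYPE_IDENTITY:
            identity = resp.data.decode()
            challenge = os.urandom(16)
            ident = (resp.ident + 1) & 0xFF
            self.pending[session] = (identity, challenge, ident)
            return "Access-Challenge", EapMsg(EAP_REQUEST, ident, EAP_TYPE_MD5_CHALLENGE,
                                              bytes([len(challenge)]) + challenge)
        if resp.eap_type == EAP_TYPE_MD5_CHALLENGE and session in self.pending:
            identity, challenge, ident = self.pending.pop(session)
            password = self.users.get(identity)
            if password is not None and resp.ident == ident:
                expected = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
                size = resp.data[0]
                if hmac.compare_digest(resp.data[1:1 + size], expected):
                    return "Access-Accept", EapMsg(EAP_SUCCESS, ident)
            return "Access-Reject", EapMsg(EAP_FAILURE, ident)
        return "Access-Reject", EapMsg(EAP_FAILURE, resp.ident)


class AuthenticatorPort:
    """The switch port (dot1x port-control auto): relays EAP and opens only on Access-Accept."""

    def __init__(self, server):
        self.server = server
        self.authorized = False
        self.radius_log = []        # RADIUS result codes seen; a run of Access-Reject is what monitoring looks for

    def forward_data(self, frame):
        """Normal (non-EAPOL) traffic is dropped while the port is unauthorized."""
        return self.authorized

    def authenticate(self, supplicant):
        """Run the exchange that follows an EAPOL-Start; return True when the port becomes authorized."""
        self.authorized = False
        session = id(supplicant)
        req = EapMsg(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)       # authenticator's EAP-Request/Identity
        while True:
            resp = supplicant.respond(req)                     # EAPOL frame from the supplicant
            result, reply = self.server.handle(session, resp)  # EAP relayed inside RADIUS
            self.radius_log.append(result)
            if reply.code == EAP_SUCCESS:
                self.authorized = True
                return True
            if reply.code == EAP_FAILURE:
                return False
            req = reply                                        # Access-Challenge: pass the next EAP-Request on


if __name__ == "__main__":
    server = AuthServer({"alice": "s3cret-pass"})             # constructed credential store
    port = AuthenticatorPort(server)
    print("data forwarded before auth:", port.forward_data(b"\x00" * 60))
    print("authenticated:", port.authenticate(Supplicant("alice", "s3cret-pass")))
    print("data forwarded after auth:", port.forward_data(b"\x00" * 60), port.radius_log)
```

Note that the authenticator never learns the password and never decides the outcome itself; it only changes port state on the EAP-Success or EAP-Failure that the server returns, which is exactly why the RADIUS shared secret and the server's reachability matter so much in a real deployment. EAP-MD5 is used here only for clarity; it gives no mutual authentication and derives no keys, so production 802.1X deployments use EAP-TLS or PEAP.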

Conclusions

Oh, go on, get behind those pesky acronyms and learn a bit about the core of cybersecurity … networking and network protocols:

https://asecuritysite.com/cisco

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice