New Member

IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Hi,

as suggested by support, I'm posting this potential VLAN/Layer 3 isolation problem here, for the devs to comment on.

I have a new US8 Rev24, which is based on the Vitesse platform (instead of the previous Broadcom platform). On this switch, the management OS has a virtual interface for every VLAN that is configured on the switch. Those interfaces seem to be created at provisioning time, but only the one in the management VLAN is actively configured. The other ones are just created and left alone in UP state. On all my VLANs IPv6 is available, some have SLAAC enabled, some only RAs. The problem is now that the management OS sees those RAs and configures a default gateway/SLAAC IPv6 address on all those interfaces, which makes the Switch-OS directly accessible from clients in those VLANs, and in my case, on the external VLAN (ISP), accessible (v6 pingable) from the internet. "mcad" even binds to a "::" UDP socket and is potentially reachable.

The problem may not be restricted to IPv6 if a potential attacker is creative (not tested). In any case, this is a severe Layer 3 isolation problem (at least IMO), that should be fixed.

As a workaround, those interfaces can be removed manually by logging into the switch via SSH. To remove the interfaces for VLAN 6/7:

ip link del dev vtss.vlan.6
ip link del dev vtss.vlan.7

The management interface gets renamed to eth0 at provisioning time, so it should not be possible to accidentally remove it.

Interfaces on this switch, public IPs have been removed, but you can see the autoconfigured ULA ones:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: vtss.ifh: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 10400 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 32:2e:d0:5f:69:96 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1
    link/ether fc:ec:da:bf:96:28 brd ff:ff:ff:ff:ff:ff
    inet 192.168.135.10/24 brd 192.168.135.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::feec:daff:febf:9628/64 scope link 
       valid_lft forever preferred_lft forever
4: vtss.vlan.6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1
    link/ether fc:ec:da:bf:96:28 brd ff:ff:ff:ff:ff:ff
    inet6 fd1f:18c4:4336:1126:feec:daff:febf:9628/64 scope global mngtmpaddr dynamic 
       valid_lft 6931sec preferred_lft 3331sec
    inet6 fe80::feec:daff:febf:9628/64 scope link 
       valid_lft forever preferred_lft forever
5: vtss.vlan.7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1
    link/ether fc:ec:da:bf:96:28 brd ff:ff:ff:ff:ff:ff
    inet6 fd1f:18c4:4336:1127:feec:daff:febf:9628/64 scope global mngtmpaddr dynamic 
       valid_lft 7074sec preferred_lft 3474sec
    inet6 fe80::feec:daff:febf:9628/64 scope link 
       valid_lft forever preferred_lft forever

-Markus


All Replies
New Member

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

I have just confirmed this on my network. One of the switches is indeed reachable from every VLAN. According to "netstat -tulpen", this means the following two services are exposed:

udp        0      0 :::53566                :::*                                992/mcad
udp        0      0 :::42620                :::*                                682/switch_app

Ubiquiti Employee

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Hi @marwer,

Thanks for the issue report, will investigate how to avoid the problem.

New Member

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

A quick update:

It seems those interfaces DO have a purpose on this hardware platform. Without them, it seems, the switch isn't able to determine to which switch ports devices on tagged VLANs are connected. Those appear to be connected to the upstream switch (US8-60W in this case). Only the devices on the native VLAN (VM-Host) are correctly displayed in the map; those on tagged VLANs (VMs) are located on the upstream switch port.

To keep the port detection working, one currently MUST NOT remove those interfaces. Instead, I disabled IPv6 via sysctl on the switch. This is only a partial mitigation, since the interfaces are UP and it is possible (at least theoretically) to interact with the management kernel. If iptables/nftables (or ebtables) were available on the system, all IP/IPv6 traffic could be blocked in the raw table. This way "mcad" (or "switch_app") could use the interface, but the OS would be mostly safe from any traffic.

-Markus
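An added example, written for this page and not code from the thread or from the Ubiquiti firmware, that turns the checks from the first post and the "netstat -tulpen" reply, plus the sysctl mitigation from the post above, into one script for the switch's SSH shell. It parses "ip addr" for global-scope IPv6 addresses on interfaces other than the management one, parses netstat output for sockets bound to "::" (the mcad and switch_app sockets reported above), and, as the partial mitigation, turns off RA acceptance, autoconf and IPv6 on every vtss.vlan.* interface while leaving the interfaces themselves in place so port detection keeps working. Assumptions: the management interface is eth0, the VLAN interfaces follow the vtss.vlan.<id> naming from the listing, and the kernel exposes the standard /proc/sys/net/ipv6/conf/<dev>/ knobs. The embedded "ip addr" and netstat listings are constructed from the posts (the sshd line is made up to show the filter) and are only used for a self-check; with no argument the script checks its parsers, "audit" and "harden" act on the live system.

```shell
#!/bin/sh
# Added example (not from the thread or from the UniFi firmware): audit and
# mitigate the per-VLAN management interfaces (vtss.vlan.N) on a US8 rev24
# from its SSH shell. Assumed: management interface is eth0, VLAN interfaces
# are named vtss.vlan.<id>, /proc/sys/net/ipv6/conf/<dev>/ knobs exist.

MGMT_IF=${MGMT_IF:-eth0}

# Constructed sample: the "ip addr" listing from the first post, trimmed.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
3: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.135.10/24 brd 192.168.135.255 scope global eth0
    inet6 fe80::feec:daff:febf:9628/64 scope link
4: vtss.vlan.6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet6 fd1f:18c4:4336:1126:feec:daff:febf:9628/64 scope global mngtmpaddr dynamic
    inet6 fe80::feec:daff:febf:9628/64 scope link
5: vtss.vlan.7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet6 fd1f:18c4:4336:1127:feec:daff:febf:9628/64 scope global mngtmpaddr dynamic
    inet6 fe80::feec:daff:febf:9628/64 scope link'

# Constructed sample: the two "::"-bound sockets reported with "netstat -tulpen"
# plus a made-up sshd line bound to a single address, to show the filter.
SAMPLE_NETSTAT='udp        0      0 :::53566                :::*                                992/mcad
udp        0      0 :::42620                :::*                                682/switch_app
tcp        0      0 192.168.135.10:22       0.0.0.0:*               LISTEN      1/sshd'

# exposed_addrs: read "ip addr" output on stdin, print "<iface> <addr>" for every
# global-scope IPv6 address on an interface other than the management one.
# Link-local addresses are skipped: they are reachable only from the same VLAN.
exposed_addrs() {
    awk -v mgmt="$MGMT_IF" '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface) }
        $1 == "inet6" && /scope global/ && iface != mgmt { print iface, $2 }'
}

# wildcard_sockets: read netstat output on stdin, print "<proto> <port> <pid/prog>"
# for sockets bound to :: (every interface, including the VLAN ones, answers).
wildcard_sockets() {
    awk '$4 ~ /^:::[0-9]+$/ { n = split($4, a, ":"); print $1, a[n], $NF }'
}

# audit: run both checks against the live system.
audit() {
    echo "== global IPv6 addresses on non-management interfaces =="
    ip addr show | exposed_addrs
    echo "== sockets bound to :: =="
    netstat -tulpen 2>/dev/null | wildcard_sockets
}

# harden: keep the vtss.vlan.* interfaces (the switch needs them for port
# detection) but stop the kernel from accepting RAs or autoconfiguring IPv6
# on them; disable_ipv6=1 also removes already-configured v6 addresses.
# Written via /proc because the interface names contain dots, which
# sysctl(8) would read as key separators. Not persistent across a reboot.
harden() {
    for path in /sys/class/net/vtss.vlan.*; do
        [ -e "$path" ] || continue
        dev=${path##*/}
        conf=/proc/sys/net/ipv6/conf/$dev
        [ -d "$conf" ] || continue
        echo 0 > "$conf/accept_ra"
        echo 0 > "$conf/autoconf"
        echo 1 > "$conf/disable_ipv6"
        echo "hardened $dev"
    done
}

# selfcheck: returns 0 when the parsers find exactly the two ULA-addressed
# VLAN interfaces and the two ::-bound UDP sockets in the constructed samples.
selfcheck() {
    a=$(printf '%s\n' "$SAMPLE_IP_ADDR" | exposed_addrs | wc -l | tr -d ' ')
    s=$(printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_sockets | wc -l | tr -d ' ')
    [ "$a" -eq 2 ] && [ "$s" -eq 2 ]
}

case "${1:-}" in
    audit)  audit ;;
    harden) harden ;;
    *)      selfcheck && echo "parsers OK; run with 'audit' or 'harden' on the switch" ;;
esac
```

As the post says, this is a partial mitigation: the interfaces stay UP, nothing here filters non-IPv6 traffic, and the /proc writes are lost on reboot or re-provisioning, so re-run "audit" after a firmware or controller change to confirm the addresses have not come back.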

Ubiquiti Employee

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Hi @marwer,

This beta firmware should fix the IPv6 VLAN isolation issue, please let me know if the problem still persists.

FW version: gk-us8-ipv6
* USW-Multi | FW

Thanks.

New Member

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Yes, this fixes it. Interfaces are there, but have no IPv6 addresses. A quick tcpdump suggests that there are no router discovery packets originating from non-management VLANs either.

Thanks.

New Member

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

[ Edited ]

@UBNT-GavinKe

Ubiquiti Employee

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Hi @marwer,

Can you please help confirm whether all clients connected to this US8 have the port detection issue, or just the Sonos?

Will see if it's replicable in our lab.

Thanks.

New Member

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Hi @UBNT-GavinKe,

yes, all ports have this problem. Non-Sonos devices mostly stick to the right ports, but not always. They sporadically jump between the real port and the uplinks of the two other US8s (US-1/US-2). The Sonos device on the other hand never appears on the correct port. That may have something to do with STP BPDUs being emitted by it (although, with WiFi/SonosNet disabled, there is no need for STP). I enabled STP on a Linux device on this switch, but it did not have any visible effect. So the problem could be totally unrelated to STP. STP is disabled on the switches, since I need PXE boot to work reliably, which it only does with RSTP (conflicts with Sonos) or completely disabled.

There are three switches (US-3 is the problematic one):

US8-1 <> US8-60W <> US8-3 <> US8-2

The 60W is the "root" switch (controller connected via a trunk port).

Ubiquiti Employee

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Hi @marwer,

I tested the problem of incorrect port detection in our lab today and cannot replicate it. Here's my test topology: two UC8 switches are connected to my root switch US48PRO, topology is listed below.

Screen Shot 2019-04-12 at 6.30.07 PM.png

The clients report correctly. Could you provide a screenshot of your network topology? That would be helpful. Also it would be great to have your device info when the port detection error happened. I need two device infos, one from before the error happens and the other from after the error happened.
The device info can be retrieved in Devices ---> UC8 -----> Config -----> Manage Device ------> Download device Info.

Screen Shot 2019-04-12 at 6.40.36 PM.png

Thanks in advance!

Best Regards,
Simon Huang

New Member

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Hi @UBNT-Simon,

This is the topology without clients:

unifi_topology_simple.png

The Sonos device is currently connected to USW-US8-3, port 4. It shows mostly on USW-US8-1, port 1, sometimes on USW-US8-2, port 1, but never on any port of USW-US8-3. All other devices seem to stick to the correct port now; they don't visibly jump around any more.

unifi_topology_sonos0.png

I can't provide a device info of the before or correct state, since I never had one. But I will PM you those when the Sonos device shows as connected to US8-1 and US8-2.

New Member

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Hi @UBNT-Simon,

I don't know why, but after unplugging MM-Sonos-0 for about 10 minutes and replugging it, the problem is gone. I did not replug MM-Ganymed, but now I noticed that it was plugged into port 4 all the time (MM-Sonos-0 in port 5), NOT the other way round as indicated on the older screenshots. Unplugging and replugging seems to have changed the switch's/controller's idea of where those two devices are plugged in.

unifi_topology_ok.png

I will keep an eye on it and post should it go crazy again.

Thanks for your patience.

-Markus

Ubiquiti Employee

Re: IP/IPv6 VLAN Isolation issue with UniFi Switch 8 Board Revision 24 (Vitesse Based)

Thanks for providing the information and the detail, it is very helpful. Let me know if it happens again, thank you.

Sincerely,

Simon Huang