Wired & Wireless broadcasts on the same VLAN
Last Post: December 7, 2010
-
I have a question regarding wired and wireless devices operating on the same VLAN. First off, I know this isn't a good practice, but it was brought to my attention by someone and made me do a little thinking. I know that when two wireless devices communicate via a broadcast and encryption is used, the GTK encrypts the broadcast/multicast traffic between the wireless client and the AP, but what happens if a wired device sends out a broadcast on the same VLAN as the wireless devices? Will the AP encrypt the wired broadcast before it becomes airborne? For some reason, I don't think so. The wired client and the AP do not share an encrypting relationship... correct? In other words, is there a potential for wired leakage (using even the most secure WPA2/AES encryption between wireless clients and APs) with wired devices on the same VLAN?
-
I'm going to answer my own question here - I believe the answer is IT DEPENDS. If the wired broadcast is a L2 broadcast (a L2 protocol like CDP) then it will be seen over the air because wireless encryption only encrypts the MSDU (L3+). So it's best practice to disable all L2 protocols like CDP (Cisco Discovery Protocol) that can potentially make their way over the air. Am I correct in saying this?
-
stevea, I'm trying to run a setup to learn a few things regarding your thought experiment, but I am using Omnipeek Enterprise (which Wildpackets sent me for the CWSP CD exercises) and cannot seem to get any MAC (L2 only) frames, even beacons, auth, assoc, etc., that should be all over the air in a busy university library with ~300 online clients (I can see that with the Norton Network Security Map). All I get are L3 packets with TCP/IP data. When I set the filter to MAC frames only, out of millions of captures, not one MAC frame. Any comments?
-
OK, Omnipeek support said it depends on the Wifi adapter, whether it can support MAC frame capture.
-
I use Proxim Orinoco Gold a/b/g combo card, and it works fine - PCMCIA.
-
To the original question, no, that is incorrect. A broadcast wired frame that will eventually be transmitted on the wireless medium will undergo MAC translation. In other words, the Media Access Control protocol that carries higher layer protocols will change to 802.11, likely from 802.3. If we're talking about a "L2" protocol like ARP or CDP, those protocols will become the encrypted payload of an 802.11 data frame, which will be encrypted using the GTK. 802.11 encryption pertains only to the wireless medium and operates the same way regardless of the source of the data. The frame arrives (unencrypted) at the AP to be transmitted on the wireless medium and the AP then applies encryption rules according to the frame rules and addressee(s).
Though it was outside the scope of your original question, best practices usually recommend disabling broadcast traffic from the wired to the wireless medium (if your vendor supports this) because wireless clients rarely serve any broadcast functions for wired users. So, you may find that these L2 broadcast frames are always blocked by virtue of their uselessness on the wireless medium. :)
-
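The reply above says a wired broadcast is MAC-translated from 802.3 to 802.11 at the AP and that only the MSDU is then encrypted under the GTK. The script below is an added example written for this page (it is not code from the thread, from Omnipeek, or from any vendor's AP): it performs that translation for a constructed ARP (Ethernet II) and CDP (802.3/LLC/SNAP) broadcast, shows where the cleartext 802.11 header ends and the encrypted MSDU begins, and then runs the check a practitioner would actually want over a capture: which data frames carry a wired L2 protocol over the air with the Protected Frame bit clear. The function names, the BSSID and switch MAC values, and the sample frames are all assumptions constructed for the example.

```python
import struct

# Constants for the constructed frames below (assumptions for this example,
# not values from the original thread).
BROADCAST = b"\xff" * 6
CDP_MCAST = bytes.fromhex("01000ccccccc")   # destination MAC Cisco uses for CDP
CISCO_OUI = b"\x00\x00\x0c"
CDP_PID = 0x2000                            # SNAP PID for CDP under the Cisco OUI
RFC1042_OUI = b"\x00\x00\x00"

FC0_DATA = 0x08          # frame-control byte 0: type=data, subtype=0
FC1_FROM_DS = 0x02       # frame-control byte 1: From-DS (AP -> station)
FC1_PROTECTED = 0x40     # frame-control byte 1: Protected Frame bit


def eth_to_80211(eth, bssid, protected, seq=0):
    """Translate one wired Ethernet frame into the 802.11 data frame an AP sends
    into its BSS (From-DS=1: addr1=DA, addr2=BSSID, addr3=SA).
    Returns (mac_header, msdu). The header always goes over the air in the
    clear; the MSDU is the part WPA2 encrypts, with the GTK when DA is a
    group address and the PTK when it is unicast."""
    if len(eth) < 14:
        raise ValueError("runt Ethernet frame")
    dst, src = eth[:6], eth[6:12]
    type_or_len = struct.unpack("!H", eth[12:14])[0]
    payload = eth[14:]
    if type_or_len >= 0x0600:
        # Ethernet II: wrap the payload in an RFC 1042 LLC/SNAP header
        msdu = b"\xaa\xaa\x03" + RFC1042_OUI + struct.pack("!H", type_or_len) + payload
    else:
        # 802.3 (length field): payload already starts with LLC, so keep it
        # and drop the Ethernet minimum-size padding
        msdu = payload[:type_or_len]
    flags = FC1_FROM_DS | (FC1_PROTECTED if protected else 0)
    header = (bytes([FC0_DATA, flags]) + b"\x00\x00"      # frame control, duration
              + dst + bssid + src                         # addr1, addr2, addr3
              + struct.pack("<H", (seq & 0x0FFF) << 4))   # sequence control
    return header, msdu


def classify_msdu(msdu):
    """Name the upper-layer protocol from the LLC/SNAP header of an MSDU."""
    if len(msdu) >= 8 and msdu[:3] == b"\xaa\xaa\x03":
        oui, pid = msdu[3:6], struct.unpack("!H", msdu[6:8])[0]
        if oui == CISCO_OUI and pid == CDP_PID:
            return "CDP"
        if oui == RFC1042_OUI:
            return {0x0806: "ARP", 0x0800: "IPv4", 0x86DD: "IPv6"}.get(pid, "ethertype 0x%04x" % pid)
        return "SNAP OUI %s PID 0x%04x" % (oui.hex(), pid)
    return "LLC"


def cleartext_l2_leaks(frames):
    """Over captured 802.11 frames, report (addr1, protocol) for every data frame
    sent with the Protected Frame bit clear, i.e. wired L2 protocols readable
    over the air. Management frames (beacons, auth, assoc) are never encrypted
    and are not data, so they are skipped."""
    findings = []
    for f in frames:
        if len(f) < 24:
            continue
        fc0, fc1 = f[0], f[1]
        if (fc0 & 0x0C) != 0x08:          # not a data frame
            continue
        if fc1 & FC1_PROTECTED:           # encrypted MSDU: nothing readable here
            continue
        hdr_len = 30 if (fc1 & 0x03) == 0x03 else 24   # 4-address (WDS) header
        if fc0 & 0x80:                    # QoS data subtypes add a QoS control field
            hdr_len += 2
        findings.append((f[4:10].hex(":"), classify_msdu(f[hdr_len:])))
    return findings


def demo():
    """Constructed capture: the same wired ARP and CDP broadcasts bridged by an
    open AP and by a WPA2 AP. Returns the leak report for each case."""
    bssid = bytes.fromhex("00112233aabb")
    sw_mac = bytes.fromhex("001122334455")
    # Ethernet II ARP request: who-has 192.168.1.1, tell 192.168.1.10
    arp = (BROADCAST + sw_mac + b"\x08\x06"
           + bytes.fromhex("0001080006040001") + sw_mac + bytes([192, 168, 1, 10])
           + b"\x00" * 6 + bytes([192, 168, 1, 1]))
    # 802.3/LLC/SNAP CDP frame: version 2, TTL 180, checksum left zero
    cdp_body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID) + b"\x02\xb4\x00\x00"
    cdp = (CDP_MCAST + sw_mac + struct.pack("!H", len(cdp_body)) + cdp_body
           + b"\x00" * (46 - len(cdp_body)))

    open_air = [h + m for h, m in (eth_to_80211(arp, bssid, False),
                                   eth_to_80211(cdp, bssid, False))]
    # Under WPA2 the AP replaces the MSDU with CCMP header + ciphertext + MIC;
    # an opaque stand-in is used here because only the Protected bit matters
    wpa2_air = [h + b"\x00" * 8 + b"\xee" * len(m) + b"\x00" * 8
                for h, m in (eth_to_80211(arp, bssid, True),
                             eth_to_80211(cdp, bssid, True))]
    return cleartext_l2_leaks(open_air), cleartext_l2_leaks(wpa2_air)


if __name__ == "__main__":
    open_leaks, wpa2_leaks = demo()
    print("open SSID :", open_leaks)   # ARP and CDP readable over the air
    print("WPA2-CCMP :", wpa2_leaks)   # nothing: MSDU is under the GTK
```

Two things the run makes concrete: the 802.11 MAC header (including the wired source MAC in addr3) is always visible regardless of encryption, and whether CDP or ARP is readable over the air depends only on whether the AP encrypts the MSDU, not on the protocol being "L2". To test this on a real network, feed the script frames from a capture taken with an adapter that can deliver raw 802.11 MAC frames, which, as noted later in the thread, not every adapter does.
-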
Marcus Burton,
Thanks for the reply! That makes perfect sense.
-
Ronald Yu,
Yes, it does depend on your wireless adapter. I use the same Orinoco Gold a/b/g combo card (PCMCIA) and it works perfectly. You can usually get it on eBay for cheap.