A malicious user can easily gain access to data on another VLAN that he is not authorised to access by using VLAN hopping. A VLAN Hopping attack can be launched using Switch Spoofing or Double Tagging of the 802.1Q trunking protocol. To have a quick insight into VLAN Hopping, click here.

You can prevent VLAN Hopping in Cisco Switches as follows:

1. Prevent VLAN Hopping attacks using Switch Spoofing

For this form of VLAN Hopping attack, the simplest solution is to disable "Dynamic Trunking Protocol (DTP)" on all untrusted ports, most importantly on the access switches where end users connect their devices and gain access to the network.

This can be done by:

ciscoswitch# conf t
ciscoswitch(config)# int gi1/10
ciscoswitch(config-if)# switchport nonegotiate

In the above, the "switchport nonegotiate" command on interface "gi1/10" disables DTP, so the switchport will not negotiate trunking on the link.

An even better option is to explicitly configure the port as an access port, which eliminates any possibility of trunking on the port (assuming you know that the port will never need to act as a trunk):

ciscoswitch(config-if)# switchport mode access

This disables trunking and DTP on the port and marks it as an access port only.

2. Prevent VLAN Hopping attacks using Double Encapsulation (Double Tagging)

Use an isolated VLAN as the native VLAN for the trunks, one dedicated to that purpose only and carrying no other traffic, because the trunk port strips the VLAN tag from native-VLAN frames and passes them as untagged traffic.
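The two checks above (no DTP negotiation on untrusted ports, and a dedicated native VLAN on every trunk) are easy to audit from a saved running-config. The following Python script is an added example, not code from the original post: it parses a constructed sample running-config (the interface names, VLAN numbers and hostname are assumptions) and reports every port that could still be used for switch spoofing or double tagging. The parser only understands the "interface ... / !" stanza layout shown in the sample.

```python
"""Audit a Cisco IOS running-config for the two VLAN-hopping exposures:
switch spoofing (ports that may still negotiate a trunk via DTP) and
double tagging (trunks whose native VLAN is VLAN 1 or is shared with
access ports).  Added example with a constructed sample config."""
import re

# Constructed sample running-config (assumption: not from any real switch).
SAMPLE_CONFIG = """\
hostname ciscoswitch
!
interface GigabitEthernet1/10
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/11
 switchport access vlan 20
!
interface GigabitEthernet1/12
 switchport mode dynamic desirable
!
interface GigabitEthernet1/20
 switchport mode trunk
!
interface GigabitEthernet1/21
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet1/22
 switchport mode trunk
 switchport trunk native vlan 20
!
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
    return interfaces


def audit(config):
    """Return {interface: [finding, ...]} for ports exposed to VLAN hopping."""
    findings = {}
    trunks = {}           # trunk name -> native VLAN (IOS default is VLAN 1)
    access_vlans = set()  # VLANs that carry end-user access ports

    for name, lines in parse_interfaces(config).items():
        mode, native = None, 1
        for line in lines:
            if (m := re.match(r"switchport mode (.+)", line)):
                mode = m.group(1)
            elif (m := re.match(r"switchport access vlan (\d+)", line)):
                access_vlans.add(int(m.group(1)))
            elif (m := re.match(r"switchport trunk native vlan (\d+)", line)):
                native = int(m.group(1))
        nonegotiate = "switchport nonegotiate" in lines

        if mode == "trunk":
            trunks[name] = native
            if not nonegotiate:
                findings.setdefault(name, []).append(
                    "trunk still sends DTP frames; add 'switchport nonegotiate'")
        elif mode != "access" and not nonegotiate:
            # No explicit mode means the IOS dynamic default: the port will
            # negotiate a trunk with whatever device is plugged into it.
            findings.setdefault(name, []).append(
                f"DTP negotiation enabled (mode {mode or 'default dynamic'}); "
                "set 'switchport mode access' or 'switchport nonegotiate'")

    # Double-tagging exposure: native-VLAN frames leave the trunk untagged,
    # so the native VLAN must be dedicated and hold no access ports.
    for name, native in trunks.items():
        if native == 1:
            findings.setdefault(name, []).append(
                "native VLAN is the default VLAN 1; move it to a dedicated unused VLAN")
        elif native in access_vlans:
            findings.setdefault(name, []).append(
                f"native VLAN {native} is also an access VLAN; use an isolated VLAN instead")
    return findings


if __name__ == "__main__":
    for port, issues in sorted(audit(SAMPLE_CONFIG).items()):
        for issue in issues:
            print(f"{port}: {issue}")
```

Run against the sample, only GigabitEthernet1/10 (explicit access port with nonegotiate) and GigabitEthernet1/21 (trunk with a dedicated native VLAN and nonegotiate) come back clean; the port with no mode at all is flagged because the IOS default still negotiates trunking. To use it on a real switch, replace SAMPLE_CONFIG with the text of "show running-config".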
