A malicious user can easily gain access to data on another VLAN to which he is not authorised to access using VLAN hopping. A VLAN Hoping attack can be launched by using a Switch Spoofing or Double Tagging of 802.1q trunking protocol. To have a quick insight into VLAN Hopping, click here.
You can prevent VLAN Hopping in Cisco Switches as follows:
1. Prevent VLAN Hopping attacks using Switch Spoofing
In this form of VLAN Hopping attack, the simplest solution would be to disable "Dynamic Trunking Protocol (DTP)" on all untrusted ports, mostly imporantly on the access switches where end users connect their devices and gain access to network.
This can be done by
ciscoswitch# conf t
ciscoswitc(config)# int gi1/10
ciscoswitch(config-if)# switchport nonegotiate
In the above, the "switchport nonegotiate" command on interface "gi1/10" disable the DTP. So, the switchport will not negotiate trunking on the link.
An even more better option would be to explicitly coonfigure the port as a access port by which eliminates any fears of trunking on the port (assuming you are aware of the fact that there isn't going to be a need for that port to act as a trunking port)
ciscoswitch(config-if)# switchport mode access
This disables trunking and DTP on the port and marks it as an access port only.
2. Prevent VLAN Hopping attacks using Double Encapsulation (Double Tagging)
Use a isolated VLAN as a native VLAN for the trunks which is used for tunnel traffic only and not for any other traffic as the trunk port strips the VLAN tag and passes it as untagged traffic.
If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!
Non-negotiate prevents negotiation of a trunk (Duh!) – The surprise gotcha is that’s because it accepts tagged frames by default – It’s most often seen on uplinks to VMware hosts where fast recovery is needed/ desired.
It’s also sometimes seen on access switches being used with VoIP phones that struggle to successfully negotiate their Voice VLAN…
Switchport mode access appears to be more “Assertive”, but as mentioned above, it also accepts framed packets if there’s a voice VLAN configured. See “CDP Attacks” for info on how that can make life miserable.
In either case – Pro tip, it’s always a good idea to manually limit the VLANs permitted on a given Truck – And if you haven’t recently go and check your switches for mistakes or the results of someone getting around you without you noticing.*