Mitigating VLAN attacks
There are 3 ways a VLAN hopping attack can be executed:

| Method | Description |
|---|---|
| Method 1 | An attacker can spoof DTP messages from the attacking host to make the switch enter trunking mode. The attacker can then send traffic tagged with the target VLAN ID, making the switch deliver the packets to the destination. |
| Method 2 | A rogue switch may be introduced with trunking mode enabled. The attacker will be able to access all the VLANs on the victim switch from the rogue switch. |
| Method 3 | An attacker may also use the double-tagging (also known as double-encapsulated) method. Such an attack takes advantage of the way the hardware on a switch operates. |
Luckily, there are preventive measures that can be applied to mitigate VLAN hopping attacks in 5 simple steps:

| Step | Preventive measure |
|---|---|
| Step 1 | Disabling DTP (auto trunking) negotiations on non-trunking interfaces |
| Step 2 | Administratively disabling unused ports/interfaces and placing them in an unused VLAN |
| Step 3 | Manually enabling the trunk link on a trunking port |
| Step 4 | Disabling DTP (auto trunking) negotiations on trunking ports |
| Step 5 | Configuring the native VLAN to be a VLAN other than the default VLAN 1 |
Disabling DTP (auto trunking) negotiations on non-trunking interfaces

S1(config)# interface range [interfaces]
S1(config-if-range)# switchport mode access

Administratively disabling unused ports/interfaces and placing them in an unused VLAN

S1(config)# interface range [interfaces]
S1(config-if-range)# switchport access vlan [vlan]
S1(config-if-range)# shutdown

Manually enabling the trunk link on a trunking port

S1(config)# interface range [interfaces]
S1(config-if-range)# switchport mode trunk

Disabling DTP (auto trunking) negotiations on trunking ports

S1(config-if-range)# switchport nonegotiate

Configuring the native VLAN to be a VLAN other than the default VLAN 1

S1(config-if-range)# switchport trunk native vlan [native vlan]
S1(config-if-range)# exit
S1(config)# exit
Complete configuration example of the VLAN mitigation preventive measures

S1> enable
S1# configure terminal
S1(config)#
S1(config)# interface range fa0/3 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 2500
S1(config-if-range)# shutdown
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/1 - 2
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 100
S1(config-if-range)# exit
S1(config)# exit
S1#
– FastEthernet ports 0/3 to 0/20 are configured as access ports, so DTP trunking negotiation is immediately disabled on them.
– FastEthernet ports 0/21 to 0/24 are unused ports, so they have been assigned to an unused VLAN (2500 in this case) and also administratively shut down.
– FastEthernet ports 0/1 to 0/2 are trunk links: they were manually enabled as trunks and DTP has been disabled on those interfaces.
– Finally, notice how the native VLAN was changed from the default VLAN 1 to a different ID (100).
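To verify that the five steps actually landed in a switch's configuration, here is an added Python example (not part of the original page) that parses a constructed `show running-config` fragment and reports every interface still missing one of the mitigations; the sample configuration and the function names are assumptions, and a port with no `switchport mode` line is treated as still negotiating DTP.

```python
# Constructed sample fragment of a Cisco IOS "show running-config"; not from a real device.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 100
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/4
 switchport mode dynamic desirable
!
interface FastEthernet0/21
 switchport mode access
 switchport access vlan 2500
 shutdown
!
interface FastEthernet0/22
 shutdown
"""

def parse_interfaces(config):  # map each 'interface <name>' stanza to its indented sub-commands
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line closes the stanza
    return interfaces

def audit_vlan_hardening(config):  # return (interface, finding) pairs for the five mitigations
    findings = []
    for name, lines in parse_interfaces(config).items():
        cmds = set(lines)
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if "shutdown" in cmds:  # Step 2: a shut port must also sit in an unused access VLAN
            if mode != "access" or not any(l.startswith("switchport access vlan ") for l in lines):
                findings.append((name, "shut port not placed in an unused access VLAN"))
            continue
        if mode is None or mode == "dynamic":  # Steps 1/3: no static mode means DTP still negotiates
            findings.append((name, "DTP negotiation still enabled (no static access/trunk mode)"))
        elif mode == "trunk":
            if "switchport nonegotiate" not in cmds:  # Step 4
                findings.append((name, "trunk still negotiates DTP (missing 'switchport nonegotiate')"))
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":  # Step 5: no explicit native VLAN means the default VLAN 1
                findings.append((name, "native VLAN left at default VLAN 1"))
    return findings
```

Running `audit_vlan_hardening(SAMPLE_CONFIG)` flags Fa0/2 (twice), Fa0/4 and Fa0/22, while the fully hardened Fa0/1 and the properly parked Fa0/21 produce no findings.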