Mitigate VLAN Hopping Attacks


This article explains how to mitigate VLAN hopping attacks on a Cisco switch. The previous article covered GRE over IPsec.

Steps to Mitigate VLAN Hopping Attacks

Use the following steps to mitigate VLAN hopping attacks:

Step 1: Disable DTP (auto trunking) negotiation on non-trunking ports by using the switchport mode access interface configuration command. A port left in its default dynamic mode will negotiate a trunk with any device that sends DTP frames, including an attacker's host.

Step 2: Disable unused ports and put them in an unused VLAN.

Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.

Step 4: Disable DTP (auto trunking) negotiation on trunking ports by using the switchport nonegotiate command, so the trunk never falls back to negotiation.

Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command. Choose a VLAN that is assigned to no access port, so that no host sits in the native VLAN from which a double-tagged frame could be sent, and configure the same native VLAN on both ends of each trunk.

For example, assume the following:

  • FastEthernet ports 0/1 through 0/16 are active access ports
  • FastEthernet ports 0/17 through 0/20 are not currently in use
  • FastEthernet ports 0/21 through 0/24 are trunk ports.

VLAN hopping can be mitigated by implementing the following configuration.

S1(config)# interface range fa0/1 - 16
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)# 
S1(config)# interface range fa0/17 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# shutdown
S1(config-if-range)# exit
S1(config)# 
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 999
S1(config-if-range)# end
S1#
  • FastEthernet ports 0/1 to 0/16 are access ports and therefore trunking is disabled by explicitly making them access ports.
  • FastEthernet ports 0/17 to 0/20 are unused ports and are disabled and assigned to an unused VLAN.
  • FastEthernet ports 0/21 to 0/24 are trunk links and are manually enabled as trunks with DTP disabled. The native VLAN is also changed from the default VLAN 1 to an unused VLAN 999.
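The five steps above can also be checked mechanically against a saved running-config. The following Python script is an added example, not part of the original article and not Cisco tooling: it parses the interface stanzas out of a show running-config dump, takes an operator-supplied map of each port's intended role (access, unused or trunk), and reports every port that deviates from the steps. The two embedded configs are constructed for the example, one with the weak default settings and one with the hardened settings shown above; the role map, function names and finding texts are this example's own assumptions.

```python
# Audit a Cisco IOS running-config against the five VLAN hopping steps above.
# Added example; role map, sample configs and message texts are assumptions.
from collections import OrderedDict

# Constructed sample with the defaults an attacker hopes for. Fa0/17 has no
# switchport commands at all, which on a Catalyst leaves DTP active.
WEAK_CONFIG = """
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/17
!
interface FastEthernet0/21
 switchport mode trunk
!
"""

# Constructed sample: the same three ports after the article's configuration.
HARDENED_CONFIG = """
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 1000
 switchport mode access
 shutdown
!
interface FastEthernet0/21
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
"""

# Intended role of each port; in practice the operator supplies this (assumption).
ROLES = {"FastEthernet0/1": "access", "FastEthernet0/17": "unused",
         "FastEthernet0/21": "trunk"}


def parse_interfaces(config_text):
    """Return {interface: [sub-commands]}; a stanza ends at the first unindented line."""
    interfaces = OrderedDict()
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command closes the stanza
    return interfaces


def _value_after(lines, prefix, default):
    """First token after prefix in the first matching sub-command, else default."""
    for line in lines:
        if line.startswith(prefix):
            rest = line[len(prefix):].split()
            return rest[0] if rest else default
    return default


def audit_vlan_hopping(config_text, roles):
    """Return [(interface, finding), ...]; a port with no stanza counts as DTP dynamic."""
    interfaces = parse_interfaces(config_text)
    findings = []
    for name, role in roles.items():
        lines = interfaces.get(name, [])
        mode = _value_after(lines, "switchport mode ", "dynamic")
        access_vlan = _value_after(lines, "switchport access vlan ", "1")
        native_vlan = _value_after(lines, "switchport trunk native vlan ", "1")
        if role in ("access", "unused") and mode != "access":
            findings.append((name, f"mode is {mode}; set 'switchport mode access'"))
        if role == "unused":
            if "shutdown" not in lines:
                findings.append((name, "unused port is not shut down"))
            if access_vlan == "1":
                findings.append((name, "unused port sits in VLAN 1; move it to a parking VLAN"))
        if role == "trunk":
            if mode != "trunk":
                findings.append((name, f"mode is {mode}; set 'switchport mode trunk'"))
            if "switchport nonegotiate" not in lines:
                findings.append((name, "DTP still on; add 'switchport nonegotiate'"))
            if native_vlan == "1":
                findings.append((name, "native VLAN is 1; set an unused native VLAN"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config: {len(audit_vlan_hopping(cfg, ROLES))} finding(s)")
        for iface, finding in audit_vlan_hopping(cfg, ROLES):
            print(f"  {iface}: {finding}")
```

Run it against the text of show running-config. A port that appears in the role map but has no switchport commands in its stanza is reported as well, because a Catalyst port with no switchport mode command stays in its default DTP dynamic mode and will accept a trunk negotiation. To spot-check a single port on the switch itself, show interfaces fa0/21 switchport prints the administrative mode, whether trunk negotiation is on, and the native VLAN.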

Mitigate VLAN hopping attacks on the switch based on the specified requirements.

You are currently logged into S1. The status of the ports is as follows:

  • FastEthernet ports 0/1 through 0/4 are used for trunking with other switches.
  • FastEthernet ports 0/5 through 0/10 are unused.
  • FastEthernet ports 0/11 through 0/24 are active ports currently in use.

Use range fa0/1 - 4 to enter interface configuration mode for the trunks.

S1(config)# interface range fa0/1 - 4

Configure the interfaces as nonnegotiating trunks with native VLAN 99.

S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 99

S1(config-if-range)# exit

Use range fa0/5 - 10 to enter interface configuration mode for the unused ports.

S1(config)# interface range fa0/5 - 10

Configure the unused ports as access ports, assign them to VLAN 86, and shut the ports down.

S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 86

% Access VLAN does not exist. Creating vlan 86

S1(config-if-range)# shutdown

*Mar  1 00:28:48.883: %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
*Mar  1 00:28:48.900: %LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down
*Mar  1 00:28:48.908: %LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down
*Mar  1 00:28:48.917: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
*Mar  1 00:28:48.942: %LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down
*Mar  1 00:28:48.950: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
*Mar  1 00:28:49.890: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
*Mar  1 00:28:49.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to down
S1(config-if-range)# exit

Use range fa0/11 - 24 to enter interface configuration mode for the active ports and then configure them to prevent trunking.

S1(config)# interface range fa0/11 - 24
S1(config-if-range)# switchport mode access

S1(config-if-range)# end
S1#
You have successfully mitigated VLAN hopping attacks on this switch.
