Mitigate VLAN hopping attack – Get rid of Layer 2 attacks

In this article we will mitigate VLAN hopping by switch spoofing by disabling trunking on every port that does not need to become a trunk port. Many Cisco Catalyst switch ports default to a dynamic trunking mode (dynamic auto on most current platforms, dynamic desirable on some older ones). In that mode a port becomes a trunk as soon as the device on the other end sends Dynamic Trunking Protocol (DTP) frames asking for a trunk. This is a serious security problem: an attacker plugged into such a port can send DTP frames himself, turn his port into a trunk, and then perform VLAN hopping. Once the port is a trunk he can send and receive tagged frames for every VLAN allowed on that trunk, without any traffic ever passing through a router.

Prevent switch spoofing

To make switch spoofing impossible, disable trunking on every port that does not need to form a trunk, and disable DTP on the ports that do need to be trunks so that their trunk state is configured statically instead of negotiated.

Disabling Trunking (the port becomes a permanent access port and ignores any DTP request to form a trunk):

Switch1(config)# interface gigabitethernet 0/3
Switch1(config-if)# switchport mode access
Switch1(config-if)# exit

Preventing the Use of DTP

Switch1(config)# interface gigabitethernet 0/4
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport nonegotiate

The port is now a static trunk: it trunks unconditionally and no longer sends or accepts DTP frames, so nothing on the other end of the link can negotiate its state. The switchport trunk encapsulation dot1q line is only needed on platforms that also support ISL; on switches that trunk with 802.1Q exclusively the command is not available and is simply skipped. switchport nonegotiate is also accepted on ports in access mode, where it stops the port from generating DTP frames at all.

Prevent double tagging

A double-tagging attack only works when the attacker's access port is in the same VLAN as the native VLAN of a trunk. The attacker sends a frame carrying two 802.1Q tags; the first switch strips the outer tag, because it matches the native VLAN, and forwards the frame untagged across the trunk; the next switch reads the remaining inner tag and delivers the frame into the victim VLAN. To help prevent this, never use the native VLAN to carry user traffic. Create a VLAN that has no ports assigned to it and use it only as the native VLAN on every trunk. The configuration below sets the native VLAN of a Cisco trunk port to such an unused VLAN.

Switch1(config)# interface gigabitethernet 0/4
Switch1(config-if)# switchport trunk native vlan 400

Set the same native VLAN on both ends of every trunk; a native VLAN mismatch is reported by CDP and effectively bridges the two mismatched VLANs together. On platforms that support it, the global command vlan dot1q tag native additionally makes the switch tag native VLAN frames on all trunks, so a frame whose outer tag has been stripped is never forwarded untagged.
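As an added example (not part of the original article), the following Python script audits both mitigations described above at once: it parses the interface stanzas of a show running-config dump and flags ports that DTP could still turn into a trunk, switched ports without switchport nonegotiate, and trunks whose native VLAN is the default 1 or is also in use as an access VLAN. The sample configuration and the wording of the findings are this example's own, not IOS output; to check a real switch, pass the saved text of show running-config instead of SAMPLE_CONFIG.

```python
"""Audit a Cisco IOS running-config for VLAN hopping exposure.

Added example for this article, not code from the original page. It reads
the interface stanzas of a "show running-config" dump and reports ports still
open to switch spoofing (DTP negotiable) or double tagging (native VLAN in
use). SAMPLE_CONFIG is constructed; finding texts are this script's wording.
"""
import re

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 400
!
interface GigabitEthernet0/5
 switchport mode trunk
!
interface GigabitEthernet0/6
 switchport mode trunk
 switchport trunk native vlan 10
 switchport nonegotiate
!
"""

_IFACE_RE = re.compile(r"^interface (\S+)$")


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} for every interface stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = _IFACE_RE.match(line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line closes the stanza
    return interfaces


def switchport_mode(lines):
    """Effective mode: access, trunk, dynamic, routed, or default (nothing set)."""
    if "no switchport" in lines:
        return "routed"
    for line in lines:
        if line == "switchport mode access":
            return "access"
        if line == "switchport mode trunk":
            return "trunk"
        if line.startswith("switchport mode dynamic"):
            return "dynamic"
    return "default"


def vlan_after(lines, prefix, default=1):
    """VLAN number following prefix (e.g. 'switchport trunk native vlan'); IOS default is 1."""
    for line in lines:
        match = re.match(re.escape(prefix) + r" (\d+)$", line)
        if match:
            return int(match.group(1))
    return default


def audit(config_text):
    """Return a sorted list of (interface, finding) tuples."""
    ports = {n: l for n, l in parse_interfaces(config_text).items()
             if switchport_mode(l) != "routed"}
    # VLANs carrying user traffic: the access VLAN of every port that is not a
    # static trunk, including ports that are merely not trunking yet.
    user_vlans = {vlan_after(l, "switchport access vlan") for l in ports.values()
                  if switchport_mode(l) in ("access", "default")}
    findings = []
    for name, lines in ports.items():
        mode = switchport_mode(lines)
        if mode == "default":
            findings.append((name, "no 'switchport mode': platform default is DTP-negotiable"))
            continue
        if mode == "dynamic":
            findings.append((name, "dynamic mode: DTP frames can make this port a trunk"))
            continue
        if "switchport nonegotiate" not in lines:
            findings.append((name, "missing 'switchport nonegotiate'"))
        if mode == "trunk":
            native = vlan_after(lines, "switchport trunk native vlan")
            if native == 1:
                findings.append((name, "native VLAN is the default 1"))
            elif native in user_vlans:
                findings.append((name, f"native VLAN {native} also carries user traffic (double tagging)"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(f"{port}: {finding}")
```

Two choices in the script are deliberate: a port with no switchport mode line is treated as negotiable, because the Catalyst default is dynamic auto (or dynamic desirable on older platforms), and a trunk with no native vlan line is treated as native VLAN 1, which is what IOS uses when nothing is configured. The script does not check VTP or the allowed-VLAN list on trunks; add those checks if your environment relies on them.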
