Protecting Against STP Layer 2 Attack
There are two main protection mechanisms against attacks on the STP process: Protecting with Root Guard and Layer 2 Protecting with BPDU Guard. Let’s see how they work…
Redundant links are always welcome in a switch topology, as they increase the network’s availability and robustness.
Redundant links, looked at from a Layer 2 perspective, can cause Layer 2 loops. This is simply because the TTL (Time To Live) field is found in the Layer 3 header, and Layer 2 has no such field.
At Layer 3 the TTL is decremented only when the packet passes through a router. There is no way to “kill” a frame that is stuck in a Layer 2 loop, and this situation can result in broadcast storms.
Fortunately, Spanning Tree Protocol (STP) allows you to have redundant links while keeping a loop-free topology, thus preventing the potential for a broadcast storm.
In this article we will mitigate VLAN hopping by switch spoofing by disabling trunking on the ports that do not need to become trunk ports. Some Cisco switch ports default to auto mode for trunking. That means a port automatically becomes a trunk port if it receives Dynamic Trunking Protocol (DTP) frames.
A VLAN hopping attack is possible via two different approaches: switch spoofing or double tagging.
When you are in a situation where you need to configure and secure VLAN trunks, also consider the potential for an exploit called VLAN hopping.
An attacker can craft and send frames on one access VLAN with spoofed 802.1Q tags so that the packets end up on a totally different VLAN, all without the use of a router.
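As an added example (not configuration from the original article), here is Cisco IOS configuration that shows the weak DTP default beside the hardened setting, together with the BPDU Guard and Root Guard protections mentioned above; interface names and VLAN numbers are assumptions.

```cisco
! --- Weak: port left in DTP auto mode; it becomes a trunk if a DTP frame arrives ---
interface GigabitEthernet1/0/10
 switchport mode dynamic auto
!
! --- Hardened access port: no DTP negotiation, never a trunk, BPDU Guard enabled ---
interface GigabitEthernet1/0/10
 description end-user access port (assumed name)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Trunk to another switch: static trunk, no DTP, unused native VLAN (limits double tagging) ---
interface GigabitEthernet1/0/24
 description uplink trunk (assumed name)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! --- Root Guard only on designated ports facing switches that must never become root ---
! (do not put it on the port that leads toward the legitimate root bridge)
interface GigabitEthernet1/0/23
 description downstream access switch (assumed name)
 spanning-tree guard root
!
! Apply BPDU Guard globally to every PortFast-enabled edge port
spanning-tree portfast bpduguard default
!
! Verification: expect "Negotiation of Trunking: Off" and "Operational Mode: static access"
show interfaces GigabitEthernet1/0/10 switchport
! A port shut down by BPDU Guard appears as err-disabled; Root Guard blocks show as root-inconsistent
show interfaces status err-disabled
show spanning-tree inconsistentports
```

BPDU Guard leaves a violating port in err-disabled state until it is manually bounced, unless `errdisable recovery cause bpduguard` is configured.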
The Address Resolution Protocol (ARP) cache is a table in which a router or computer keeps the Layer 2 MAC address to Layer 3 IP address mappings it has resolved recently. Without a MAC-to-IP mapping the device would not be able to build and send IP packets.
A device discovers a MAC-to-IP mapping using ARP broadcast requests on the local subnet and saves the mapping in its ARP cache. If a device wants to send a packet to a neighbour and doesn’t have the corresponding MAC address, it sends out a broadcast ARP request packet. This broadcast packet reaches every device on the local subnet. Everybody receives the ARP request packet, but only the one device with the IP address named in the ARP request responds with an ARP reply packet, completing the process.