Category: Networking

CDP – Cisco Discovery Protocol is a powerful network monitoring and troubleshooting tool for Cisco devices. CDP is a tool used by network administrators to see information about directly connected Cisco devices. CDP is a tool that enables you to access a summary of protocol and see information about Cisco devices that are connected. Each Cisco device sends periodic messages. These are known as CDP advertisements. Cisco device is sending them to other directly connected Cisco devices. These advertisements contain information about the types of devices that are connected, IP configuration of devices on other side, interfaces they are connected to, the interfaces used to make the connections, and the model numbers of the devices.

There are two main protection mechanism against attack on STP process, Protecting with Root Guard and Layer 2 Protecting with BPDU Guard. Let’s see how is that working…

Redundant links are always welcome in switch topology as they are increasing the network’s availability and robustness.

Redundant links, if we look at them from layer 2 perspective, can cause Layer 2 loops. This is simply because TTL (Time To Live) field of the packet is found in Layer 3 header and L2 doesn’t have such a field.

On L3, this means that TTL number will be diminished only when the packet is passing through the router. There is no way to “kill” a packet that is stuck in layer 2 loop. This situation can result in broadcast storms.

Fortunately, Spanning Tree Protocol (STP) can allow you to have redundant links while having a loop-free topology, thus preventing the potential for a broadcast storm.

In this article we will mitigate VLAN hopping by switch spoofing in the way that we will disable trunking on the ports who do not have to become trunk ports. Some Cisco switches ports default to auto mode for trunking. That means that the ports automatically become trunk ports if they receive Dynamic Trunking Protocol (DTP) frames on some of the switch ports.

VLAN hopping attack can be possible by two different approaches, Switch Spoofing or Double tagging.

When you are in a situation where you need to configure and set up the security of VLAN trunks, also consider the potential for an exploit called VLAN hopping.

An attacker can craft and send positioned frames on one access VLAN with spoofed 802.1Q tags so that the packet end up on a totally different VLAN and all this without the use of a router.