Mitigate VLAN Attacks
Summary
This topic explain how to configure DTP and native VLAN to mitigate VLAN attacks. Start learning CCNA 200-301 for free right now!!
Table of Contents
VLAN Attacks Review
As a quick review, a VLAN hopping attack can be launched in one of three ways:
- Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
- Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch.
- Another type of VLAN hopping attack is a double-tagging (or double-encapsulated) attack. This attack takes advantage of the way hardware on most switches operate.
Steps to Mitigate VLAN Hopping Attacks
Use the following steps to mitigate VLAN hopping attacks:
Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.
Step 2: Disable unused ports and put them in an unused VLAN.
Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.
Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.
For example, assume the following:
- FastEthernet ports 0/1 through fa0/16 are active access ports
- FastEthernet ports 0/17 through 0/24 are not currently in use
- FastEthernet ports 0/21 through 0/24 are trunk ports.
VLAN hopping can be mitigated by implementing the following configuration.
S1(config)# interface range fa0/1 - 16 S1(config-if-range)# switchport mode access S1(config-if-range)# exit S1(config)# S1(config)# interface range fa0/17 - 20 S1(config-if-range)# switchport mode access S1(config-if-range)# switchport access vlan 1000 S1(config-if-range)# exit S1(config)# S1(config)# interface range fa0/21 - 24 S1(config-if-range)# switchport mode trunk S1(config-if-range)# switchport nonegotiate S1(config-if-range)# switchport trunk native vlan 999 S1(config-if-range)# end S1#
- FastEthernet ports 0/1 to 0/16 are access ports and therefore trunking is disabled by explicitly making them access ports.
- FastEthernet ports 0/17 to 0/20 are unused ports and are disabled and assigned to an unused VLAN.
- FastEthernet ports 0/21 to 0/24 are trunk links and are manually enabled as trunks with DTP disabled. The native VLAN is also changed from the default VLAN 1 to an unused VLAN 999.
Syntax Checker – Mitigate VLAN Hopping Attacks
You are currently logged into S1. The ports status of the ports are as follows:
- FastEthernet ports 0/1 through 0/4 are used for trunking with other switches.
- FastEthernet ports 0/5 through 0/10 are unused.
- FastEthernet ports 0/11 through 0/24 are active ports currently in use.
Use range fa0/1 – 4 to enter interface configuration mode for the trunks.
S1(config)#interface range fa0/1 - 0/4
Configure the interfaces as nonnegotiating trunks assigned to default VLAN 99.
S1(config-if-range)#switchport mode trunk S1(config-if-range)#switchport nonegotiate S1(config-if-range)#switchport trunk native vlan 99 S1(config-if-range)# exit
Use range fa0/5 – 10 to enter interface configuration mode for the trunks.
S1(config)#interface range fa0/5 - 10
Configure the unused ports as access ports, assign them to VLAN 86, and shutdown the ports.
S1(config-if-range)#switchport mode access S1(config-if-range)#switchport access vlan 86 % Access VLAN does not exist. Creating vlan 86 S1(config-if-range)#shutdown \*Mar 1 00:28:48.883: %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down \*Mar 1 00:28:48.900: %LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down \*Mar 1 00:28:48.908: %LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down \*Mar 1 00:28:48.917: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down \*Mar 1 00:28:48.942: %LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down \*Mar 1 00:28:48.950: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down \*Mar 1 00:28:49.890: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down \*Mar 1 00:28:49.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to down S1(config-if-range)# exit
Use range fa0/11 – 24 to enter interface configuration mode for the active ports and then configure them to prevent trunking.
S1(config)#interface range fa0/11 - 24 S1(config-if-range)#switchport mode access S1(config-if-range)# end S1#
You have successfully mitigated VLAN hopping attacks on this switch.
Ready to go! Keep visiting our networking course blog, give Like to our fanpage; and you will find more tools and concepts that will make you a networking professional.