Mitigate VLAN Attacks CCNA

Summary

This topic explains how to configure DTP and the native VLAN to mitigate VLAN attacks. Start learning CCNA 200-301 for free right now!

Note: This topic is part of Module 11 of the Cisco CCNA 2 course. To follow the course in order, see the CCNA 2 section.

VLAN Attacks Review

As a quick review, a VLAN hopping attack can be launched in one of three ways:

  • Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
  • Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch.
  • Launching a double-tagging (or double-encapsulated) attack. This attack takes advantage of the way the hardware on most switches operates.

Steps to Mitigate VLAN Hopping Attacks

Use the following steps to mitigate VLAN hopping attacks:

Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.

Step 2: Disable unused ports and put them in an unused VLAN.

Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.

Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.

Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.

For example, assume the following:

  • FastEthernet ports 0/1 through 0/16 are active access ports
  • FastEthernet ports 0/17 through 0/20 are not currently in use
  • FastEthernet ports 0/21 through 0/24 are trunk ports.

VLAN hopping can be mitigated by implementing the following configuration.

S1(config)# interface range fa0/1 - 16
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)# 
S1(config)# interface range fa0/17 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# exit
S1(config)# 
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate 
S1(config-if-range)# switchport trunk native vlan 999
S1(config-if-range)# end
S1#

  • FastEthernet ports 0/1 to 0/16 are access ports, and trunking is disabled by explicitly making them access ports.
  • FastEthernet ports 0/17 to 0/20 are unused ports and are disabled and assigned to an unused VLAN.
  • FastEthernet ports 0/21 to 0/24 are trunk links and are manually enabled as trunks with DTP disabled. The native VLAN is also changed from the default VLAN 1 to an unused VLAN 999.
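The five steps above can also be checked after the fact. The following Python script is an added example, not part of the Cisco course material: it parses a constructed show running-config excerpt (the interface names and VLAN numbers are made up) and reports, per port, which mitigation step is missing. Which ports count as unused is passed in by the caller, because the configuration alone does not record that.

```python
# Constructed "show running-config" excerpt (not from the page): Fa0/2 and Fa0/3
# follow the steps; Fa0/5 trunks with DTP on and native VLAN 1; Fa0/6 is unused.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1000
 shutdown
!
interface FastEthernet0/3
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
!
interface FastEthernet0/5
 switchport mode trunk
!
interface FastEthernet0/6
!
"""

def parse_interfaces(config):
    # Map each 'interface X' stanza to the list of its indented commands.
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def audit_port(cmds, is_unused):
    """Return one finding per mitigation step the port violates."""
    findings = []
    native = [c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan ")]
    access = [c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")]
    if "switchport mode trunk" in cmds:
        if "switchport nonegotiate" not in cmds:
            findings.append("step 4: trunk still negotiates DTP")
        if native[:1] in ([], ["1"]):   # no command means the IOS default, VLAN 1
            findings.append("step 5: native VLAN is 1")
    elif "switchport mode access" not in cmds:
        findings.append("step 1: no explicit access mode, DTP auto-negotiation left on")
    if is_unused and ("shutdown" not in cmds or access[:1] in ([], ["1"])):
        findings.append("step 2: unused port not shut down in an unused VLAN")
    return findings

def audit_config(config, unused=()):
    # 'unused' names the idle ports, which the config alone cannot tell apart.
    return {n: audit_port(c, n in unused) for n, c in parse_interfaces(config).items()}
```

Run against the S1 configuration above, this check would report fa0/17 - 20 under step 2, because those ports are moved to VLAN 1000 but never shut down.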

Syntax Checker – Mitigate VLAN Hopping Attacks

You are currently logged into S1. The status of the ports is as follows:

  • FastEthernet ports 0/1 through 0/4 are used for trunking with other switches.
  • FastEthernet ports 0/5 through 0/10 are unused.
  • FastEthernet ports 0/11 through 0/24 are active ports currently in use.

Use range fa0/1 – 4 to enter interface configuration mode for the trunks.

S1(config)#interface range fa0/1 - 4

Configure the interfaces as nonnegotiating trunks with the native VLAN set to VLAN 99.

S1(config-if-range)#switchport mode trunk
S1(config-if-range)#switchport nonegotiate
S1(config-if-range)#switchport trunk native vlan 99
S1(config-if-range)# exit

Use range fa0/5 – 10 to enter interface configuration mode for the unused ports.

S1(config)#interface range fa0/5 - 10

Configure the unused ports as access ports, assign them to VLAN 86, and shut down the ports.

S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 86
% Access VLAN does not exist. Creating vlan 86
S1(config-if-range)#shutdown
*Mar 1 00:28:48.883: %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
*Mar 1 00:28:48.900: %LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down
*Mar 1 00:28:48.908: %LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down
*Mar 1 00:28:48.917: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
*Mar 1 00:28:48.942: %LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down
*Mar 1 00:28:48.950: %LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
*Mar 1 00:28:49.890: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
*Mar 1 00:28:49.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to down
S1(config-if-range)# exit

Use range fa0/11 – 24 to enter interface configuration mode for the active ports and then configure them to prevent trunking.

S1(config)#interface range fa0/11 - 24
S1(config-if-range)#switchport mode access
S1(config-if-range)# end
S1#

You have successfully mitigated VLAN hopping attacks on this switch.
