VLAN hopping mitigation

Apr 29th, 2007

Hi

With reference to the Safe document link below, in VLAN hopping/Network Attack Mitigation section, it refers to 'use dedicated VLAN IDs for all trunk ports'.

http://www.cisco.com/en/US/customer/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp1002270

We are already setting the Native VLAN to 10. Is that what this document is referring to, or does it mean something else?

If something else, links to documentation on this would be great.

thanks

Peter

Jon Marshall Sun, 04/29/2007 - 22:53

Hi Peter

I suspect that is what it means, yes.

We use a non-routable vlan for our native vlan in our data centres. This vlan should never have any physical ports assigned to it.

You are still open to some attacks though. 802.1Q needs the concept of a native VLAN for compatibility, so if you can't clear it off the trunks the next best thing is to do as above, i.e. a non-routable, unused VLAN.

Attached is a link to VLAN security by Cisco which covers this in more detail.

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39211

HTH

Jon
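As an added illustration (not part of either post above, nor taken from the Cisco documents they link), the following Python model shows the 802.1Q double-tagging case that the dedicated-native-VLAN advice guards against. It builds frames with stacked 802.1Q tags and pushes them through two modelled switches joined by a trunk. The switch behaviour it assumes (an access port accepting a frame tagged with its own VLAN, a trunk sending native-VLAN frames untagged, and an optional "tag the native VLAN" mode) and the VLAN numbers 20 and 999 are assumptions of the model; only VLAN 10 comes from the thread.

```python
"""Constructed model of 802.1Q double-tagging across a trunk, added to illustrate
why the trunk native VLAN should be a dedicated, unused VLAN. Not from the thread."""
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlan_tags, payload=b"constructed payload"):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    frame = dst + src
    for vid in vlan_tags:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left zero
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_outer_tag(frame):
    """Return (vid, frame_without_that_tag) if an 802.1Q tag follows the MACs,
    else (None, frame)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


class Switch:
    """Minimal 802.1Q switch: one access port and one trunk (modelling assumption)."""

    def __init__(self, native_vlan, tag_native=False):
        self.native = native_vlan
        self.tag_native = tag_native   # models a 'tag the native VLAN' setting

    def ingress_access(self, frame, access_vlan):
        """Classify a frame received on an access port.
        Assumption: an untagged frame, or one tagged with the access VLAN itself,
        is accepted; a frame tagged with any other VLAN is dropped."""
        vid, inner = parse_outer_tag(frame)
        if vid is None:
            return access_vlan, frame
        if vid == access_vlan:
            return access_vlan, inner      # outer tag consumed here
        return None, None

    def egress_trunk(self, vlan, frame):
        """Put a classified frame on the trunk: tagged, unless it belongs to the
        native VLAN and native tagging is off (then it goes out untagged)."""
        if vlan == self.native and not self.tag_native:
            return frame
        return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]

    def ingress_trunk(self, frame):
        """Classify a frame received on the trunk: tag -> that VLAN, no tag -> native."""
        vid, inner = parse_outer_tag(frame)
        return (self.native, frame) if vid is None else (vid, inner)


def simulate(attacker_vlan, native_vlan, target_vlan, tag_native=False):
    """Attacker on an access port in attacker_vlan sends a [attacker_vlan][target_vlan]
    double-tagged frame; return the VLAN the far-side switch delivers it into
    (None if the first switch drops it)."""
    sw1 = Switch(native_vlan, tag_native)
    sw2 = Switch(native_vlan, tag_native)
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",   # constructed MACs
                        [attacker_vlan, target_vlan])
    vlan, f = sw1.ingress_access(frame, attacker_vlan)
    if vlan is None:
        return None
    wire = sw1.egress_trunk(vlan, f)
    delivered, _ = sw2.ingress_trunk(wire)
    return delivered


if __name__ == "__main__":
    # Weak: access VLAN 10 is also the trunk native VLAN, so the outer tag is
    # stripped on the trunk and the far switch reads the inner tag (VLAN 20).
    print("native=10, attacker in 10 ->", simulate(10, 10, 20))
    # Dedicated unused native VLAN: the outer tag 10 stays on the wire.
    print("native=999, attacker in 10 ->", simulate(10, 999, 20))
    # Tagging the native VLAN on the trunk also closes the hole.
    print("native=10, native tagged ->", simulate(10, 10, 20, tag_native=True))
```

The model makes the point of the thread concrete: the hop only works when the attacker's access VLAN equals the trunk's native VLAN, so a native VLAN with no access ports in it (and, ideally, one that is also tagged on the trunk) leaves the inner tag wrapped inside the attacker's own VLAN at the far end. On Catalyst IOS the corresponding settings are `switchport trunk native vlan <id>` per trunk and the global `vlan dot1q tag native`; note also that the attack is one-directional, since replies from the target VLAN have no path back through the stripped tag.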
