vlan hopping mitigation

peter2904
Level 1

Hi

With reference to the Safe document link below, in VLAN hopping/Network Attack Mitigation section, it refers to 'use dedicated VLAN IDs for all trunk ports'.

http://www.cisco.com/en/US/customer/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp1002270

We are already setting the Native VLAN to 10. Is that what this document is referring to, or does it mean something else?

If something else, links to documentation on that would be great.

thanks

Peter

1 Reply

Jon Marshall
Hall of Fame

Hi Peter

I suspect that is what it means yes.

We use a non-routable vlan for our native vlan in our data centres. This vlan should never have any physical ports assigned to it.

You are still open to some attacks though. 802.1q needs the concept of a native vlan for compatibility, so if you can't clear it off the trunks the next best thing is to do as above, i.e. a non-routable unused vlan.

Attached is a link to vlan security by Cisco which covers this in more detail.

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39211

HTH

Jon
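Added example, not from the thread or from Cisco: a Python check that reads a saved IOS running-config and flags trunk ports whose native VLAN breaks the advice in the reply above, that is, it is the default VLAN 1, it is routable (an SVI exists for it), or it has physical access ports assigned. The config text, interface names and VLAN numbers are constructed for the example.

```python
import re
# Constructed sample running-config (not from the original thread). Gi1/0/1 is a
# trunk left on the default native VLAN 1; Gi1/0/2 uses VLAN 10 as native, but VLAN 10
# also has an SVI and an access port (Gi1/0/3); Gi1/0/4 follows the advice in the reply.
SAMPLE_CONFIG = """
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode trunk
interface GigabitEthernet1/0/2
 switchport trunk native vlan 10
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport access vlan 10
interface GigabitEthernet1/0/4
 switchport trunk native vlan 999
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def audit_native_vlans(config):
    """Return {trunk: [problems]} for trunks whose native VLAN is 1, routable, or used by access ports."""
    blocks = parse_interfaces(config)
    svis = {int(m.group(1)) for name in blocks if (m := re.fullmatch(r"Vlan(\d+)", name))}
    access_ports, trunks = {}, {}
    for name, lines in blocks.items():
        native = 1  # IOS default when 'switchport trunk native vlan' is not configured
        for line in lines:
            if m := re.match(r"switchport trunk native vlan (\d+)", line):
                native = int(m.group(1))
            elif m := re.match(r"switchport access vlan (\d+)", line):
                access_ports.setdefault(int(m.group(1)), []).append(name)
        if "switchport mode trunk" in lines:
            trunks[name] = native
    checks = [(lambda v: v == 1, "native VLAN is the default VLAN 1"),
              (lambda v: v in svis, "native VLAN is routable (SVI exists)"),
              (lambda v: v in access_ports, "native VLAN has physical access ports assigned")]
    return {name: [msg for ok, msg in checks if ok(native)]
            for name, native in trunks.items() if any(ok(native) for ok, _ in checks)}
```

Run `audit_native_vlans(open("running-config.txt").read())` against a real `show running-config` capture; only Gi1/0/1 and Gi1/0/2 are reported for the sample, Gi1/0/4 with its dedicated VLAN 999 passes.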
