VLAN hopping

I have read threads about this topic, but just want a simple explanation before my brain melts out of my ears.


I have a switch configured as an access port, it connects to a link that is sending dot1q. Will the access port change itself so it can correctly receive the dot1q traffic?

I have read somewhere that it does, but some people say it doesn't and stays as an access port.

Jon Marshall Wed, 12/03/2008 - 12:00

Martin


Not entirely sure what this question has to do with VLAN hopping?


The answer to your question is it depends. If you disable DTP then an access port will not negotiate itself to become a trunk port.


int fa0/1

switchport mode access <- will turn off DTP


Jon

Giuseppe Larosa Wed, 12/03/2008 - 12:23

Hello Martin,

On modern Cisco switches, access ports should:

accept untagged frames

accept frames tagged with a VLAN ID = access port VLAN (switchport mode access; switchport access vlan x)


This stops simple VLAN hopping but not double VLAN hopping.

Double VLAN hopping uses frames with a double 802.1Q tag, with the external tag = access port VLAN ID.

If there is a trunk that is using 802.1Q encapsulation and has native VLAN = x, the switch will:

send out the frame without the external VLAN tag; the newly exposed VLAN ID is carried over the trunk (if permitted and the VLAN exists).

Then the frame, with single 802.1Q tag Y, is received by the switch on the other end of the trunk and can be forwarded out ports in VLAN Y.

The attacker has been able to send a frame from a port associated with VLAN x to ports in VLAN Y on another switch.

However, if the native VLAN of 802.1Q trunks is never used on access ports and only the necessary VLANs are permitted on trunks, this becomes difficult.


Another type of L2 attack is that of trying to negotiate a trunk, but this is stopped, as Jon has noted, by putting the port in access mode.

Notice that VLAN hopping, both simple and double, doesn't try to change the state of the access port but to exploit some behaviours of the LAN switches.

Old switches accepted tagged frames with any VLAN ID.

There is another thread called "tagged frames and access ports" where a colleague has placed a modern C4500 in place of a C5500 and now he is not able to have tagged frames moved between access ports.


Hope to help

Giuseppe

Jon Marshall Wed, 12/03/2008 - 12:32

Just to add to Giuseppe's excellent explanation.


You can mitigate the double VLAN attack by either:

1) clearing the native VLAN off all trunks, or

2) specifying that all VLANs must be tagged, even the native VLAN.


It really isn't such a big deal tagging the native VLAN if you don't need any backwards compatibility with devices that don't understand 802.1Q.


There is a good explanation of vlan security in this whitepaper if you haven't seen it before -


http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml


It is titled for the 6500 but it is applicable to all switches.


Jon
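Added example (not part of any post in this thread): a small Python model of the forwarding rules Giuseppe describes above (access port accepts untagged or access-VLAN-tagged frames, trunk sends the native VLAN untagged, far switch classifies by the tag it sees) and of the two mitigations in Jon's reply, so the double-tag path can be traced end to end. Everything in it is constructed for illustration: the MAC addresses, VLAN numbers and frames are made up, and the Switch parameters stand in for `switchport trunk native vlan`, `switchport trunk allowed vlan` and the global `vlan dot1q tag native`; `legacy_access` models the old behaviour of accepting any tagged frame on an access port. It is a simplified model, not Cisco code.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800
BCAST = b"\xff" * 6
ATTACKER_MAC = bytes.fromhex("02aabbccddee")  # constructed, locally administered address


def build_frame(dst, src, vlan_ids, payload):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (constructed, not captured)."""
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def visible_tags(frame):
    """VLAN IDs of every 802.1Q tag currently present, outermost first."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def push_tag(frame, vid):
    """Insert an outer 802.1Q tag after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def pop_tag(frame):
    """Remove the outermost 802.1Q tag; whatever follows (even another tag) is now payload."""
    return frame[:12] + frame[16:]


class Switch:
    """Just enough of an 802.1Q switch to show the forwarding rules discussed in the thread."""

    def __init__(self, access_vlan, native_vlan, allowed, tag_native=False, legacy_access=False):
        self.access_vlan = access_vlan        # 'switchport access vlan' on the attacker's port
        self.native_vlan = native_vlan        # 'switchport trunk native vlan' on the uplink trunk
        self.allowed = set(allowed)           # 'switchport trunk allowed vlan'
        self.tag_native = tag_native          # 'vlan dot1q tag native'
        self.legacy_access = legacy_access    # old switches: accept any tag on an access port

    def access_in(self, frame):
        """Access-port ingress: returns (vlan, frame) or None if the frame is dropped."""
        tags = visible_tags(frame)
        if not tags:
            return self.access_vlan, frame
        if tags[0] == self.access_vlan or self.legacy_access:
            return tags[0], pop_tag(frame)    # outer tag consumed; an inner tag survives as payload
        return None                           # modern behaviour: foreign tag on an access port is dropped

    def trunk_out(self, vlan, frame):
        """Trunk egress: native VLAN leaves untagged unless tag_native; everything else is tagged."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native_vlan and not self.tag_native:
            return frame
        return push_tag(frame, vlan)

    def trunk_in(self, frame):
        """Trunk ingress: classify by the outermost tag, untagged frames go to the native VLAN."""
        tags = visible_tags(frame)
        if not tags:
            return self.native_vlan, frame
        if tags[0] not in self.allowed:
            return None
        return tags[0], pop_tag(frame)


def attack(sw_a, sw_b, tags, payload=b"hello"):
    """Attacker on sw_a's access port sends a frame carrying `tags`; returns the VLAN sw_b delivers it into, or None."""
    frame = build_frame(BCAST, ATTACKER_MAC, tags, payload)
    hop = sw_a.access_in(frame)
    if hop is None:
        return None
    vlan, frame = hop
    frame = sw_a.trunk_out(vlan, frame)
    if frame is None:
        return None
    hop = sw_b.trunk_in(frame)
    return None if hop is None else hop[0]


if __name__ == "__main__":
    ALL = range(1, 4095)
    print("default (native 1, access 1):", attack(Switch(1, 1, ALL), Switch(1, 1, ALL), [1, 20]))
    print("unused native VLAN 999:     ", attack(Switch(1, 999, ALL), Switch(1, 999, ALL), [1, 20]))
    print("native VLAN tagged:         ", attack(Switch(1, 1, ALL, tag_native=True), Switch(1, 1, ALL, tag_native=True), [1, 20]))
    print("VLAN 20 pruned from trunk:  ", attack(Switch(1, 1, [1, 10]), Switch(1, 1, [1, 10]), [1, 20]))
```

With both switches on the defaults (access VLAN 1, trunk native VLAN 1, all VLANs allowed) the double-tagged frame arrives on the far switch in VLAN 20: the access port strips the outer tag 1, the trunk sends VLAN 1 untagged, and the inner tag is all the far end sees. Either of Jon's mitigations (a native VLAN that is never used on access ports, or tagging the native VLAN) makes the trunk tag the frame with VLAN 1, so the far switch delivers it back into VLAN 1; pruning VLAN 20 from the trunk drops it outright. A single foreign tag is dropped by the modern access-port rule and only gets through with `legacy_access=True`. The model ignores MAC learning, flooding and DTP, which do not change the outcome here.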
