12-03-2008 11:52 AM - edited 03-06-2019 02:47 AM
I have read threads about this topic, but just want a simple explanation before my brain melts out of my ears.
I have a switch configured as an access port, it connects to a link that is sending dot1q. Will the access port change itself so it can correctly receive the dot1q traffic?
I have read somewhere that it does, but some people say it doesn't and stays as an access port.
12-03-2008 12:00 PM
Martin
Not entirely sure what this question has to do with vlan hopping?
The answer to your question is it depends. If you disable DTP then an access port will not negotiate itself to become a trunk port.
int fa0/1
switchport mode access <- will turn off DTP
Jon
12-03-2008 02:02 PM
From what I understand, VLAN hopping is when an attacker creates a false link advertising Dot1q to your switch, and if your switch port has DTP on it, he can then gain access with all VLANs via Dot1q trunking?
12-03-2008 12:23 PM
Hello Martin,
modern Cisco switches' access ports should
accept untagged frames
accept frames tagged with a vlan-id = access port vlan (switchport mode access; switchport access vlan x)
this stops simple Vlan hopping but not double vlan hopping
double vlan hopping uses frames with a double 802.1Q tag with external tag = access port vlan-id
if there is a trunk that is using 802.1Q encapsulation and has native vlan = x the switch will:
send out the frame without the external vlan tag, the new exposed vlan-id is carried over the trunk (if permitted and the vlan exists).
then the frame with single 802.1Q tag Y is received on the switch on the other end of the trunk and can be forwarded out ports in vlan Y.
The attacker has been able to send a frame from a port associated to vlan x to ports in vlan y in another switch.
However, if the native vlan of 802.1Q trunks is never used on access ports and only necessary vlans are permitted on trunks, this becomes difficult.
Another type of L2 attack is that of trying to negotiate a trunk but this is stopped as Jon has noted by putting the port in access mode.
Notice that vlan hopping, both simple and double, doesn't try to change the state of the access port but to exploit some behaviours of the LAN switches.
Old switches accepted tagged frames with any vlan-id
There is another thread called "tagged frames and access ports" where a colleague has placed a modern C4500 in place of a C5500 and now he is not able to have tagged frames moved between access ports.
Hope to help
Giuseppe
12-03-2008 12:32 PM
Just to add to Giuseppe's excellent explanation.
You can mitigate the double vlan attack by either
1) clearing the native vlan off all trunks
2) specifying that all vlans must be tagged even the native vlan.
It really isn't such a big deal tagging the native vlan if you don't need any backwards compatibility with devices that don't understand 802.1q.
There is a good explanation of vlan security in this whitepaper if you haven't seen it before -
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
It is titled for the 6500 but it is applicable to all switches.
Jon
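The forwarding behaviour Giuseppe describes (access port accepting only untagged frames or frames tagged with its own vlan, trunk egress stripping the native vlan tag) and the two mitigations Jon lists can be checked in a small model. This is an added illustration, not code from Cisco or from the thread; the frames are constructed byte strings and the switch logic is a simplification with assumed function names.

```python
# Added model of the 802.1Q forwarding behaviour discussed in the thread; not
# switch firmware. Frames below are constructed byte strings for the demo.
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100  # EtherType that introduces an 802.1Q tag

class Frame(NamedTuple):
    tags: tuple      # VLAN ids outer-to-inner (empty for untagged)
    ethertype: int
    payload: bytes

def make_frame(vlan_ids, ethertype=0x0800, payload=b"\x00" * 4) -> bytes:
    """Build a (possibly stacked-tag) Ethernet frame with dummy MACs."""
    raw = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    for v in vlan_ids:
        raw += TPID_8021Q.to_bytes(2, "big") + (v & 0x0FFF).to_bytes(2, "big")
    return raw + ethertype.to_bytes(2, "big") + payload

def parse_frame(raw: bytes) -> Frame:
    """Walk past dst/src MACs and every stacked 802.1Q tag (12-bit VID)."""
    off, tags = 12, []
    while int.from_bytes(raw[off:off + 2], "big") == TPID_8021Q:
        tags.append(int.from_bytes(raw[off + 2:off + 4], "big") & 0x0FFF)
        off += 4
    return Frame(tuple(tags), int.from_bytes(raw[off:off + 2], "big"), raw[off + 2:])

def access_ingress(frame: Frame, access_vlan: int) -> Optional[tuple]:
    """Modern access port: accept untagged frames, or frames whose outer
    tag equals the access VLAN; anything else is dropped (None)."""
    if not frame.tags:
        return (access_vlan,)
    return frame.tags if frame.tags[0] == access_vlan else None

def trunk_egress(tags, native_vlan, allowed, tag_native=False):
    """802.1Q trunk egress: the outer tag is stripped when it is the native
    VLAN and native tagging is off, which is what exposes an inner tag."""
    if tags[0] not in allowed:
        return None
    return tags[1:] if tags[0] == native_vlan and not tag_native else tags

def exposed_vlan(raw, access_vlan, native_vlan, allowed, tag_native=False):
    """VLAN id the far-end switch would classify the frame into, if it
    differs from the access VLAN it entered on; None means no hop."""
    inside = access_ingress(parse_frame(raw), access_vlan)
    if inside is None:
        return None
    wire = trunk_egress(inside, native_vlan, allowed, tag_native)
    far_vlan = wire[0] if wire else native_vlan   # untagged on wire -> native
    if wire is None or far_vlan == access_vlan or far_vlan not in allowed:
        return None
    return far_vlan
```

Running `exposed_vlan` with native vlan equal to the access vlan shows the inner tag reaching the far switch; with `tag_native=True`, with a native vlan that no access port uses, or with the inner vlan not permitted on the trunk, it returns None.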