
VLAN hopping

martin.ray
Level 1

I have read threads about this topic, but just want a simple explanation before my brain melts out of my ears.

I have a switch configured as an access port, it connects to a link that is sending dot1q. Will the access port change itself so it can correctly receive the dot1q traffic?

I have read somewhere that it does, but some people say it doesn't and stays as an access port.

4 Replies

Jon Marshall
Hall of Fame

Martin

Not entirely sure what this question has to do with vlan hopping?

The answer to your question is it depends. If you disable DTP then an access port will not negotiate itself to become a trunk port.

int fa0/1

switchport mode access <- will turn off DTP

Jon

From what I understand, VLAN hopping is when an attacker creates a false link advertising Dot1q to your switch, and if your switch port has DTP on it, he can then gain access to all VLANs via Dot1q trunking?

Giuseppe Larosa
Hall of Fame

Hello Martin,

modern Cisco switches' access ports should

accept untagged frames

accept frames tagged with a vlan-id = access port vlan (switchport mode access; switchport access vlan x)

this stops simple Vlan hopping but not double vlan hopping

double vlan hopping uses frames with a double 802.1Q tag with external tag = access port vlan-id

if there is a trunk that is using 802.1Q encapsulation and has native vlan = x the switch will:

send out the frame without the external vlan tag, the new exposed vlan-id is carried over the trunk (if permitted and the vlan exists).

then the frame with single 802.1Q tag Y is received on the switch on the other end of the trunk and can be forwarded out ports in vlan Y.

The attacker has been able to send a frame from a port associated to vlan x to ports in vlan y in another switch.

However, if the native vlan of 802.1Q trunks is never used on access ports, only necessary vlans are permitted on trunks this becomes difficult.

Another type of L2 attack is that of trying to negotiate a trunk but this is stopped as Jon has noted by putting the port in access mode.

Notice that vlan hopping both simple and double doesn't try to change the state of the access port but to exploit some behaviours of the LAN switches

Old switches accepted tagged frames with any vlan-id

There is another thread called "tagged frames and access ports" where a colleague has placed a modern C4500 in place of a C5500 and now he is not able to have tagged frames moved between access ports

Hope to help

Giuseppe

Jon Marshall
Hall of Fame

Just to add to Giuseppe's excellent explanation.

You can mitigate the double vlan attack by either

1) clearing the native vlan off all trunks

2) specifying that all vlans must be tagged even the native vlan.

It really isn't such a big deal tagging the native vlan if you don't need any backwards compatibility with devices that don't understand 802.1q.

There is a good explanation of vlan security in this whitepaper if you haven't seen it before -

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

It is titled for the 6500 but it is applicable to all switches.

Jon
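To make the double-tagging path Giuseppe describes and the two mitigations Jon lists concrete, here is an added Python model of the access-port, trunk-egress and far-end classification rules from this thread. It is example code written for this page, not from the thread's authors or from Cisco, and the frame bytes, VLAN numbers and function names are constructed for the illustration.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier

def pop_tag(frame):
    """Strip the outermost 802.1Q tag: returns (vlan_id, frame) or (None, frame) if untagged."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

def push_tag(frame, vlan_id):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF) + frame[12:]  # tag, PCP 0

def access_ingress(frame, access_vlan):
    """Modern access-port rule from the thread: accept untagged, or outer tag == port VLAN (tag consumed)."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, inner) if vid == access_vlan else None

def trunk_egress(vlan, frame, native_vlan, allowed, tag_native=False):
    """802.1Q trunk egress: native-VLAN frames leave untagged unless native tagging is enabled."""
    if vlan not in allowed:
        return None
    if vlan == native_vlan and not tag_native:
        return frame          # whatever tag is still inside the frame is now the outer tag
    return push_tag(frame, vlan)

def trunk_ingress(frame, native_vlan, allowed):
    """Far-end trunk classifies on the outer tag (untagged = native) and drops VLANs not permitted."""
    vid, _ = pop_tag(frame)
    vid = native_vlan if vid is None else vid
    return vid if vid in allowed else None

def hop(frame, access_vlan, native_vlan, allowed, tag_native=False):
    """VLAN the far-end switch assigns to a frame injected on an access port; None if dropped."""
    res = access_ingress(frame, access_vlan)
    if res is None:
        return None
    wire = trunk_egress(res[0], res[1], native_vlan, allowed, tag_native)
    return None if wire is None else trunk_ingress(wire, native_vlan, allowed)
# Constructed sample: broadcast, made-up source MAC, IPv4 ethertype, zero payload; inner tag 20 (y), outer tag 1 (x).
BASE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
DOUBLE = push_tag(push_tag(BASE, 20), 1)
if __name__ == "__main__":
    print(hop(DOUBLE, 1, 1, {1, 20}))                   # 20: inner tag exposed, frame hops to VLAN 20
    print(hop(DOUBLE, 1, 1, {1, 20}, tag_native=True))  # 1: native VLAN tagged, no hop
    print(hop(DOUBLE, 1, 999, {1, 20}))                 # 1: native VLAN not used on any access port
    print(hop(DOUBLE, 1, 1, {1}))                       # None: VLAN 20 not permitted on the trunk
```

The first line reproduces the hop from VLAN x to VLAN y; the next three show each of the countermeasures named above (tagging the native VLAN, moving the native VLAN off access ports, pruning the trunk's allowed list) stopping it.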
