Cisco Support Community

vlan hopping mitigation

Hi

With reference to the SAFE document link below, in the VLAN hopping/Network Attack Mitigation section, it refers to 'use dedicated VLAN IDs for all trunk ports'.

http://www.cisco.com/en/US/customer/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml#wp1002270

We are already setting the Native VLAN to 10. Is that what this document is referring to, or does it mean something else?

If something else, links to documentation on this would be great.

thanks

Peter

1 REPLY

Re: vlan hopping mitigation

Hi Peter

I suspect that is what it means yes.

We use a non-routable vlan for our native vlan in our data centres. This vlan should never have any physical ports assigned to it.

You are still open to some attacks though. 802.1Q needs the concept of a native VLAN for compatibility, so if you can't clear it off the trunks the next best thing is to do as above, i.e. a non-routable unused VLAN.

Attached is a link to VLAN security by Cisco which covers this in more detail.

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39211

HTH

Jon
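An added example, not part of the thread and not Cisco's code, that turns the advice in the reply into a check you can run against a saved running-config: for each trunk it reports whether the native VLAN is still the default 1, whether any access port sits in the same VLAN (the precondition for 802.1Q double tagging, where the first switch sends the attacker's outer-tagged frame untagged on the trunk and the next switch acts on the inner tag), whether the native VLAN has an SVI with an address (routable), and whether the native VLAN is still in the trunk's allowed list. The configuration text below is constructed for the example; the interface names and VLAN numbers are assumptions, and the parser only understands the handful of IOS commands shown.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample configuration in Cisco IOS style (made up for this
# example, not taken from the thread). Gi0/22 is a trunk left at the
# defaults (native VLAN 1, all VLANs allowed); Gi0/24 uses native VLAN 10,
# which is also the access VLAN on Gi0/1 and has a routed SVI; Gi0/23
# follows the advice in the reply: an unused, non-routable native VLAN
# that is not even in the trunk's allowed list.
SAMPLE_CONFIG = """\
vlan 10
 name users
vlan 999
 name native-unused
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/22
 switchport mode trunk
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10-30
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of a config under their 'interface X' header."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # a top-level 'vlan 10', '!' etc. ends the block
    return interfaces


def parse_vlan_list(spec: str) -> Optional[Set[int]]:
    """Expand '10,20-30' into a set of VLAN IDs; None means 'all' (IOS default)."""
    if spec.strip() == "all":
        return None
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def audit_native_vlans(config: str) -> Dict[str, List[str]]:
    """Return, per trunk port, a list of native-VLAN findings (empty list = clean)."""
    interfaces = parse_interfaces(config)
    svi_vlans: Set[int] = set()                 # VLANs with an addressed SVI
    access_ports: Dict[int, List[str]] = {}     # VLAN -> access ports in it
    trunks: Dict[str, Tuple[int, Optional[Set[int]]]] = {}

    for name, lines in interfaces.items():
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:
            if any(line.startswith("ip address ") for line in lines):
                svi_vlans.add(int(svi.group(1)))
            continue
        mode = None
        access_vlan = 1                       # IOS default for an access port
        native_vlan = 1                       # IOS default native VLAN on a trunk
        allowed: Optional[Set[int]] = None    # None = all VLANs allowed (default)
        for line in lines:
            if line.startswith("switchport mode "):
                mode = line.split()[-1]
            elif (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
                access_vlan = int(m.group(1))
            elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", line)):
                native_vlan = int(m.group(1))
            elif (m := re.fullmatch(r"switchport trunk allowed vlan (\S+)", line)):
                allowed = parse_vlan_list(m.group(1))
        if mode == "access":
            access_ports.setdefault(access_vlan, []).append(name)
        elif mode == "trunk":
            trunks[name] = (native_vlan, allowed)

    report: Dict[str, List[str]] = {}
    for name, (native, allowed) in trunks.items():
        findings: List[str] = []
        if native == 1:
            findings.append("default-native-1")
        if native in access_ports:
            # Double-tagging precondition: a host on one of these ports can send
            # a frame tagged native (outer) / target VLAN (inner); this switch
            # forwards it untagged on the trunk and the next switch reads the
            # inner tag, delivering the frame into the target VLAN.
            findings.append("native-shared-with-access:" + ",".join(access_ports[native]))
        if native in svi_vlans:
            findings.append("native-routable")
        if allowed is None or native in allowed:
            findings.append("native-in-allowed")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_native_vlans(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run against a real `show running-config` the same way; a trunk that comes back with an empty list matches the reply's recommendation (dedicated native VLAN, no access ports in it, no SVI, and not carried on the trunk), while `native-shared-with-access` is the one finding to fix first because it is what makes double tagging possible from an ordinary access port.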
