Mitigating VLAN Hopping Attacks

Ways to mitigate VLAN Hopping Attacks on a Cisco Switch.

Preventing basic VLAN hopping attacks on a Cisco switch mostly comes down to best-practice security configuration. VLAN hopping attacks can occur in one of two ways. In the first, an attacker spoofs DTP messages directly to a switch; if the switchport has Dynamic Trunking Protocol (DTP) enabled, it can then negotiate a VLAN and receive tagged packets for that VLAN. In the second, the attacker introduces a rogue switch, again takes advantage of DTP to negotiate a trunk with the switch, and is then able to receive all VLANs. Not good!

We can do the following to prevent this:

  • Disable Dynamic Trunking Protocol (DTP) for non-trunked ports with switchport mode access – this should always be done for all ports straight out of the box!
  • Disable Dynamic Trunking Protocol (DTP) for all trunked ports with switchport nonegotiate.
  • Manually enable trunk ports with switchport mode trunk.
  • Set the native VLAN to an unused VLAN rather than just leaving it on VLAN 1 with switchport trunk native vlan (your VLAN number).
  • Put all unused ports into an unused VLAN and then disable all unused ports – again, disabling all unused ports should be done straight out of the box.
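
One way to check a switch against the list above is to audit a saved running-config. This is an added example, not part of the original article; the sample config is constructed, and the function names, unused VLAN 998 and native VLAN 999 are assumptions.

```python
# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 998
!
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    # Map each interface name to the list of its indented config lines.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global line ends the stanza
    return interfaces

def audit(config, unused_vlan="998"):
    # Return {interface: [findings]} for layer-2 ports missing a mitigation.
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                issues.append("trunk still runs DTP (no 'switchport nonegotiate')")
            native = [l.split()[-1] for l in lines
                      if l.startswith("switchport trunk native vlan")]
            if not native or native[0] == "1":
                issues.append("native VLAN left on VLAN 1")
        elif "switchport mode access" not in lines:
            issues.append("DTP not disabled (no 'switchport mode access')")
        if f"switchport access vlan {unused_vlan}" in lines and "shutdown" not in lines:
            issues.append("port in unused VLAN is not shut down")
        if issues:
            findings[name] = issues
    return findings
```

Calling audit(SAMPLE_CONFIG) flags GigabitEthernet0/2, 0/5 and 0/24 and leaves the fully hardened trunk on 0/23 out of the report.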