The best way to mitigate VLAN hopping attacks is to ensure that trunking is only enabled on ports that require trunking. Additionally, be sure to disable DTP (auto trunking) negotiations and manually enable trunking.
To prevent a VLAN hopping attack that uses double 802.1Q encapsulation, the switch must look further into the frame to determine whether more than one VLAN tag is attached to it. Unfortunately, most switches have hardware that is optimized to look for one tag and then to switch the frame. The issue of performance versus security requires administrators to balance their requirements carefully.
Mitigating VLAN hopping attacks that use double 802.1Q encapsulation requires several modifications to the VLAN configuration. One of the more important elements is to use a dedicated native VLAN for all trunk ports. This attack is easy to stop when following the recommended practice of not using native VLANs for trunk ports anywhere else on the switch. In addition, disable all unused switch ports and place them in an unused VLAN.
To control trunking for ports, several options are available.
For links that are not intended as trunks, use the switchport mode access interface configuration command to disable trunking.
There are three steps to create trunk links:
Step 1. Use the switchport mode trunk interface configuration command to cause the interface to become a trunk link.
Step 2. Use the switchport nonegotiate interface configuration command to prevent the generation of DTP frames.
Step 3. Use the switchport trunk native vlan vlan_number interface configuration command to set the native VLAN on the trunk to an unused VLAN. The default native VLAN is VLAN 1.
biOos
No comments:
Post a Comment