The major security concern related to VLANs is a concept commonly known as “VLAN hopping”. In a VLAN hopping attack, an attacker sends and/or receives traffic on a VLAN to which they are not assigned. There are two ways to do this, switch spoofing and double-tagging, and both work by manipulating the way switches create trunk links and pass tagged traffic across them.
Switch spoofing uses a computer to mimic a switch and negotiate a trunk link with the directly connected switch using Dynamic Trunking Protocol (DTP). DTP is enabled by default on Cisco switches, and a trunk port passes traffic for all VLANs by default. If an attacker is able to trick the switch into establishing a trunk port, they are able to access (and inject) all traffic going through the switch.
A double-tagging attack is possible because 802.1Q does not tag frames sent on the native VLAN. In this attack, the attacker sends a frame with two VLAN tags: the outer tag carries the segment’s native VLAN and the inner tag carries the target destination’s VLAN. The first switch to receive the attacker’s frame strips off the outer (native VLAN) tag and forwards the frame on, including across adjacent trunk ports, because that is how 802.1Q handles native VLAN traffic. When the next-hop switch receives the frame, it sees only the second tag and forwards it on to the target destination’s VLAN.
To Mitigate Switch Spoofing:
- Disable DTP on all ports using the switchport nonegotiate command on each port.
- Define access ports and trunk ports explicitly using the switchport mode access and switchport mode trunk commands.
- Shut down all unused ports and assign them all to an unused VLAN (e.g. VLAN 999).
- Use a native VLAN that is separate from any data VLAN.
- Explicitly define the VLANs allowed on each trunk link, rather than relying on the default of allowing all VLANs.
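The following Cisco IOS configuration is an added example that applies the mitigations above; it is not taken from the original text. The interface names and the VLAN numbers (data VLANs 10 and 20, native VLAN 99, unused VLAN 999) are assumed values chosen for illustration.

```cisco
! Risky default: a port left in a dynamic DTP mode will form a trunk
! as soon as the peer on the wire negotiates one.
interface GigabitEthernet1/0/5
 switchport mode dynamic desirable
!
! Hardened access port: fixed access mode, DTP disabled.
! (switchport nonegotiate is only accepted once the mode is set
! explicitly to access or trunk, not while it is dynamic.)
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: shut down and parked in an unused VLAN (assumed 999).
interface range GigabitEthernet1/0/20 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Uplink trunk: explicit trunk mode, DTP disabled, native VLAN moved to
! an unused VLAN (assumed 99), and only the data VLANs permitted.
! The encapsulation line is needed only on switches that also support ISL.
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
!
! Optional, on IOS platforms that support it: tag native-VLAN frames on
! trunks as well, so an untagged native-VLAN frame is no longer special.
vlan dot1q tag native
!
! Verification after the change:
!   show interfaces trunk        (trunk ports, native VLAN, allowed VLANs)
!   show dtp interface GigabitEthernet1/0/5   (DTP state of the port)
```

Apply the trunk changes to both ends of each uplink, since a native VLAN or allowed-VLAN mismatch between the two sides will cause the trunk to drop traffic.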