Cisco Catalyst 6880-X Specifications Page 38

Access Layer April 2014
35
There is a remote possibility that an attacker can create a double 802.1Q encapsulated packet. If the attacker
has specific knowledge of the 802.1Q native VLAN, a packet could be crafted so that, when it is processed, the first
or outermost tag is removed as the packet is switched onto the untagged native VLAN. When the packet
reaches the target switch, the inner or second tag is then processed and the potentially malicious packet is
switched to the target VLAN.
Figure 13 - VLAN hopping attack
[Diagram not reproduced. Labels: Attacker Host; 802.1Q Trunk; 802.1Q Trunk with Native VLAN A; Access Interface VLAN B; 802.1Q Tags: VLAN A / VLAN B / Data]
At first glance, this appears to be a serious risk. However, the traffic in this attack scenario is in a single direction
and no return traffic can be switched by this mechanism. Additionally, this attack cannot work unless the attacker
knows the native VLAN ID.
Step 3: Configure an unused VLAN on all switch-to-switch 802.1Q trunk links from access layer to distribution
layer. This configuration mitigates the remote risk of a VLAN hopping attack. Choosing an arbitrary, non-default,
unused VLAN assignment for the native VLAN reduces the possibility that a double 802.1Q-tagged packet can
hop VLANs. If you are running the recommended EtherChannel uplink to the LAN access layer switch, configure
the switchport trunk native vlan on the port-channel interface.
vlan 999
name AntiVLANhopping
exit
!
interface [port-channel] [number]
switchport trunk native vlan 999
Step 4: After leaving configuration mode, save the running configuration that you have entered so it will be used
as the startup configuration file when your switch is reloaded or power-cycled.
copy running-config startup-config
Step 5: If you have configured your access-layer Cisco Catalyst 2960-S or Cisco Catalyst 3750-X switch stack
for an EtherChannel link to the distribution layer switch, reload your switch stack now to ensure proper operation
of EtherChannel. A single reload of a newly configured switch may be necessary to ensure that EtherChannel
operates with other features configured on the switch stack.
reload
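As an added check that is not part of the guide, the following Python script audits a constructed sample of an IOS-style running-config and flags every 802.1Q trunk whose native VLAN is still the default VLAN 1 or is also assigned to host access ports, which is the condition Step 3 is meant to remove. Interface names and VLAN numbers in the sample are hypothetical.

```python
import re

# Constructed sample running-config (not from the guide); hypothetical names.
# One uplink is configured as in Step 3, two other trunks are not.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/0/47
 switchport mode trunk
 switchport trunk native vlan 100
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of indented commands beneath it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces

def audit_native_vlans(config):
    """Return (interface, native_vlan, reason) for each trunk whose native VLAN
    is the IOS default (1) or is also an access VLAN carrying host traffic."""
    access_vlans = {int(v) for v in re.findall(r"switchport access vlan (\d+)", config)}
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        # Default native VLAN is 1 when no 'switchport trunk native vlan' is set.
        native = next((int(c.split()[-1]) for c in lines
                       if c.startswith("switchport trunk native vlan ")), 1)
        if native == 1:
            findings.append((name, native, "default native VLAN 1"))
        elif native in access_vlans:
            findings.append((name, native, "native VLAN also carries host traffic"))
    return findings
```

Run it against the output of `show running-config` to get the list of trunks to revisit; a clean result is an empty list.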