Transcript SWITCH10S07L02.pptx
Protecting Against
VLAN Attacks
Minimizing Service Loss and Data Theft
© 2009 Cisco Systems, Inc. All rights reserved.
SWITCH v1.0—7-1
Explaining VLAN Hopping
An attacking system spoofs itself as a legitimate trunk-negotiating device.
The trunk link is negotiated dynamically.
The attacking device then gains access to all VLANs carried by the trunk.
VLAN Hopping with Double Tagging
Double tagging allows a frame to be forwarded to a destination VLAN other than the VLAN of the source.
Mitigating VLAN Hopping
Unused ports
Shut down all unused ports.
Configure all unused ports to access mode.
Configure the access VLAN on all unused ports to an unused VLAN.
Configure the native trunk VLAN on all unused ports to an unused VLAN.
Trunk ports
Configure trunk ports with trunk mode on, and disable trunk negotiation.
Configure the native trunk VLAN on trunk ports to an unused VLAN.
Configure the allowed VLANs on the trunk ports, and do not include the native VLAN in the allowed list.
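As an added example (not part of the Cisco course material), the following Python script audits an interface-by-interface running-config excerpt against the mitigation list above and reports which rule each port violates. The interface names, the constructed configuration text, and the choice of VLAN 999 as the designated unused VLAN are assumptions.

```python
# Constructed running-config excerpt for this demonstration (not from the slides).
SAMPLE_CONFIG = """\
interface Gi1/0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
interface Gi1/0/2
 switchport access vlan 999
 switchport mode access
 shutdown
interface Gi1/0/3
 description left at factory defaults
interface Gi1/0/4
 switchport mode trunk
 switchport trunk allowed vlan 1,10-20
"""

def expand_vlans(spec):
    """IOS VLAN list syntax: '1,10-12' -> {1, 10, 11, 12}."""
    ranges = [p.partition("-") for p in spec.split(",")]
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def audit_port(lines, unused_vlan=999):
    """Findings for one port against the slide's unused-port and trunk-port rules."""
    def value(prefix, default):
        return next((l[len(prefix):] for l in lines if l.startswith(prefix)), default)
    unused = "shutdown" in lines                                # a shut port is an unused port
    mode = value("switchport mode ", "dynamic (default)")       # no static mode = DTP active
    native = int(value("switchport trunk native vlan ", "1"))   # IOS default native VLAN
    access = int(value("switchport access vlan ", "1"))         # IOS default access VLAN
    allowed = value("switchport trunk allowed vlan ", None)     # None = every VLAN carried
    checks = [
        (mode not in ("access", "trunk"), f"DTP negotiation possible: mode is '{mode}'"),
        (unused and mode != "access", "unused port not in access mode"),
        (unused and access != unused_vlan, f"access VLAN {access} is not unused VLAN {unused_vlan}"),
        ((unused or mode == "trunk") and native != unused_vlan, f"native VLAN {native} is not unused VLAN {unused_vlan}"),
        (mode == "trunk" and "switchport nonegotiate" not in lines, "trunk lacks 'switchport nonegotiate'"),
        (mode == "trunk" and (allowed is None or native in expand_vlans(allowed)), f"native VLAN {native} carried on trunk"),
    ]
    return [msg for hit, msg in checks if hit]

def audit(config, unused_vlan=999):
    """Audit every interface stanza of a running-config; an empty list means compliant."""
    report = {}
    for block in config.split("interface ")[1:]:   # 'show run' keeps one stanza per interface
        port, *lines = block.strip().splitlines()
        report[port] = audit_port([l.strip() for l in lines], unused_vlan)
    return report
```

Calling audit(SAMPLE_CONFIG) flags Gi1/0/3 (still negotiating, no static mode) and Gi1/0/4 (negotiation on, native VLAN 1 both unchanged and carried) while Gi1/0/1 comes back clean.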
Types of ACLs
Configuring VACLs
Create an access list.
Configure an access map.
Create a VLAN filter.
Example: Drop all traffic from network 10.1.9.0/24 on VLANs 10 and 20, and drop all traffic to backup server 0000.1111.4444.
Switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any
Switch(config)# mac access-list extended BACKUP_SERVER
Switch(config-ext-mac)# permit any host 0000.1111.4444
Switch(config)# vlan access-map XYZ 10
Switch(config-map)# match ip address 100
Switch(config-map)# action drop
Switch(config-map)# vlan access-map XYZ 20
Switch(config-map)# match mac address BACKUP_SERVER
Switch(config-map)# action drop
Switch(config-map)# vlan access-map XYZ 30
Switch(config-map)# action forward
Switch(config)# vlan filter XYZ vlan-list 10,20
Summary
VLAN hopping can allow unauthorized Layer 2 access to another VLAN.
VLAN hopping can be mitigated by:
– Properly configuring 802.1Q trunks
– Turning off trunk negotiation
Access lists can be applied to VLANs to limit Layer 2 access.
VACLs can be configured on Cisco Catalyst switches.