VLAN Hopping Attacks Mitigation

In any network, different VLANs serve different departments within an organization. For instance, one VLAN might serve the network engineering team, while another is dedicated to the security engineering team. These VLANs segment the network so that access to resources is restricted to the hosts inside each VLAN.

Even though VLANs do a good job of segmenting a network, attackers have devised methods to bypass that segmentation and move frames from one VLAN to another without traversing a router, and therefore without passing any access control applied at layer 3. This tactic is commonly referred to as VLAN hopping.

VLAN hopping occurs when an attacker abuses the way a switch classifies and forwards frames, so that frames sent from the attacker's port are delivered into a VLAN that port was never assigned to. The objective is to reach hosts on other VLANs from a single port; once one VLAN can be reached from another, every VLAN carried by the same switches is within the attacker's reach.

There are two primary techniques used by attackers to facilitate unauthorized access between VLANs:

  • a) Switch Spoofing
  • b) Double-tagging

A) Switch spoofing: Network administrators normally configure each switch interface as either an access port or a trunk port. Access ports connect host devices such as PCs or laptops and belong to a single VLAN. Trunk ports connect switches to each other and carry traffic for multiple VLANs. Although it is recommended to configure these modes manually, Cisco switches can also negotiate them automatically through the Dynamic Trunking Protocol (DTP): an interface left in its default dynamic mode (dynamic auto on the switches used below) forms a trunk as soon as the device on the other end asks for one. DTP has no authentication, so an attacker who connects a host that speaks DTP (or a real switch) to such a port can negotiate a trunk and then send and receive tagged traffic for every VLAN allowed on it. To mitigate this risk, disable DTP negotiation, manually configure each interface as either an access port or a trunk port, and shut down interfaces that are not in use.

B) Double tagging: When a frame crosses a trunk, an 802.1Q tag carrying the VLAN ID is inserted into the frame so that the receiving switch knows which VLAN it belongs to. The exception is the native VLAN of the trunk: frames in the native VLAN are sent across the trunk without a tag, and untagged frames arriving on the trunk are assigned to the native VLAN. Double tagging exploits this exception. The attacker, connected to an access port that belongs to the trunk's native VLAN (VLAN 1 by default), sends a frame carrying two 802.1Q tags: an outer tag for the native VLAN and an inner tag for the victim VLAN. The first switch removes the outer tag and, because the frame belongs to the native VLAN, forwards it over the trunk untagged, with the attacker's inner tag now at the front of the frame. The second switch reads that inner tag and delivers the frame into the victim VLAN. The attack is one-way: the victim's replies stay in its own VLAN and never reach the attacker, so it cannot be used for an interactive session, but it is enough to deliver malicious traffic to hosts the attacker should not be able to reach, for example to cause a denial of service. To prevent double tagging, restrict the use of the native VLAN: change the native VLAN of every trunk to an unused VLAN ID that no access port belongs to (switchport trunk native vlan <id> on the trunk interface), and make the switch tag native VLAN traffic on trunks as well (the global command vlan dot1q tag native), so that the outer tag is never stripped.
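
To make the tag handling concrete, here is a small Python model of the two-switch path described above. This is an added example, not code from the original post, and it sends nothing on a network: the frames are constructed inside the script, and the switch logic is reduced to the three rules the attack depends on (an access port accepts a tag only if it matches the port's VLAN and then strips it; a trunk sends its native VLAN untagged unless native tagging is on; a trunk assigns untagged frames to its native VLAN). The native VLAN 999 and the MAC addresses are arbitrary values chosen for the example. It also runs the case the post does not spell out, an attacker whose access VLAN differs from the trunk's native VLAN, which shows why the attack requires the two to match.

```python
"""Model of 802.1Q double tagging across two switches (added example, constructed frames only)."""
import struct
from typing import List, Optional, Tuple

DOT1Q = 0x8100   # 802.1Q tag protocol identifier
IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost tag first."""
    tags = b"".join(struct.pack("!HH", DOT1Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def split_tags(frame: bytes) -> Tuple[List[int], bytes]:
    """VIDs of all leading 802.1Q tags (outermost first) and the frame without them."""
    vids: List[int] = []
    offset = 12
    while len(frame) >= offset + 4 and struct.unpack("!H", frame[offset:offset + 2])[0] == DOT1Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids, frame[:12] + frame[offset:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag."""
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a new outermost 802.1Q tag."""
    return frame[:12] + struct.pack("!HH", DOT1Q, vid & 0x0FFF) + frame[12:]


def first_switch(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool) -> Optional[bytes]:
    """Frame enters on an access port and is forwarded out the trunk.

    Returns the frame as it appears on the trunk wire, or None if dropped.
    Modelled rules: a tagged frame is accepted on an access port only if its
    outer tag equals the port's access VLAN (that tag is then removed); the
    native VLAN leaves the trunk untagged unless native tagging is enabled.
    """
    vids, _ = split_tags(frame)
    if vids:
        if vids[0] != access_vlan:
            return None
        frame = pop_tag(frame)
    if access_vlan == native_vlan and not tag_native:
        return frame          # untagged on the trunk: any inner tag is now outermost
    return push_tag(frame, access_vlan)


def second_switch(trunk_frame: bytes, native_vlan: int) -> int:
    """VLAN the receiving switch assigns to a frame arriving on its trunk."""
    vids, _ = split_tags(trunk_frame)
    return vids[0] if vids else native_vlan


def deliver(access_vlan: int, native_vlan: int, tag_native: bool, target_vlan: int) -> Optional[int]:
    """VLAN in which a double-tagged frame from the attacker's port is finally delivered."""
    attacker_frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                                 [access_vlan, target_vlan], IPV4, b"constructed payload")
    on_trunk = first_switch(attacker_frame, access_vlan, native_vlan, tag_native)
    return None if on_trunk is None else second_switch(on_trunk, native_vlan)


if __name__ == "__main__":
    cases = [
        ("attacker in VLAN 1, native 1, untagged native", 1, 1, False),
        ("attacker in VLAN 10, native 1, untagged native", 10, 1, False),
        ("attacker in VLAN 1, native 999, untagged native", 1, 999, False),
        ("attacker in VLAN 1, native 1, tagged native", 1, 1, True),
    ]
    for label, access_vlan, native_vlan, tag_native in cases:
        print(f"{label:48s} -> delivered in VLAN {deliver(access_vlan, native_vlan, tag_native, 20)}")
```

Running it prints the VLAN each frame ends up in: only the first case, where the attacker's access VLAN equals the trunk's untagged native VLAN, reaches VLAN 20. An attacker in VLAN 10 stays in VLAN 10 because the switch re-tags the frame on the trunk, and moving the native VLAN to 999 or tagging the native VLAN has the same effect for an attacker in VLAN 1.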

Network Topology

The network topology used in this post is shown below: two switches and three PCs. We will configure the Ethernet0/0 and Ethernet0/1 interfaces of Switch1 and the Ethernet0/0 interface of Switch2 as access ports, configure Ethernet3/3 on both switches as trunk ports, and shut down every other interface. We will also disable trunk negotiation on each trunk interface so that an attacker cannot spoof a switch.

network topology for demonstrating how to mitigate vlan hopping

VLAN Hopping Attacks Mitigation

To mitigate VLAN hopping on a switch, shut down all interfaces that are not in use, statically configure the remaining interfaces as access or trunk ports, disable trunk negotiation (DTP), and change the native VLAN of each trunk from the default VLAN 1 to an unused VLAN ID.

Here are the steps to mitigate VLAN hopping using the sample network above:

Step 1: Create the Necessary VLANs

Switch1

SW1(config)#vlan 10
SW1(config-vlan)#name Sales
SW1(config-vlan)#exit
SW1(config)#vlan 20
SW1(config-vlan)#name Marketing
SW1(config-vlan)#exit

SW1(config)#do show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/0, Et0/1, Et0/2, Et0/3
                                                Et1/0, Et1/1, Et1/2, Et1/3
                                                Et2/0, Et2/1, Et2/2, Et2/3
                                                Et3/0, Et3/1, Et3/2, Et3/3
10   Sales                            active    
20   Marketing                        active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0   
10   enet  100010     1500  -      -      -        -    -        0      0   
20   enet  100020     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   
          
Remote SPAN VLANs
------------------------------------------------------------------------------
          

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch2

SW2(config)#vlan 10
SW2(config-vlan)#name Sales
SW2(config-vlan)#exit
SW2(config)#vlan 20
SW2(config-vlan)#name Marketing
SW2(config-vlan)#exit
SW2(config)#do show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/0, Et0/1, Et0/2, Et0/3
                                                Et1/0, Et1/1, Et1/2, Et1/3
                                                Et2/0, Et2/1, Et2/2, Et2/3
                                                Et3/0, Et3/1, Et3/2, Et3/3
10   Sales                            active    
20   Marketing                        active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0   
10   enet  100010     1500  -      -      -        -    -        0      0   
20   enet  100020     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   
          
Remote SPAN VLANs
------------------------------------------------------------------------------
          

Primary Secondary Type              Ports

Step 2: Shut down all unused interfaces

Switch1

First, check the port status:

SW1#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  up                    up      
Ethernet0/1            unassigned      YES unset  up                    up      
Ethernet0/2            unassigned      YES unset  up                    up      
Ethernet0/3            unassigned      YES unset  up                    up      
Ethernet1/0            unassigned      YES unset  up                    up      
Ethernet1/1            unassigned      YES unset  up                    up      
Ethernet1/2            unassigned      YES unset  up                    up      
Ethernet1/3            unassigned      YES unset  up                    up      
Ethernet2/0            unassigned      YES unset  up                    up      
Ethernet2/1            unassigned      YES unset  up                    up      
Ethernet2/2            unassigned      YES unset  up                    up      
Ethernet2/3            unassigned      YES unset  up                    up      
Ethernet3/0            unassigned      YES unset  up                    up      
Ethernet3/1            unassigned      YES unset  up                    up      
Ethernet3/2            unassigned      YES unset  up                    up      
Ethernet3/3            unassigned      YES unset  up                    up

Then shut down every interface on the switch that is not in use, leaving only Ethernet0/0, Ethernet0/1 and the trunk Ethernet3/3 up:

SW1(config)#interface range Ethernet0/2-3, Ethernet1/0-3, Ethernet2/0-3, Ethernet3/0-2
SW1(config-if-range)#shutdown
SW1(config-if-range)#exit

SW1#show ip interface brief 
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  up                    up      
Ethernet0/1            unassigned      YES unset  up                    up      
Ethernet0/2            unassigned      YES unset  administratively down down    
Ethernet0/3            unassigned      YES unset  administratively down down    
Ethernet1/0            unassigned      YES unset  administratively down down    
Ethernet1/1            unassigned      YES unset  administratively down down    
Ethernet1/2            unassigned      YES unset  administratively down down    
Ethernet1/3            unassigned      YES unset  administratively down down    
Ethernet2/0            unassigned      YES unset  administratively down down    
Ethernet2/1            unassigned      YES unset  administratively down down    
Ethernet2/2            unassigned      YES unset  administratively down down    
Ethernet2/3            unassigned      YES unset  administratively down down    
Ethernet3/0            unassigned      YES unset  administratively down down    
Ethernet3/1            unassigned      YES unset  administratively down down    
Ethernet3/2            unassigned      YES unset  administratively down down    
Ethernet3/3            unassigned      YES unset  up                    up

Switch2

First, check the port status:

SW2#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  up                    up      
Ethernet0/1            unassigned      YES unset  up                    up      
Ethernet0/2            unassigned      YES unset  up                    up      
Ethernet0/3            unassigned      YES unset  up                    up      
Ethernet1/0            unassigned      YES unset  up                    up      
Ethernet1/1            unassigned      YES unset  up                    up      
Ethernet1/2            unassigned      YES unset  up                    up      
Ethernet1/3            unassigned      YES unset  up                    up      
Ethernet2/0            unassigned      YES unset  up                    up      
Ethernet2/1            unassigned      YES unset  up                    up      
Ethernet2/2            unassigned      YES unset  up                    up      
Ethernet2/3            unassigned      YES unset  up                    up      
Ethernet3/0            unassigned      YES unset  up                    up      
Ethernet3/1            unassigned      YES unset  up                    up      
Ethernet3/2            unassigned      YES unset  up                    up      
Ethernet3/3            unassigned      YES unset  up                    up

Then shut down every interface on the switch that is not in use, leaving only Ethernet0/0 and the trunk Ethernet3/3 up:

SW2(config)#interface range Ethernet0/1-3, Ethernet1/0-3, Ethernet2/0-3, Ethernet3/0-2
SW2(config-if-range)#shutdown
SW2(config-if-range)#exit

SW2#show ip interface brief 
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0/0            unassigned      YES unset  up                    up      
Ethernet0/1            unassigned      YES unset  administratively down down
Ethernet0/2            unassigned      YES unset  administratively down down    
Ethernet0/3            unassigned      YES unset  administratively down down    
Ethernet1/0            unassigned      YES unset  administratively down down    
Ethernet1/1            unassigned      YES unset  administratively down down    
Ethernet1/2            unassigned      YES unset  administratively down down    
Ethernet1/3            unassigned      YES unset  administratively down down    
Ethernet2/0            unassigned      YES unset  administratively down down    
Ethernet2/1            unassigned      YES unset  administratively down down    
Ethernet2/2            unassigned      YES unset  administratively down down    
Ethernet2/3            unassigned      YES unset  administratively down down    
Ethernet3/0            unassigned      YES unset  administratively down down    
Ethernet3/1            unassigned      YES unset  administratively down down    
Ethernet3/2            unassigned      YES unset  administratively down down    
Ethernet3/3            unassigned      YES unset  up                    up

Step 3: Configure access ports

Because the Ethernet0/0 and Ethernet0/1 interfaces of Switch1 are connected to host devices, they are configured as access ports in VLAN 10 (Sales). Ethernet0/0 of Switch2 is configured as an access port in VLAN 20 (Marketing). A statically configured access port does not negotiate trunking, which the "Negotiation of Trunking" line in the output below confirms.

Switch1

SW1(config)#interface ethernet0/0
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#exit

SW1#show interfaces ethernet0/0 switchport 
 
Name: Et0/0
Switchport: Enabled
Administrative Mode: static access          <-- default is dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off                <-- must be Off
Access Mode VLAN: 10 (Sales)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
          
Protected: false
Appliance trust: none
SW1(config)#interface ethernet0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10

SW1#show interfaces ethernet0/1 switchport
 
Name: Et0/1
Switchport: Enabled
Administrative Mode: static access          <-- default is dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off                <-- must be Off
Access Mode VLAN: 10 (Sales)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
          
Protected: false
Appliance trust: none

Switch2

SW2(config)#interface ethernet0/0
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 20
SW2(config-if)#exit

SW2#show interfaces ethernet0/0 switchport 

Name: Et0/0
Switchport: Enabled
Administrative Mode: static access          <-- default is dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off                <-- must be Off
Access Mode VLAN: 20 (Marketing)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
          
Protected: false
Appliance trust: none

Step 4: Configure trunk ports

Ethernet3/3 on each switch is configured as an 802.1Q trunk that carries only VLANs 10 and 20. Restricting the allowed VLAN list limits what a trunk can expose if it is ever abused.

Switch1

SW1(config)#interface ethernet3/3
SW1(config-if)#switchport trunk encapsulation dot1q 
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 10,20

Switch2

SW2(config)#interface ethernet3/3
SW2(config-if)#switchport trunk encapsulation dot1q 
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk allowed vlan 10,20

Step 5: Disable trunk negotiation

Setting the mode to trunk statically does not stop the interface from sending DTP frames; the switchport nonegotiate command does. Enter it on the trunk interface of each switch (the prompts below are still in interface configuration mode for Ethernet3/3 from step 4):

Switch1

SW1(config-if)#switchport nonegotiate

Then confirm that trunk negotiation has been disabled

SW1#show interfaces ethernet3/3 switchport

Name: Et3/3
Switchport: Enabled
Administrative Mode: trunk                  <-- default is dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off                <-- must be Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)      <-- still the default; change it to an unused VLAN
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 10,20
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
          
Protected: false
Appliance trust: none

Switch2

SW2(config-if)#switchport nonegotiate

Then confirm that it has been disabled:

SW2#show interfaces ethernet3/3 switchport 

Name: Et3/3
Switchport: Enabled
Administrative Mode: trunk                  <-- default is dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off                <-- must be Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)      <-- still the default; change it to an unused VLAN
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 10,20
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
          
Protected: false
Appliance trust: none
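
The verification outputs above can be read by hand on two switches, but on a larger estate it is easier to audit the saved output of show interfaces switchport for every port at once. The following Python script is an added example, not from the original post: it parses that output format into one record per interface and flags the conditions the steps above are meant to remove (DTP negotiation still on, a dynamic administrative mode, a trunk still on native VLAN 1, and a trunk that allows every VLAN). SAMPLE is constructed for the example from the format shown above, with an extra Ethernet0/2 left in its default dynamic auto state; in practice replace it with the output captured from each switch. The recommendation strings are the example's own wording.

```python
"""Audit 'show interfaces switchport' output for VLAN hopping exposure (added example)."""
import re
from typing import Dict, List

# Constructed sample in the format shown in the post; not captured from a real switch.
SAMPLE = """\
Name: Et0/0
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Sales)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Et0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Et3/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 10,20
"""

FIELD = re.compile(r"^([^:]+):\s*(.*)$")


def parse_switchport(text: str) -> List[Dict[str, str]]:
    """Split the command output into one dict per interface, keyed by field name."""
    ports: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue                      # lines such as "Capture Mode Disabled" have no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Name":                 # a new interface block starts with its name
            current = {"Name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def vlan_id(value: str) -> int:
    """'1 (default)' -> 1"""
    return int(value.split()[0])


def audit(port: Dict[str, str]) -> List[str]:
    """Findings for one interface; an empty list means the port passes the checks."""
    findings: List[str] = []
    admin = port.get("Administrative Mode", "")
    oper = port.get("Operational Mode", "")
    if port.get("Negotiation of Trunking", "").lower() == "on":
        findings.append("DTP negotiation is on: apply 'switchport nonegotiate'")
    if admin.startswith("dynamic"):
        findings.append(f"administrative mode is '{admin}': set 'switchport mode access' or 'switchport mode trunk'")
    if oper == "trunk":
        if vlan_id(port.get("Trunking Native Mode VLAN", "1")) == 1:
            findings.append("trunk native VLAN is 1: move it to an unused VLAN and tag it")
        if port.get("Trunking VLANs Enabled", "ALL").upper() == "ALL":
            findings.append("trunk allows all VLANs: restrict with 'switchport trunk allowed vlan'")
    return findings


def audit_report(text: str) -> Dict[str, List[str]]:
    """Map each interface name to its findings."""
    return {p["Name"]: audit(p) for p in parse_switchport(text)}


if __name__ == "__main__":
    for name, findings in audit_report(SAMPLE).items():
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, Et0/0 passes, Et0/2 is reported for both its dynamic mode and active DTP negotiation, and the trunk Et3/3, although configured exactly as in step 5, is still reported because its native VLAN is 1: that is the remaining item from the mitigation list at the top of this section.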

 
