In any network, various VLANs cater to different departments within an organization. For instance, one VLAN might serve the network engineering team, while another could be dedicated to the security engineering team. VLANs are important for segmenting the network: they ensure that access to resources is restricted within each VLAN.
Even though VLANs do well at segmenting a network, attackers have devised methods to bypass this segmentation and move from one VLAN to another without traversing a router. This tactic is commonly referred to as VLAN hopping.
VLAN hopping occurs when attackers exploit weaknesses in VLAN configuration by sending network frames to ports that should not be reachable by any legitimate device. The primary objective is to gain unauthorized access to all active VLANs. Once one VLAN is breached, it paves the way for attackers to infiltrate the other VLANs carried on the same switched network.
There are two primary techniques used by attackers to facilitate unauthorized access between VLANs:
- a) Switch Spoofing
- b) Double-tagging
A) Switch Spoofing: Typically, network administrators configure interfaces on a switch as either access ports or trunk ports. Access ports are designated for connecting host devices like PCs or laptops and are associated with a specific VLAN. Trunk ports, on the other hand, are configured to carry traffic from multiple VLANs. While it is recommended to configure these settings manually, switches often offer automatic configuration: the switch determines what kind of device is connected to an interface and decides whether the port becomes a trunk port or an access port. Although automatic configuration is easier, it has no authentication, so an attacker can impersonate a switch and negotiate a trunk. To mitigate this risk, network administrators should disable automatic configuration and manually configure each switch interface as either an access or a trunk port.
B) Double Tagging: When a frame crosses a trunk, a tag carrying its VLAN ID is added so the receiving switch knows which VLAN it belongs to. In a double-tagging attack, the attacker adds a second tag to the frame. The first switch strips the outer tag and forwards the frame across the trunk; the next switch then reads the inner tag. The technique relies on the native VLAN, whose traffic is carried across the trunk without a tag: once the outer tag for the native VLAN is removed, the attacker's inner tag is what the next switch acts on, so the frame can be delivered into any VLAN. The traffic only flows one way; the recipient has no path to send anything back. An attacker can still use it to push hazardous traffic at a victim, which can result in a denial of service. To prevent double tagging, restrict the use of the native VLAN: change the native VLAN ID (so that it does not match any access VLAN) and enforce tagging for traffic on the native VLAN.
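The following is an added example, not code from the post: a small model of the native VLAN handling described above, used to check which trunk settings keep the inner tag from being honoured by the next switch. The frames, VLAN IDs and MAC addresses are constructed here and are assumptions.

```python
# Added example (not from the post): model the 802.1Q native VLAN handling a
# trunk applies, then see which setting stops a stacked inner tag from being
# honoured downstream. Frames, MACs and VLAN IDs below are constructed.
import struct

TPID_8021Q = 0x8100        # EtherType announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def make_frame(vids, payload=b"\x00" * 46):
    """Build an Ethernet frame carrying the given tag stack (outer first)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200deadbeef")
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI = 0
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Return the VLAN ID of every stacked 802.1Q tag, outer to inner."""
    vids, off = [], 12
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids


def trunk_egress(frame, native_vid, tag_native):
    """Model the first switch sending the frame out its trunk: frames in the
    native VLAN leave untagged unless native tagging is enforced."""
    vids = parse_tags(frame)
    if vids and vids[0] == native_vid and not tag_native:
        return frame[:12] + frame[16:]        # drop the outer 4-byte tag
    return frame


def vlan_seen_by_next_switch(frame, native_vid, tag_native):
    """VLAN the receiving trunk assigns to the frame: its outermost tag, or
    the native VLAN if it arrives untagged."""
    vids = parse_tags(trunk_egress(frame, native_vid, tag_native))
    return vids[0] if vids else native_vid


if __name__ == "__main__":
    f = make_frame([1, 20])   # outer tag = default native VLAN 1, inner = 20
    for native, tagged in [(1, False), (1, True), (999, False)]:
        # only the first combination lets the inner tag (20) through
        print(native, tagged, vlan_seen_by_next_switch(f, native, tagged))
```

With the default native VLAN 1 and no native tagging the inner tag 20 is what the second switch acts on; either enforcing native tagging or moving the native VLAN to an ID no access port uses keeps the frame in VLAN 1.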
Network Topology
The network topology used in this post is shown below; it consists of two switches and three PCs. In this demonstration, we will configure the e0/0 and e0/1 interfaces of switch1 and the e0/0 interface of switch2 as access ports, configure e3/3 of switch1 and e3/3 of switch2 as trunk ports, and then shut down every other interface. We will also disable trunk negotiation on each trunk interface to prevent an attacker from spoofing a switch.
VLAN Hopping Attacks Mitigation
To mitigate VLAN hopping on a switch, shut down all interfaces not in use, disable trunk negotiation, and change the native VLAN ID.
Here are the steps to mitigate VLAN hopping using the sample network above:
Step 1: Create the Necessary VLANs
Switch1
SW1(config)#vlan 10
SW1(config-vlan)#name Sales
SW1(config-vlan)#exit
SW1(config)#vlan 20
SW1(config-vlan)#name Marketing
SW1(config-vlan)#exit
SW1(config)#do show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/1, Et0/2, Et0/3
Et1/0, Et1/1, Et1/2, Et1/3
Et2/0, Et2/1, Et2/2, Et2/3
Et3/0, Et3/1, Et3/2, Et3/3
10 Sales active
20 Marketing active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
Switch2
SW2(config)#vlan 10
SW2(config-vlan)#name Sales
SW2(config-vlan)#exit
SW2(config)#vlan 20
SW2(config-vlan)#name Marketing
SW2(config-vlan)#exit
SW2(config)#do show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/1, Et0/2, Et0/3
Et1/0, Et1/1, Et1/2, Et1/3
Et2/0, Et2/1, Et2/2, Et2/3
Et3/0, Et3/1, Et3/2, Et3/3
10 Sales active
20 Marketing active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
Step 2: Shut down all unused interfaces
Switch1
First, check the port status:
SW1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset up up
Ethernet1/0 unassigned YES unset up up
Ethernet1/1 unassigned YES unset up up
Ethernet1/2 unassigned YES unset up up
Ethernet1/3 unassigned YES unset up up
Ethernet2/0 unassigned YES unset up up
Ethernet2/1 unassigned YES unset up up
Ethernet2/2 unassigned YES unset up up
Ethernet2/3 unassigned YES unset up up
Ethernet3/0 unassigned YES unset up up
Ethernet3/1 unassigned YES unset up up
Ethernet3/2 unassigned YES unset up up
Ethernet3/3 unassigned YES unset up up
Then shut down all unused interfaces on the switch:
SW1(config)#interface range Ethernet0/2-3, Ethernet1/0-3, Ethernet2/0-3, Ethernet3/0-2
SW1(config-if-range)#shutdown
SW1(config-if-range)#exit
SW1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Ethernet1/0 unassigned YES unset administratively down down
Ethernet1/1 unassigned YES unset administratively down down
Ethernet1/2 unassigned YES unset administratively down down
Ethernet1/3 unassigned YES unset administratively down down
Ethernet2/0 unassigned YES unset administratively down down
Ethernet2/1 unassigned YES unset administratively down down
Ethernet2/2 unassigned YES unset administratively down down
Ethernet2/3 unassigned YES unset administratively down down
Ethernet3/0 unassigned YES unset administratively down down
Ethernet3/1 unassigned YES unset administratively down down
Ethernet3/2 unassigned YES unset administratively down down
Ethernet3/3 unassigned YES unset up up
Switch2
First, check the port status:
SW2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset up up
Ethernet1/0 unassigned YES unset up up
Ethernet1/1 unassigned YES unset up up
Ethernet1/2 unassigned YES unset up up
Ethernet1/3 unassigned YES unset up up
Ethernet2/0 unassigned YES unset up up
Ethernet2/1 unassigned YES unset up up
Ethernet2/2 unassigned YES unset up up
Ethernet2/3 unassigned YES unset up up
Ethernet3/0 unassigned YES unset up up
Ethernet3/1 unassigned YES unset up up
Ethernet3/2 unassigned YES unset up up
Ethernet3/3 unassigned YES unset up up
Then shut down all unused interfaces on the switch:
SW2(config)#interface range Ethernet0/1-3, Ethernet1/0-3, Ethernet2/0-3, Ethernet3/0-2
SW2(config-if-range)#shutdown
SW2(config-if-range)#exit
SW2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Ethernet1/0 unassigned YES unset administratively down down
Ethernet1/1 unassigned YES unset administratively down down
Ethernet1/2 unassigned YES unset administratively down down
Ethernet1/3 unassigned YES unset administratively down down
Ethernet2/0 unassigned YES unset administratively down down
Ethernet2/1 unassigned YES unset administratively down down
Ethernet2/2 unassigned YES unset administratively down down
Ethernet2/3 unassigned YES unset administratively down down
Ethernet3/0 unassigned YES unset administratively down down
Ethernet3/1 unassigned YES unset administratively down down
Ethernet3/2 unassigned YES unset administratively down down
Ethernet3/3 unassigned YES unset up up
Step 3: Configure Access Ports
Because the e0/0 and e0/1 interfaces of switch1 are connected to host devices, they need to be configured as access ports. Also configure e0/0 of switch2 as an access port.
Switch1
SW1(config)#interface ethernet0/0
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#exit
SW1#show interfaces ethernet0/0 switchport
Name: Et0/0
Switchport: Enabled
Administrative Mode: static access    <-- default is "dynamic auto"
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off    <-- must show "Off"
Access Mode VLAN: 10 (Employee)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
######################################################
SW1(config)#interface ethernet0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1#show interfaces ethernet0/1 switchport
Name: Et0/1
Switchport: Enabled
Administrative Mode: static access    <-- default is "dynamic auto"
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off    <-- must show "Off"
Access Mode VLAN: 10 (Employee)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
Switch2
SW2(config)#interface ethernet0/0
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 20
SW2(config-if)#exit
SW2#show interfaces ethernet0/0 switchport
Name: Et0/0
Switchport: Enabled
Administrative Mode: static access    <-- default is "dynamic auto"
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off    <-- must show "Off"
Access Mode VLAN: 20 (Marketing)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
Step 4: Configure Trunk ports
Switch1
SW1(config)#interface ethernet3/3
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 10,20
Switch2
SW2(config)#interface ethernet3/3
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk allowed vlan 10,20
Step 5: Disable Trunk Negotiation
Disable trunk negotiation by entering the following command on the trunk interface of each switch.
Switch1
SW1(config-if)#switchport nonegotiate
Then confirm that trunk negotiation has been disabled:
SW1#show interfaces ethernet3/3 switchport
Name: Et3/3
Switchport: Enabled
Administrative Mode: trunk    <-- default is "dynamic auto"
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off    <-- must show "Off"
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 10,20
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
Switch2
SW2(config-if)#switchport nonegotiate
Then confirm that it has been disabled:
SW2#show interfaces ethernet3/3 switchport
Name: Et3/3
Switchport: Enabled
Administrative Mode: trunk    <-- default is "dynamic auto"
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off    <-- must show "Off"
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 10,20
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
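As an added example (not part of the post or the switch vendor's tooling), the check below audits "show interfaces ... switchport" output for the settings walked through in Steps 3 to 5: a static port mode, negotiation off, and a native VLAN that has been moved away from 1 on trunk ports. The sample output is constructed in the same shape as the post's, and the interface names and values in it are assumptions.

```python
# Added example (not from the post): audit "show interfaces ... switchport"
# text for the VLAN hopping mitigations the post applies. SAMPLE is
# constructed in the shape of the post's output; names/values are assumed.

SAMPLE = """\
Name: Et0/0
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 10 (Sales)
Trunking Native Mode VLAN: 1 (default)

Name: Et3/3
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""


def parse_switchport(text):
    """Split the output into one {field: value} dict per interface."""
    ports, cur = [], None
    for line in text.splitlines():
        if ":" not in line:            # e.g. "Capture Mode Disabled"
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Name":
            cur = {"Name": val}
            ports.append(cur)
        elif cur is not None:
            cur[key] = val
    return ports


def audit(ports):
    """Return one finding string per mitigation that is still missing."""
    findings = []
    for p in ports:
        name = p["Name"]
        mode = p.get("Administrative Mode", "")
        if mode.startswith("dynamic"):
            findings.append(f"{name}: mode is '{mode}'; set access or trunk statically")
        if p.get("Negotiation of Trunking") != "Off":
            findings.append(f"{name}: trunk negotiation is on; apply 'switchport nonegotiate'")
        if p.get("Operational Mode") == "trunk":
            native = p.get("Trunking Native Mode VLAN", "").split()[0]
            if native == "1":
                findings.append(f"{name}: native VLAN is still 1; move it to an unused VLAN ID")
    return findings


if __name__ == "__main__":
    for f in audit(parse_switchport(SAMPLE)):
        print(f)
```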
I am a passionate Networking Associate specializing in Telecommunications.
With a degree in electronic engineering, I possess a strong understanding of electronic systems and the intricacies of telecommunications networks. I gained practical experience and valuable insights working for a prominent telecommunications company.
Additionally, I hold certifications in networking, which have solidified my expertise in network architecture, protocols, and optimization.
Through my writing skills, I aim to provide accurate and valuable knowledge in the networking field.