Preventing a basic switch spoofing VLAN hopping attack involves explicitly turning off DTP on all user ports (by placing each port in access mode with the switchport mode access command), except for the ports that specifically require DTP, such as the trunk ports. In addition, all unused switch ports should be disabled and placed in a separate, unused VLAN.
To prevent a double-tagging (double-encapsulated) VLAN hopping attack, ensure that the native VLAN ID on all trunk ports is different from the VLAN ID of the user ports. It is best to use a dedicated VLAN as the native VLAN for all trunk ports, and not the default native VLAN ID; using VLAN 1 should always be avoided. Configuring the native VLAN to tag all traffic removes the exposure to double dot1Q-tagged packets hopping VLANs. Enable the vlan dot1q tag native command from global configuration mode on the edge switch to tag all packets on all 802.1Q trunk ports, including native VLAN egress traffic, and to drop untagged native VLAN ingress traffic. This command was introduced in Cisco Catalyst IOS release 12.1(9)EA1. For older versions, the native VLAN should be changed to an unused VLAN number on both sides of the trunk.