How can you mitigate attacks in which the attacker attaches more than one VLAN tag to a packet?

A. Disable EtherChannel
B. Enable transparent VTP on the switch
C. Explicitly identify each VLAN allowed across the trunk
D. Assign an access VLAN to every active port on the switch


8 thoughts on “How can you mitigate attacks in which the attacker attaches more than one VLAN tag to a packet?”

  1. C is correct.
    Double tagging is caused by the native VLAN; the attacker uses the native VLAN for double tagging.
    If we remove the native VLAN from the trunk, then we mitigate the attack.
    #switchport trunk native vlan 800
    #switchport trunk allowed vlan remove 800

  2. I hate badmouthing Cisco but their exams suck. They are all over the board but in this case… The CCNA Sec is pretty good

    From CCNP Security Secure 642-637

    Switches implement virtual LANs (VLAN). Users connect to access ports that are members of a VLAN as specified in the switch configuration. VLAN hopping is where a user can gain access to a VLAN not assigned to the switch port to which the user connects.

    NOTE

    When statically assigning MAC addresses, be careful of the possible support overhead that will be required for any moves or changes to the end-user infrastructure.

    A user can achieve this in two ways against the default configuration of a Cisco switch port. The first and most commonly used VLAN hopping method is where the attacker makes his workstation act as a trunk port. Most switches, in the default configuration, need only one side of a connection to announce themselves as a trunk; then the switch automatically trunks all available VLANs over the switch port. This results in the attacker seeing all traffic across all VLANs.

    The second way an attacker can hop VLANs is by using double tagging. With double tagging, the attacker inserts a second 802.1q tag in front of the existing 802.1q tag. This relies on the switch stripping off only the first 802.1q tag and leaving itself vulnerable to the second tag. This is not as common a method of VLAN hopping as using trunking.

    To ensure you do not fall foul of a VLAN hopping attack, you must ensure that all your user ports are assigned as access mode ports. Any unused ports should be disabled and set as access mode ports by default.

    To set a switch port to access mode, use the following configuration command from interface configuration mode:

    Switch(config-if)# switchport mode access
    By entering this command at the interface level, you switch the port into access mode; this port can never become a trunk port. It is a good practice to get into, to ensure that all ports are configured in the correct mode. This should form part of your deployment strategy for all access layer switches in use within your organization.

    When configuring a trunk port, the native VLAN needs to be set to a unique VLAN, which is not routable or used elsewhere. To set a native VLAN on a trunk port, use the following configuration command from interface configuration mode:

    Switch(config-if)# switchport trunk native vlan {number}

  3. @Adam
    reconsider your answer. The question is about VLAN hopping, and “C” does not mitigate this. To my understanding, they want us to assign to every active unused port a different VLAN than VLAN 1, which by default is native (no tag) and therefore vulnerable to VLAN hopping. I would go with “D”.

    1. Hello Adam. The answer seems to be D from what I read.
      Can you explain why C is correct or if you have any documentation on that.
      Thank you!!
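As an added example (not code from the page, the commenters, or Cisco), the following Python audits a constructed IOS running-config fragment for the mitigations the book excerpt in comment 2 and the native-VLAN pruning in comment 1 describe: user ports explicitly in access mode, and trunks whose native VLAN is not the default 1 and is removed from the allowed list. It assumes hypothetical interface names and VLAN numbers and a simplified config syntax (no `allowed vlan add/remove/except` forms).

```python
# Constructed IOS running-config sample (hypothetical names and VLAN ids, not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 800
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 1,10-20
!
"""

def parse_interfaces(config):  # map each 'interface X' stanza to its indented commands
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return ifaces

def expand_vlans(spec):  # IOS VLAN list such as '1,10-20' (or 'all') -> set of VLAN ids
    ranges = [p.partition("-") for p in ("1-4094" if spec == "all" else spec).split(",")]
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def audit_vlan_hopping(config):  # {interface: [findings]} for ports missing the mitigations
    findings = {}
    for name, lines in parse_interfaces(config).items():
        cfg = dict(l.rsplit(" ", 1) for l in lines if " " in l)  # 'switchport mode' -> 'access'
        issues, mode = [], cfg.get("switchport mode")
        if mode == "trunk":
            native = int(cfg.get("switchport trunk native vlan", "1"))  # IOS default native VLAN
            if native == 1:
                issues.append("native VLAN is the default 1: set a unique, unused VLAN")
            if native in expand_vlans(cfg.get("switchport trunk allowed vlan", "all")):
                issues.append(f"native VLAN {native} allowed on trunk: 'switchport trunk allowed vlan remove {native}'")
        elif mode != "access":  # DTP default can negotiate a trunk with an attached host
            issues.append("not in access mode: 'switchport mode access' (and 'shutdown' if unused)")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit_vlan_hopping(SAMPLE_CONFIG)` flags only Gi0/2 (left at defaults) and Gi0/24 (native VLAN 1, still allowed on the trunk); the hardened trunk Gi0/23 and the access port Gi0/1 pass.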
