secure vlan trunking
1. VLAN Hopping with Switch Spoofing
2. VLAN Hopping with double-tagged<\/p>\n\n\n\n
…………………………………………………………………..<\/p>\n\n\n\n
vlan hopping with Switch Spoofing<\/strong> \u8aaa\u660e solution1<\/strong> solution2<\/strong> the way ,an end user never will be able to send any type of spoofed traffic that will make the switch port begin trunking.<\/p>\n\n\n\n …………………………………………………….<\/p>\n\n\n\n VLAN Hopping with double-tagged<\/strong> the attack success conditions must exist<\/strong> VLAN Hopping Attack Process<\/strong> solution1<\/strong> To force a switch to tag the native VLAN on all its 802.1Q trunks secure vlan trunking1. VLAN Ho …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[31],"tags":[],"class_list":["post-880","post","type-post","status-publish","format-standard","hentry","category-cisco-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=880"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/880\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
to Gain Access to a Trunk
DTP can make switch administration easier,but it also can expose switch ports to be compromised.<\/p>\n\n\n\n
a switch port is left to its default configuration(trunking mode is auto) . Normally, the switch port would wait to be asked by another switch in the auto or on mode to become a trunk.
Possible as follows:
A well-behaved end user:<\/strong>
\u30001. would not use DTP at all,
\u30002. so the port would come up in access mode with a single-access VLAN.
A malicious user:<\/strong>
\u30001. might exploit the use of DTP
\u30002. and attempt to negotiate a trunk with the switch port.
\u5f8c\u679c
This makes the PC appear to be another switch; in effect, the PC is spoofing a switch
\u5371\u5bb3
After the trunk is negotiated, the attacker has access to any VLAN<\/strong> that is permitted to pass over the trunk<\/p>\n\n\n\n
to configure every switch port to have an expected and controlled behavior
configure it to static access mode
(config-if)# switchport mode access<\/strong><\/p>\n\n\n\n
turn off DTP on all ports
(config-if)#switchport nonegotiate<\/strong><\/p>\n\n\n\n
an attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router<\/p>\n\n\n\n
1. The attacker is connected to an access switch port<\/strong>.
2. The same switch must have an 802.1Q trunk<\/strong>.
3. The trunk must have the attacker’s access VLAN as its native VLAN<\/strong><\/p>\n\n\n\n
\u74b0\u5883\u8aaa\u660e:attacker\u9023\u63a5\u4e4baccess port\u70bavlan1 , \u8a72switch\u4f7f\u7528trunk\u4e14native vlan\u70ba1
1.
Attacker Sends a Double-Tagged Packet onto His Local Access VLAN
attack on vlan1 —[vlan1][vlan20][payload]—> (access)switch A
2.
When switch A Is Ready to Forward the Packet onto the Trunk,
the First Tag Is Stripped Because it Is the Same as the Trunk’s Native VLAN
switch A(trunk) ===[vlan20][payload]===> (trunk)switch B
3.
The Packet Is Received by switch B; as the Second Tag Is Stripped,
it Appears to Identify the Source VLAN as VLAN 20
switch B(access) —[payload]—> USER on vlan20
4.
The Packet Originally from VLAN 1 Is Now Sent into VLAN 20<\/p>\n\n\n\n
solution0<\/strong>
\u907f\u514dnative vlan\u548cuser\u7684access vlan\u8a2d\u70ba\u540c\u4e00\u500b<\/p>\n\n\n\n
configure trunk links with the following steps:
Step 1. Set the native VLAN of a trunk to a bogus or unused VLAN ID.
Step 2. Prune the native VLAN off both ends of the trunk
ps:
Although maintenance protocols such as CDP, PAgP, and DTP normally are carried over the native VLAN of a trunk, they will not be affected if the native VLAN is pruned from the trunk.
They still will be sent and received on the native VLAN as a special case even if the native VLAN ID is not in the list of allowed VLANs
ex:
suppose that an 802.1Q trunk should carry only VLANs 10 and 20. You
should set the native VLAN to an unused value, such as 800. Then you should remove
VLAN 800 from the trunk so that it is confined to the trunk link itself.
Switch(config)# vlan 800
Switch(config-vlan)# name bogus_native
Switch(config-vlan)# exit
Switch(config)# interface gigabitethernet 1\/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk<\/p>\n\n\n\n
soluction2<\/strong>
to force all 802.1Q trunks to add tags to frames for the native VLAN, too
\u8aaa\u660e:
The double-tagged VLAN hopping attack won’t work because the switch won’t remove the
first tag with the native VLAN ID
\u6b65\u9a5f
1. that tag will remain on the spoofed frame as it enters the trunk
2. At the far end of the trunk, the same tag will be examined, and the frame will stay on the original access VLAN<\/p>\n\n\n\n
(config)# vlan dot1q tag native<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"