VLAN Hopping
Could someone tell me if newer versions of IOS have fixed this issue?
It seems that a logical fix to this security exploit is to FILTER tagged frames on access ports. I know you can do this manually with ACLs, but I'm wondering if Cisco has implemented this as default behavior?
Comments
-
ColbyG:
Why would there be tagged frames on ports that were hard coded to access?
-
networker050184:
ColbyG wrote: » Why would there be tagged frames on ports that were hard coded to access?
Because someone is trying to double tag to gain access to another VLAN.
The issue is not fixed in any IOS that I know of. In order to "hop" VLANs the host attacker has to double tag the frame because the switch will strip the first tag. If you configure your trunks correctly you never have to worry about VLAN hopping anyway.
An expert is a man who has made all the mistakes which can be made.
-
yuriz43:
Ok, so the only way to prevent this type of attack is to assign an unused VLAN as native, or disable the native VLAN on your dot1q trunks.
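As an added example (not code from the thread or from Cisco), a small audit that applies the mitigation just described to an IOS running-config excerpt: it flags every dot1q trunk whose native VLAN is also in use as an access VLAN, unless the switch tags the native VLAN globally. The config text and interface names are constructed; the checked commands (`switchport mode trunk`, `switchport trunk native vlan`, `switchport access vlan`, `vlan dot1q tag native`) are standard IOS syntax.

```python
"""Flag dot1q trunks exposed to double-tagged VLAN hopping."""

# Constructed running-config excerpt for the example (not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/4
 switchport mode access
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} per interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None  # end of stanza
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def _vlan(lines, prefix):
    """VLAN number set by a command starting with prefix; IOS default is 1."""
    for line in lines:
        if line.startswith(prefix):
            return int(line[len(prefix):])
    return 1


def audit(config):
    """Map each exposed trunk to the reason a double-tagged frame would hop."""
    # 'vlan dot1q tag native' makes the switch tag the native VLAN, so an
    # untagged outer tag no longer gets stripped and the inner tag never leaks.
    tag_native = any(l.strip() == "vlan dot1q tag native" for l in config.splitlines())
    interfaces = parse_interfaces(config)
    access_vlans = {_vlan(lines, "switchport access vlan ")
                    for lines in interfaces.values() if "switchport mode access" in lines}
    findings = {}
    for name, lines in interfaces.items():
        if "switchport mode trunk" not in lines:
            continue
        native = _vlan(lines, "switchport trunk native vlan ")
        if native in access_vlans and not tag_native:
            findings[name] = f"native VLAN {native} is also an access VLAN"
    return findings
```

Gi0/2 is reported because its native VLAN matches the access VLAN on Gi0/1; Gi0/3 uses an unused native VLAN and passes.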
-
ColbyG:
networker050184 wrote: » Because someone is trying to double tag to gain access to another VLAN.
The issue is not fixed in any IOS that I know of. In order to "hop" VLANs the host attacker has to double tag the frame because the switch will strip the first tag. If you configure your trunks correctly you never have to worry about VLAN hopping anyway.
Wow... that's pretty cool. Just did some reading about it.