From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Tue Dec 18 2007 - 15:33:44 ART
Hi Andy,
IMHO the phones let the traffic from the clients go untagged on the trunk. So if you are using a different vlan as native I think you'd have connectivity problems with that config.
Remember also that forcing the mode to access disables the reception of tagged frames on the switch port. You could eventually tag the frames you are sending with the VLAN tag of the access port you're connected to, but I've read somewhere that Cisco switches are not vulnerable to that.
Honestly, what I'd be worried about is that there is some publicly available software that you can run on your PC to impersonate a Cisco IP Phone, and thus gain access to the voice VLAN, which is often overlooked security-wise, and, for example, MITM a voice conversation.
For reference, read Cisco Press - LAN Switch Security. It is a great book on the subject of L2 security, and it addresses VLAN hopping attacks.
For the ip phone "impersonation" see VoIP Hopper and such.
Gustavo Novais
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Anderson Mota Alves
Sent: Tuesday, 18 December 2007 17:34
To: ccielab@groupstudy.com
Subject: VLAN Hopping
Hi guys,
The concept I have about VLAN hopping is that basically you disable DTP on a
Cisco switch so the attacker cannot change the port to a trunk. The second method
that can be used is to prevent the attacker from sending traffic from one switch to
another using two 802.1Q tags, one for the attacking switch and the other for
the victim, which in 802.1Q goes under the native VLAN (untagged packet). So my
question is:
Imagine I have in my company the need to configure a port in trunk mode with
voice going to one VLAN and data to another, let's say data on VLAN 45 and
voice on VLAN 50.
I would do something like this:
interface FastEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! disable DTP so the far end cannot negotiate trunking
 switchport nonegotiate
 ! data VLAN 45, voice VLAN 50 (tagged)
 switchport access vlan 45
 switchport voice vlan 50
 ! native VLAN moved to an unused VLAN
 switchport trunk native vlan 500
My question is whether my config above would be a better approach, and also
whether putting the native VLAN on the router in a VLAN that doesn't exist on the
switch, or that has no ports assigned to it, would avoid the double tagging of 802.1Q.
Could someone shed some light here, since I've been reading forums and books and
I'm still confused about it.
Thanks a million
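To show why the native VLAN matters for the double-tagging case raised in this question, here is an added example (my own toy model, not part of the thread and not real switch code) that follows a frame from an access port across a dot1q trunk to a second switch; the helper functions and the constructed frame are assumptions, while the VLAN numbers 45, 50 and 500 are the ones from the question. With the native VLAN equal to the data VLAN, the inner tag survives the trunk and the frame lands in the voice VLAN; with the native VLAN moved to the unused VLAN 500, or with the native VLAN tagged, it stays in VLAN 45.

```python
import struct

TPID_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800
DATA_VLAN, VOICE_VLAN, UNUSED_VLAN = 45, 50, 500  # VLAN numbers from the question

def build_frame(tags, payload=b"constructed payload"):
    # Constructed frame: broadcast dst, made-up src, 802.1Q tags outermost first.
    hdr = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
    for vid in tags:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload

def outer_tag(frame):
    # VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged.
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF

def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]
def pop_tag(frame):
    return frame[:12] + frame[16:]

def access_ingress(frame, access_vlan):
    # Access port: untagged -> access VLAN; a tag equal to the access VLAN is
    # accepted and stripped; any other tag is dropped (returns None).
    vid = outer_tag(frame)
    if vid is None:
        return access_vlan, frame
    return (access_vlan, pop_tag(frame)) if vid == access_vlan else (None, None)

def trunk_egress(vlan, frame, native_vlan, tag_native):
    # Trunk: the native VLAN leaves untagged unless 'vlan dot1q tag native' is set.
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)

def trunk_ingress(frame, native_vlan):
    # Receiving trunk: the outermost tag selects the VLAN; untagged means native.
    vid = outer_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, pop_tag(frame))

def deliver(frame, access_vlan, native_vlan, tag_native=False):
    # VLAN the frame lands in on the far switch, or None if it is dropped.
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    vlan, _ = trunk_ingress(trunk_egress(vlan, f, native_vlan, tag_native), native_vlan)
    return vlan
```

deliver(build_frame([45, 50]), 45, native_vlan=45) returns 50, while native_vlan=500 or tag_native=True returns 45.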
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:31 ARST