From: Cielieska Nathan (ncielieska@gmail.com)
Date: Tue Dec 18 2007 - 17:16:13 ART
Andy,
I think that your voice vlan is under the same scrutiny as your data
traffic. I would Native Vlan out something erroneous (like have vlan
300 as your native vlan, and no other ports in your network native
except for the trunks, in essence removing untagged traffic). I saw
another command on the board the other day that was interesting:
vlan dot1q tag native (command that tags your native as well) to
eliminate the dot1q runaround with untagged traffic.
Maybe apply some mac address security with
limit allowed trunks (disregarding the native vlan) on pertinent trunks
On access ports
int f0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address <phone mac> vlan voice
 switchport port-security mac-address <pc mac>
 switchport port-security violation shutdown
Regards,
Nate
On Dec 18, 2007, at 1:33 PM, Gustavo Novais wrote:
> Hi Andy,
>
> IMHO the phones let the traffic from the clients go untagged on the
> trunk. So if you are using a different vlan as native I think you'd
> have connectivity problems with that config.
>
> Remember also that forcing the mode to access disables the
> reception of tagged frames on the switch port. You could eventually
> tag the frames you are sending with the vlan tag of the access port
> you're connected to, but I read somewhere that cisco switches are
> not vulnerable to that.
>
> Honestly, what I'd be worried about is that there is some publicly
> available software that you can run on your PC to impersonate a
> Cisco IP Phone, and thus have access to the voice vlan, which is
> often overlooked security-wise, and for example, MITM a voice
> conversation.
>
> For reference read Cisco Press - LAN Switch Security. It is a great
> book on the L2 security subject, and it addresses vlan hopping attacks.
>
> For the ip phone "impersonation" see VoIP Hopper and such.
> Gustavo Novais
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Anderson Mota Alves
> Sent: Tuesday, 18 December 2007 17:34
> To: ccielab@groupstudy.com
> Subject: VLAN Hopping
>
> Hi guys,
>
> The concept I have about vlan hopping is that basically you disable
> DTP in a cisco to not let the attacker change the port to a trunk, and
> the second method that can be used is to prevent the attacker from
> sending traffic from one switch to another using two 802.1Q tags, one
> for the attacking switch and the other for the victim, since in 802.1Q
> it goes under native (untagged packet). So my question is:
>
> Imagine I have in my company the need to configure a port in trunk
> mode with voice going to one vlan and data to another, let's say data
> for vlan 45 and voice vlan 50.
>
> I would do something like this:
>
> int fa0/0
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  switchport nonegotiate
>  switchport voice vlan 50
>  switchport access vlan 50
>  switchport trunk native vlan 500
>
> My question is whether my config above would be a better approach,
> and also if putting the native vlan in the router in a vlan that
> doesn't exist in the switch, or without ports assigned into it, would
> avoid the double tagging of 802.1Q.
>
> Could someone shed a light here, since I've been reading forums and
> books and I'm still confused about it.
>
>
> Thanks a million
>
> ______________________________________________________________________
> _
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
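The thread above boils down to a short hardening checklist for a Catalyst switch: pin every port to an explicit access or trunk mode so DTP cannot negotiate a trunk, add `switchport nonegotiate` on trunks, move the trunk native VLAN to a VLAN that has no access ports (or tag it with `vlan dot1q tag native`), and put port-security on access ports. The following script is an added example, not code from the thread or from Cisco; it audits a constructed running-config excerpt against exactly those points. The interface names, VLAN numbers and the SAMPLE_CONFIG text are all made up for the example, and the parser assumes the usual IOS layout of `interface` stanzas with indented sub-commands.

```python
"""Audit a Catalyst-style running config for the VLAN-hopping hardening
points from the thread: DTP left negotiable, trunks without nonegotiate,
a trunk native VLAN that is default (1) or also used as an access VLAN,
the global 'vlan dot1q tag native' missing, and access ports without
port-security. Added example; the config below is constructed."""
import re

# Constructed sample running-config excerpt (hypothetical interfaces/VLANs).
SAMPLE_CONFIG = """\
vlan dot1q tag native
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 45
 switchport voice vlan 50
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 300
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 300
 switchport trunk allowed vlan 45,50,300
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-command lines]} per stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the stanza
    return interfaces


def audit(config):
    """Return a sorted list of (interface-or-'global', finding) tuples."""
    ifaces = parse_interfaces(config)
    findings = []

    # VLANs that carry untagged access ports somewhere on this switch.
    access_vlans = set()
    for lines in ifaces.values():
        for l in lines:
            m = re.match(r"switchport access vlan (\d+)$", l)
            if m:
                access_vlans.add(int(m.group(1)))

    # Global check: tag the native VLAN so no trunk frame rides untagged.
    if not any(l.strip() == "vlan dot1q tag native" for l in config.splitlines()):
        findings.append(("global", "native VLAN untagged on trunks; consider 'vlan dot1q tag native'"))

    for name, lines in ifaces.items():
        mode, native = None, 1  # IOS defaults: DTP auto/desirable, native VLAN 1
        for l in lines:
            if l.startswith("switchport mode "):
                mode = l.split()[2]  # 'access', 'trunk' or 'dynamic'
            m = re.match(r"switchport trunk native vlan (\d+)$", l)
            if m:
                native = int(m.group(1))
        if mode in (None, "dynamic"):
            findings.append((name, "DTP can negotiate a trunk; set 'switchport mode access' or 'trunk' explicitly"))
        elif mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still sends DTP; add 'switchport nonegotiate'"))
            if native == 1 or native in access_vlans:
                findings.append((name, f"native VLAN {native} is the default or has access ports; use an unused VLAN"))
        elif mode == "access" and "switchport port-security" not in lines:
            findings.append((name, "access port without port-security"))
    return sorted(findings)


if __name__ == "__main__":
    for where, msg in audit(SAMPLE_CONFIG):
        print(f"{where}: {msg}")
```

Run against the sample, only FastEthernet0/1 (explicit access mode plus port-security) and GigabitEthernet0/2 (nonegotiate, native VLAN 999 with no access ports) come out clean; GigabitEthernet0/1 is flagged twice because it both speaks DTP and reuses VLAN 300, which FastEthernet0/2 carries untagged, as its native VLAN, which is the exact reuse the thread warns against.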
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:31 ARST