RE: VLAN Hopping

From: Anderson Mota Alves (mota_anderson@hotmail.com)
Date: Tue Dec 18 2007 - 18:23:20 ART


Thanks for all the replies,

I made a typo in the access VLAN for data; it should be:

int fa0/0
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport voice vlan 50
switchport access vlan 45
switchport trunk native vlan 500

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

This is a section I extracted from the link above:

proper configuration that should always be used is to clear the native VLAN
from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode
achieves the exact same result). In cases where the native VLAN cannot be
cleared, then always pick an unused VLAN as native VLAN of all the trunks;
don't use this VLAN for any other purpose

What Cielieska said about tagging the native vlan would also be a nice
approach IMHO.

> CC: mota_anderson@hotmail.com; ccielab@groupstudy.com
> From: ncielieska@gmail.com
> Subject: Re: VLAN Hopping
> Date: Tue, 18 Dec 2007 15:16:13 -0500
> To: gustavo.novais@novabase.pt
>
> Andy,
>
> I think that your voice vlan is under the same scrutiny as your data
> traffic. I would Native Vlan out something erroneous (like have vlan
> 300 as your native vlan, and no other ports in your network native
> except for the trunks, in essence removing untagged traffic). I saw
> another command on the board the other day that was interesting:
>
> vlan dot1q tag native (command that tags your native as well) to
> eliminate the dot1q runaround with untagged traffic.
>
> Maybe apply some mac address security with
>
> limit allowed trunks (disregarding the native vlan) on pertinent trunks
>
> On access ports
>
> int f0/1
> switchport mode access
> switchport port-security
> switchport port-security mac-address <phone mac>
> switchport port-security mac-address <pc mac>
> switchport port-security maximum 2
> switchport port-security violation shutdown
>
> Regards,
> Nate
>
> On Dec 18, 2007, at 1:33 PM, Gustavo Novais wrote:
>
> > Hi Andy,
> >
> > IMHO the phones let the traffic from the clients go untagged on the
> > trunk. So if you are using a different vlan as native I think you'd
> > have connectivity problems with that config.
> >
> > Remember also that forcing the mode to access disables the
> > reception of tagged frames on the switch port. You could eventually
> > tag the frames you are sending with the vlan tag of the access port
> > you're connected to, but I read somewhere that cisco switches are
> > not vulnerable to that.
> >
> > Honestly, what I'd be worried about is that there is some publicly
> > available software that you can run on your PC to impersonate a
> > Cisco IP Phone, and thus have access to the voice vlan, which is
> > often overlooked security wise, and for example MITM a voice
> > conversation.
> >
> > For reference read Cisco Press - LAN Switch Security. It is a great
> > book on the L2 security subject, and it addresses vlan hopping attacks.
> >
> > For the ip phone "impersonation" see VoIP Hopper and such.
> >
> > Gustavo Novais
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of Anderson Mota Alves
> > Sent: Tuesday, 18 December 2007 17:34
> > To: ccielab@groupstudy.com
> > Subject: VLAN Hopping
> >
> > Hi guys,
> >
> > The concept I have about vlan hopping is that basically you disable
> > DTP in a cisco to not let the attacker change the port to a trunk,
> > and the second method that can be used is to prevent the attacker
> > from sending traffic from one switch to another using two 802.1Q
> > tags, one for the attacking switch and the other for the victim,
> > and in 802.1Q it goes under native (untagged packet). So my
> > question is:
> >
> > Imagine I have in my company the need to configure a port in trunk
> > mode with voice going to one vlan and data to another, let's say
> > data for vlan 45 and voice vlan 50.
> >
> > I would do something like this:
> >
> > int fa0/0
> > switchport trunk encapsulation dot1q
> > switchport mode trunk
> > switchport nonegotiate
> > switchport voice vlan 50
> > switchport access vlan 50
> > switchport trunk native vlan 500
> >
> > My question is whether my config above would be a better approach,
> > and also if putting the native vlan in the router in a vlan that
> > doesn't exist in the switch, or without ports assigned to it, would
> > avoid the 802.1Q double tagging.
> >
> > Could someone shed some light here, since I've been reading forums
> > and books and I'm still confused about it.
> >
> >
> > Thanks a million
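The whole thread turns on one 802.1Q rule: a frame in the trunk's native VLAN leaves the trunk untagged, and an untagged frame arriving on a trunk is assigned the native VLAN. The following Python model is an added illustration, not code from any of the posters and not Cisco code; it lets you evaluate which trunk setting actually contains the double-tagging case Anderson describes (data VLAN as native, unused native VLAN 500, tagged native, pruned allowed list). The two-switch path, the `TrunkConfig` field names, the `deliver` helper and VLAN 60 are constructed for this example; VLANs 45, 50 and 500 are the thread's own numbers, and the model deliberately ignores platform-specific behaviour such as a Cisco access port refusing tagged frames.

```python
"""Model of how a trunk's native VLAN decides where a frame ends up.

Added illustration for the thread above, not code from any poster and not
Cisco code.  It models only the 802.1Q rule the discussion turns on: a frame
in the trunk's native VLAN leaves the trunk untagged unless native tagging is
on, and an untagged frame arriving on a trunk is assigned the native VLAN.
The two-switch path, the TrunkConfig field names and VLAN 60 are constructed
for this example; VLANs 45, 50 and 500 are the thread's own numbers.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class TrunkConfig:
    """Trunk settings shared by both ends (field names are this example's)."""
    native_vlan: int                    # switchport trunk native vlan N
    tag_native: bool = False            # vlan dot1q tag native
    allowed: Optional[Set[int]] = None  # switchport trunk allowed vlan ...; None = all


@dataclass
class Frame:
    """A frame on the wire: its stack of 802.1Q VIDs, outermost first."""
    tags: List[int] = field(default_factory=list)


def access_ingress(frame: Frame, access_vlan: int) -> Optional[int]:
    """Switch 1, host-facing access port: returns the VLAN the frame is placed in.

    Untagged frames go into the access VLAN.  The model also accepts a frame
    whose outer tag equals the access VLAN and strips that tag, which is the
    premise of the double-tagging case in the thread (Gustavo notes Cisco
    switches may refuse such frames; that is not modelled).  Anything else
    is dropped.
    """
    if not frame.tags:
        return access_vlan
    if frame.tags[0] == access_vlan:
        frame.tags.pop(0)  # outer tag consumed; any inner tag stays in the payload
        return access_vlan
    return None


def trunk_egress(frame: Frame, vlan: int, cfg: TrunkConfig) -> Optional[Frame]:
    """Switch 1 sends the frame, now in `vlan`, out the trunk."""
    if cfg.allowed is not None and vlan not in cfg.allowed:
        return None
    if vlan == cfg.native_vlan and not cfg.tag_native:
        return Frame(tags=list(frame.tags))      # native VLAN: no tag pushed
    return Frame(tags=[vlan] + list(frame.tags))  # every other VLAN: tag pushed


def trunk_ingress(wire: Frame, cfg: TrunkConfig) -> Optional[int]:
    """Switch 2 receives the frame from the trunk and decides its VLAN."""
    if not wire.tags:
        return cfg.native_vlan  # untagged on a trunk means native VLAN
    vlan = wire.tags[0]
    if cfg.allowed is not None and vlan not in cfg.allowed:
        return None
    return vlan


def deliver(access_vlan: int, inner_tag: Optional[int], cfg: TrunkConfig) -> Optional[int]:
    """VLAN in which switch 2 delivers a frame sent by a host on `access_vlan`.

    inner_tag=None is an ordinary host frame; an integer is a frame carrying
    one extra 802.1Q tag beneath the access VLAN's tag.  None means dropped.
    """
    frame = Frame(tags=[] if inner_tag is None else [access_vlan, inner_tag])
    vlan = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    wire = trunk_egress(frame, vlan, cfg)
    return None if wire is None else trunk_ingress(wire, cfg)


if __name__ == "__main__":
    # Data VLAN 45 as the native VLAN (the weak choice) versus the two fixes
    # the thread discusses: an unused native VLAN, or tagging the native VLAN.
    # Pruning the trunk to 45 and 50 is Nate's "limit allowed" suggestion.
    configs = {
        "native=45 (data VLAN)":      TrunkConfig(native_vlan=45),
        "native=500 (unused VLAN)":   TrunkConfig(native_vlan=500),
        "native=45, tagged native":   TrunkConfig(native_vlan=45, tag_native=True),
        "native=45, allowed={45,50}": TrunkConfig(native_vlan=45, allowed={45, 50}),
    }
    for name, cfg in configs.items():
        plain = deliver(45, None, cfg)  # normal PC traffic
        voice = deliver(45, 50, cfg)    # extra tag naming the voice VLAN
        other = deliver(45, 60, cfg)    # extra tag naming a VLAN not on the trunk
        print(f"{name:28} plain->{plain} inner50->{voice} inner60->{other}")
```

Running it shows why the Cisco white paper Anderson quotes says what it does: with VLAN 45 as native, a frame with an extra tag for VLAN 50 reaches the voice VLAN, while normal traffic in VLAN 45 is unaffected either way. An unused native VLAN (500) or a tagged native VLAN keeps the frame in VLAN 45 on the far switch, because the outer tag is never stripped. Pruning the allowed list only helps for VLANs that are not carried on the trunk at all; since voice and data must both be allowed, it does not replace the native-VLAN fix.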



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:31 ARST