Switch Spoofing

In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch. The attacker emulates Inter-Switch Link (ISL) or 802.1Q trunk signaling together with Dynamic Trunking Protocol (DTP) messages in an attempt to negotiate a trunk connection to the switch.

Any switch port configured to negotiate trunking with DTP (dynamic auto or dynamic desirable) may, on receipt of a DTP frame generated by the attacking device, become a trunk port and thereby accept traffic destined for any VLAN allowed on that trunk. The malicious device can then send packets to, or collect packets from, any VLAN carried on the negotiated trunk.

Switch Spoofing Sequence of Events

The table describes the switch spoofing sequence of events.

Step  Description
1     Attacker gains access to a switch port and sends DTP negotiation frames toward a switch with DTP running and auto negotiation turned on (often the default setting).
2     Attacker and switch negotiate trunking over the port.
3     Switch allows all VLANs (the default) to traverse the trunk link.
4     Attacker sends data to, or collects it from, all VLANs carried on that trunk.

Minimizing Service Loss and Data Theft in a Campus Network

Double Tagging

This subtopic describes double tagging as a means of VLAN hopping.

VLAN Hopping with Double Tagging

Double tagging allows a frame to be forwarded to a destination VLAN other than the source's VLAN.

Another method of VLAN hopping is for a workstation to generate frames with two 802.1Q headers, causing the switch to forward the frames onto a VLAN that would be inaccessible to the attacker through legitimate means.

The first switch to encounter the double-tagged frame strips the outer tag, because that tag (VLAN 10) matches the native VLAN of the trunk port, and sends the frame out the trunk untagged, as native-VLAN traffic is sent. The inner tag is left in place.

The result is that the frame is forwarded, still carrying the inner 802.1Q tag, out all switch ports in VLAN 10, including trunk ports whose native VLAN is the attacker's VLAN. The second switch then forwards the frame based on the VLAN ID in the second 802.1Q header (VLAN 20). If the trunk's native VLAN is not the attacker's VLAN, the outer tag is not stripped, the frame stays in the original VLAN, and no hop occurs. Note that the hop works in one direction only: hosts in VLAN 20 have no corresponding return path to the attacker, so double tagging serves to inject traffic into the target VLAN (for example, for a denial of service) rather than to collect traffic from it.

Double-Tagging Method of VLAN Hopping

The table describes the double-tagging method of VLAN hopping.

Step  Description
1     Workstation A (native VLAN 10) sends a frame with two 802.1Q headers to switch 1.
2     Switch 1 strips the outer tag and forwards the frame to all ports in the same native VLAN.
3     Switch 2 interprets the frame according to the information in the inner tag, marked with VLAN ID 20.
4     Switch 2 forwards the frame out all ports associated with VLAN 20, including trunk ports.
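As an added illustration, not part of the original Cisco text, the following Python models the four steps in the table on raw 802.1Q framing so the two outcomes in the discussion above can be checked: the hop succeeds when the trunk's native VLAN equals the attacker's VLAN, and fails when it does not. The addresses, VLAN numbers and payload are constructed, and the switch behaviour is the simplified model stated in the comments (an access port accepts a tag equal to its own VLAN, a trunk sends native-VLAN traffic untagged). The tag_native flag models the effect of the vlan dot1q tag native global command, which makes the trunk tag native-VLAN frames as well; the function names are this example's own.

```python
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the worked example (not from the page).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")


def build_frame(dst: bytes, src: bytes, vlan_ids: List[int], payload: bytes) -> bytes:
    """Ethernet frame with the given 802.1Q tags stacked outermost first."""
    frame = dst + src
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def outer_vlan(frame: bytes) -> Optional[int]:
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag."""
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag for vid as the new outermost tag."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame: bytes, access_vlan: int) -> Tuple[Optional[int], bytes]:
    """Switch 1, attacker's access port (step 1). Model assumption: an untagged frame
    joins the access VLAN, a tag equal to the access VLAN is accepted unchanged, and
    any other tag is dropped."""
    vid = outer_vlan(frame)
    if vid is None or vid == access_vlan:
        return access_vlan, frame
    return None, frame


def trunk_egress(frame: bytes, vlan: int, native_vlan: int, tag_native: bool = False) -> bytes:
    """Switch 1 trunk egress (step 2). Native-VLAN traffic leaves untagged, so a tag
    for the native VLAN is stripped and the inner tag becomes the outer one; every
    other VLAN leaves tagged with its own ID. tag_native models 'vlan dot1q tag
    native', after which the native VLAN is tagged like any other."""
    if vlan == native_vlan and not tag_native:
        return pop_tag(frame) if outer_vlan(frame) == vlan else frame
    return frame if outer_vlan(frame) == vlan else push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Switch 2 trunk ingress (steps 3 and 4): a tagged frame is placed in the tagged
    VLAN, an untagged one in the trunk's native VLAN."""
    vid = outer_vlan(frame)
    return native_vlan if vid is None else vid


def delivered_vlan(frame: bytes, attacker_vlan: int, native_vlan: int,
                   tag_native: bool = False) -> Optional[int]:
    """VLAN in which switch 2 delivers the attacker's frame, or None if it is dropped."""
    vlan, f = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(f, vlan, native_vlan, tag_native), native_vlan)


if __name__ == "__main__":
    double = build_frame(DST, SRC, [10, 20], b"payload")
    print("trunk native VLAN 10:", delivered_vlan(double, 10, 10))            # 20: hop
    print("trunk native VLAN 999:", delivered_vlan(double, 10, 999))          # 10: no hop
    print("native VLAN 10, tagged:", delivered_vlan(double, 10, 10, True))    # 10: no hop
```

The model makes the mitigation concrete: moving the native VLAN to an unused ID, or tagging the native VLAN on the trunk, both leave the outer tag in place at switch 1, so switch 2 only ever sees the attacker's own VLAN.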

8-28 Building Cisco Multilayer Switched Networks (BCMSN) v3.0 © 2006 Cisco Systems, Inc.

Mitigating VLAN Hopping

This topic describes how to mitigate VLAN hopping attacks.

Switch(config)# interface range type mod/first-port - last-port

• Selects a range of interfaces to configure

Switch(config-if-range)# switchport mode access

• Configures the ports as access ports and turns off DTP

Switch(config-if-range)# switchport access vlan vlan-id

• Statically assigns the ports to a specific, unused VLAN


The measures that defend the network from VLAN hopping are a series of best practices that apply to all switch ports, plus parameters to set deliberately when establishing a trunk port.

■ Configure all unused ports as access ports so that trunking cannot be negotiated across those links.

■ Place all unused ports in the shutdown state and assign them to a VLAN designated only for unused ports, which carries no user data traffic.

■ When establishing a trunk link, explicitly configure the trunk so that:

— The native VLAN is different from any data VLAN (an otherwise unused VLAN)

— Trunking is set to "on" with DTP disabled (switchport nonegotiate), rather than negotiated

— Only the specific VLAN range that is needed is carried on the trunk

Note: The configuration commands in the figure will not work on access ports that support VoIP, because those ports are configured as trunk ports. On all other access ports, it is best practice to apply these commands to mitigate VLAN hopping.
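As an added example, not part of the BCMSN text, the following Python script audits a saved show running-config against the switch-spoofing sequence and the checklist above: it flags ports on which a trunk can still be negotiated (dynamic auto, dynamic desirable, or no switchport mode line at all), trunks that still send DTP because switchport nonegotiate is missing, trunks left with the default native VLAN or with no allowed-VLAN restriction, and trunks whose native VLAN is also one of the data VLANs they carry. The configuration excerpt is constructed; the assumption that a port with no switchport mode line defaults to dynamic auto is a platform default that should be confirmed with show interfaces switchport, and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed "show running-config" excerpt (not taken from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description user port
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/5
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/6
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def _arg(lines: List[str], prefix: str) -> Optional[str]:
    """Value following a sub-command prefix, e.g. "10,20,30" for the allowed list."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def audit_interface(lines: List[str]) -> List[str]:
    """Findings for one port, following the VLAN hopping mitigation checklist."""
    findings: List[str] = []
    mode = _arg(lines, "switchport mode ")
    if mode is None:
        # Assumption: the platform default is dynamic auto, so DTP still answers.
        findings.append("no switchport mode: defaults to dynamic auto, trunk negotiable")
    elif mode.startswith("dynamic"):
        findings.append(f"mode {mode}: a spoofed switch can negotiate a trunk")
    elif mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk without nonegotiate: DTP frames still sent")
        native = _arg(lines, "switchport trunk native vlan ")
        allowed = _arg(lines, "switchport trunk allowed vlan ")
        if native is None:
            findings.append("native VLAN left at default 1: double-tagging risk")
        if allowed is None:
            findings.append("allowed VLAN list not restricted: all VLANs carried")
        elif native is not None and native in allowed.split(","):
            findings.append(f"native VLAN {native} is also a data VLAN on this trunk")
    # mode access: DTP is off, nothing to report for VLAN hopping
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface; a port with an empty list passes the checklist."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run against a real configuration, the script reports only what the running-config states; a port whose trunk state was negotiated dynamically shows up in show interfaces switchport rather than in the configuration, so both should be checked.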


Access control lists (ACLs) are useful for controlling access in a multilayer switched network. This topic describes VACLs and their purpose as part of VLAN security.

Cisco Systems multilayer switches support three types of ACLs:

■ Router access control lists (RACLs): Supported in the TCAM hardware on Cisco multilayer switches. In Catalyst switches, RACL can be applied to any routed interface, such as a switch virtual interface (SVI) or Layer 3 routed port.

■ Port access control list (PACL): Filters traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or EtherChannel port.

■ VACLs: Supported in software on Cisco multilayer switches. A VACL is applied to a VLAN rather than to an interface, so it filters all traffic within that VLAN, bridged as well as routed.

Catalyst switches support four ACL lookups per packet: input and output security ACL and input and output quality of service (QoS) ACL.

Catalyst switches use two methods of performing a merge: order independent and order dependent. With order-independent merge, ACLs are transformed from a series of order-dependent actions into a set of order-independent masks and patterns. The resulting set of access control entries (ACEs) can be very large, and the merge is processor and memory intensive.

Order-dependent merge is a recent improvement on some Catalyst switches in which ACLs retain their order-dependent aspect. The computation is much faster and is less processor-intensive.

RACLs are supported in hardware through IP standard ACLs and IP extended ACLs, with permit and deny actions. ACL processing is an intrinsic part of the packet forwarding process: ACL entries are programmed in hardware, and lookups occur in the forwarding pipeline whether ACLs are configured or not. Because the lookup is done in hardware, RACLs do not support access list statistics or logging.


