The Company security administrator is concerned with VLAN hopping based attacks. Which
two statements about these attacks are true? (Select two)
A.
Attacks are prevented by utilizing the port-security feature.
B.
An end station attempts to gain access to all VLANs by transmitting Ethernet frames
in the 802.1q encapsulation.
C.
Configuring an interface with the switchport mode dynamic command will prevent
VLAN hopping.
D.
An end station attempts to redirect VLAN traffic by transmitting Ethernet frames in the
802.1q encapsulation.
E.
Configuring an interface with the “switchport mode access” command will prevent
VLAN hopping.
Explanation:
One of the areas of concern with Layer 2 security is the variety of mechanisms by which
packets that are sent from one VLAN may be intercepted or redirected to another VLAN,
which is called VLAN hopping. VLAN hopping attacks are designed to allow attackers to
bypass a Layer 3 device when communicating from one VLAN to another. The attack works
by taking advantage of an incorrectly configured trunk port.
It is important to note that this type of attack does not work on a single switch because the
frame will never be forwarded to the destination. But in a multiswitch environment, a trunk
link could be exploited to transmit the packet. There are two different types of VLAN hopping
attacks:
Switch spoofing— The network attacker configures a system to spoof itself as a switch by
emulating either ISL or 802.1q, and DTP signaling. This makes the attacker appear to be a
switch with a trunk port and therefore a member of all VLANs.
Double tagging— Another variation of the VLAN hopping attack involves tagging the
transmitted frames with two 802.1q headers. Most switches today perform only one level of
decapsulation. So when the first switch sees the double-tagged frame, it strips the first tag
off the frame and then forwards with the inner 802.1q tag to all switch ports in the attacker’s
VLAN as well as to all trunk ports. The second switch forwards the packet based on the
VLAN ID in the second 802.1q header. This type of attack works even if the trunk ports are
set to off.
Mitigating VLAN hopping attacks requires the following configuration modifications:
Always use dedicated VLAN IDs for all trunk ports.
Disable all unused ports and place them in an unused VLAN.
Set all user ports to nontrunking mode by disabling DTP. Use the switchport mode access
command in the interface configuration mode.
For backbone switch-to-switch connections, explicitly configure trunking.
Do not use the user native VLAN as the trunk port native VLAN.
Do not use VLAN 1 as the switch management VLAN.
Reference: http://www.ciscopress.com/articles/article.asp?p=474239&seqNum=2