Rule ID
SV-273693r1110996_rule
Version
V1R1
CCIs
VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim's MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim's switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame on to the trunk link unaware of the inner tag with a VLAN ID of which the victim's switch port is a member.
Examine the ports associated with the default VLAN.
device#show vlans
Total PORT-VLAN entries: 2
Maximum PORT-VLAN entries: 1024
Legend: [Stk=Stack-Id, S=Slot]
PORT-VLAN 4505, Name DEFAULT-VLAN, Priority level0, On
Untagged Ports: (U1/M1)
Untagged Ports: (U1/M1)
Untagged Ports: (U1/M1)
Untagged Ports: (U1/M1)
Untagged Ports: (U1/M2)
Tagged Ports: None
Mac-Vlan Ports: None
Monitoring: Disabled
device#
If any 802.1q trunk interfaces (with tagged VLANs) also have the default VLAN assigned as the native VLAN (i.e., untagged), this is a finding.If a trunk port (1/2/1 below) also has the default VLAN assigned as the native VLAN (i.e., untagged), remove that interface from the default VLAN. device# configure terminal device(config)# default-vlan-id 4505 device(config)# vlan 4505 device(config-vlan-4505)# no untag ethernet 1/2/1