© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v3.08-1 Minimizing Service Loss and Data Theft in a Campus Network Protecting Against VLAN Attacks.

Transcript:

Minimizing Service Loss and Data Theft in a Campus Network: Protecting Against VLAN Attacks

Explaining VLAN Hopping

The attacking system spoofs itself as a legitimate trunk-negotiating device.
The trunk link is negotiated dynamically.
The attacking device gains access to data on all VLANs carried by the negotiated trunk.

VLAN Hopping with Double Tagging

Double tagging allows a frame to be forwarded to a destination VLAN other than the source's VLAN. The outer 802.1Q tag carries the trunk's native VLAN and is stripped by the first switch, which then forwards the frame onward with the inner tag still attached, so the attack only works when the attacker's access VLAN is the same as the trunk's native VLAN.

Mitigating VLAN Hopping

Switch(config)# interface range type mod/port - port
  Selects a range of interfaces to configure
Switch(config-if)# switchport access vlan vlan-id
  Statically assigns the ports to a specific unused VLAN
Switch(config-if)# switchport mode access
  Configures the ports as access ports and turns off DTP
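As an added example (not part of the course slides), a small Python audit that parses a constructed IOS-style running-config and reports ports that still negotiate trunks via DTP, or trunks that keep VLAN 1 as the native VLAN; the default-behaviour assumptions (no mode line means DTP on, no native-vlan line means VLAN 1) are stated in the code.

```python
import re

# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
interface GigabitEthernet1/0/3
 switchport access vlan 20
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [stanza lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas

def audit(config):
    """Return {interface: [findings]} for ports that lack the slide's mitigations.
    Assumptions: no 'switchport mode' line means DTP is still on (dynamic),
    and a trunk with no native-vlan line uses VLAN 1."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((ln.split()[2] for ln in lines if ln.startswith("switchport mode ")), "dynamic")
        native = next((int(ln.split()[-1]) for ln in lines
                       if ln.startswith("switchport trunk native vlan ")), 1)
        issues = []
        if mode == "dynamic":
            issues.append("DTP negotiation enabled: set 'switchport mode access'")
        if mode == "trunk" and native == 1:
            issues.append("native VLAN 1 on trunk: move the native VLAN to an unused VLAN")
        if mode == "trunk" and "switchport nonegotiate" not in lines:
            issues.append("trunk still sends DTP: add 'switchport nonegotiate'")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a real `show running-config` export to get the same per-port findings.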

Types of ACLs

Configuring VACLs

Switch(config)# vlan access-map map_name [seq#]
  Defines a VLAN access map
Switch(config-access-map)# match {ip address {1-199 | ... | acl_name} | ipx address {... | acl_name} | mac address acl_name}
  Configures the match clause in a VLAN access map sequence
Switch(config-access-map)# action {drop [log]} | {forward [capture]} | {redirect {type slot/port} | {port-channel channel_id}}
  Configures the action clause in a VLAN access map sequence
Switch(config)# vlan filter map_name vlan_list list
  Applies the VLAN access map to the specified VLANs
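To show how the sequences of a VLAN access map are evaluated, here is an added Python model (not code from the course or from any switch) of a constructed map: sequence 10 drops client-to-server traffic matched by an ACL, sequence 20 is the catch-all forward. The ACL names, subnets and the "no sequence matched means drop" default are assumptions stated in the comments.

```python
import ipaddress

# Constructed ACLs referenced by the access map: name -> [(permit|deny, src, dst)].
ACLS = {
    "TO_SERVERS": [
        ("deny", "10.10.20.100/32", "0.0.0.0/0"),       # management host is exempt
        ("permit", "10.10.20.0/24", "10.10.10.0/24"),   # other clients to server subnet
    ],
}
# Constructed VLAN access map, one tuple per sequence: (seq, ACL name or None, action).
# A sequence with no match clause (None) matches every packet; this is the
# equivalent of 'vlan access-map MAP 20' followed only by 'action forward'.
ACCESS_MAP = [
    (10, "TO_SERVERS", "drop"),
    (20, None, "forward"),
]

def acl_matches(acl, src, dst):
    """A packet matches a sequence only if the referenced ACL permits it; a deny
    entry (or no matching entry at all) means 'no match', so the next sequence is tried."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if s_ip in ipaddress.ip_network(s_net) and d_ip in ipaddress.ip_network(d_net):
            return action == "permit"
    return False

def vacl_action(access_map, acls, src, dst):
    """Evaluate sequences in ascending order and return the first matching action."""
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_matches(acls[acl_name], src, dst):
            return action
    return "drop"  # assumption modelled here: no matching sequence means the packet is dropped
```

Evaluating the same packet against a map without the catch-all sequence shows why the final `action forward` entry matters: everything that is not explicitly forwarded is dropped.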

Private VLANs

PVLAN Port Types

Isolated: communicates only with promiscuous ports
Promiscuous: communicates with all other ports
Community: communicates with other members of the same community and with all promiscuous ports

Configuring PVLANs

Switch(config-vlan)# private-vlan [primary | isolated | community]
  Configures a VLAN as a PVLAN
Switch(config-vlan)# private-vlan association {secondary_vlan_list | add svl | remove svl}
  Associates secondary VLANs with the primary VLAN
Switch# show vlan private-vlan type
  Verifies the PVLAN configuration

Configuring PVLAN Ports

Switch(config-if)# switchport mode private-vlan {host | promiscuous}
  Configures an interface as a PVLAN port
Switch(config-if)# switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID
  Associates an isolated or community port with a PVLAN
Switch(config-if)# switchport private-vlan mapping primary_vlan_ID {secondary_vlan_list | add svl | remove svl}
  Maps a promiscuous PVLAN port to a PVLAN
Switch# show interfaces private-vlan mapping
  Verifies the PVLAN port configuration
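The three PVLAN port types and the host/promiscuous port roles from the last three slides, modelled as an added Python example (not code from the course or from any switch) that computes which ports in one primary VLAN may exchange frames; the port names and secondary VLAN numbers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str           # "promiscuous", "isolated" or "community"
    secondary: int = 0  # secondary VLAN of an isolated/community host port

def can_communicate(a, b):
    """Apply the three port-type rules; assumes both ports share one primary VLAN."""
    if a is b:
        return True
    if "promiscuous" in (a.kind, b.kind):   # promiscuous talks to every port
        return True
    if "isolated" in (a.kind, b.kind):      # isolated talks only to promiscuous ports
        return False
    return a.secondary == b.secondary       # community: same community VLAN only

def reachability(ports):
    """Unordered pairs of port names that may exchange frames at Layer 2."""
    pairs = set()
    for i, p in enumerate(ports):
        for q in ports[i + 1:]:
            if can_communicate(p, q):
                pairs.add(frozenset((p.name, q.name)))
    return pairs

# Constructed example: the gateway port is promiscuous, two tenants share
# community VLAN 201, a third tenant sits in community VLAN 203, and two
# servers are in isolated VLAN 202 (all secondaries of the same primary VLAN).
PORTS = [
    PvlanPort("Gi1/0/1", "promiscuous"),
    PvlanPort("Gi1/0/2", "community", 201),
    PvlanPort("Gi1/0/3", "community", 201),
    PvlanPort("Gi1/0/4", "isolated", 202),
    PvlanPort("Gi1/0/5", "isolated", 202),
    PvlanPort("Gi1/0/6", "community", 203),
]
```

`reachability(PORTS)` yields six pairs: the gateway with each of the five host ports plus the two ports of community VLAN 201; the two isolated servers and the separate communities cannot reach each other.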

Summary

VLAN hopping can allow unauthorized Layer 2 access to another VLAN.
VLAN hopping can be mitigated by:
 – Properly configuring 802.1Q trunks
 – Turning off trunk negotiation
Access lists can be applied to VLANs to limit Layer 2 access.
VACLs can be configured on Cisco Catalyst switches.
PVLANs are configured to restrict traffic flows between ports within the same VLAN.
PVLAN configurations can be applied to provide Layer 2 isolation between VLANs.
