Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against VLAN Attacks.

Published byDavid Young Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against VLAN Attacks."— Presentation transcript:

1 © 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against VLAN Attacks

2 © 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-2 Explaining VLAN Hopping  An attacking system spoofs itself as a legitimate trunk negotiating device.  A trunk link is negotiated dynamically.  An attacking device gains access on all VLANs carried by the trunk

3 © 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-3 VLAN Hopping with Double Tagging Double tagging allows a frame to be forwarded to a destination VLAN other than the VLAN of the source.

4 © 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-4 Mitigating VLAN Hopping Unused ports  Shut down all unused ports.  Configure all unused ports to access mode.  Configure an access VLAN on all unused ports to an unused VLAN.  Configure a native trunk VLAN on all unused ports to an unused VLAN. Trunk ports  Configure a trunk port with trunk mode on, and disable trunk negotiation.  Configure a native trunk VLAN on trunk ports to an unused VLAN.  Configure the allowed VLANs on the trunk ports, and do not allow a native VLAN.

5 © 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-5 Types of ACLs

6 © 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-6 Configuring VACLs  Create an access list.  Configure an access map.  Create a VLAN filter.  Example: Drop all traffic from network 10.1.9.0/24 on VLAN 10 and 20, and drop all traffic to backup server 0000.1111.4444. switch(config)# access-list 100 permit ip 10.1.9.0 0.0.0.255 any Switch(config)# mac access-list extended BACKUP_SERVER Switch(config-ext-mac)# permit any host 0000.1111.4444 switch(config)# vlan access-map XYZ 10 switch(config-map)# match ip address 100 switch(config-map)# action drop switch(config-map)# vlan access-map XYZ 20 switch(config-map)# match mac address BACKUP_SERVER Switch(config-map)# action drop switch(config-map)# vlan access-map XYZ 30 switch(config-map)# action forward switch(config)# vlan filter XYZ vlan-list 10,20

7 © 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-7 Summary  VLAN hopping can allow Layer 2 unauthorized access to another VLAN.  VLAN hopping can be mitigated by: –Properly configuring 802.1Q trunks –Turning off trunk negotiation  Access lists can be applied to VLANs to limit Layer 2 access.  VACLs can be configured on Cisco Catalyst switches.

8 © 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-8

Download ppt "© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against VLAN Attacks."

Similar presentations

Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implement VTP LAN Switching and Wireless – Chapter 4.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implement VTP LAN Switching and Wireless – Chapter 4.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—2-1 Extending Switched Networks with Virtual LANs Introducing VLAN Operations.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—2-1 Extending Switched Networks with Virtual LANs Introducing VLAN Operations.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 VLANs LAN Switching and Wireless – Chapter 3.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 VLANs LAN Switching and Wireless – Chapter 3.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 VLANs LAN Switching and Wireless – Chapter 3.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 VLANs LAN Switching and Wireless – Chapter 3.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.
© 2002, Cisco Systems, Inc. All rights reserved..

© 2002, Cisco Systems, Inc. All rights reserved..
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Configuring PVLANs.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Configuring PVLANs.
CCENT Study Guide Chapter 11 VLANs and Inter-VLAN Routing.

CCENT Study Guide Chapter 11 VLANs and Inter-VLAN Routing.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—1-1 Configuring Catalyst Switch Operations Introducing Basic Layer 2 Switching and Bridging Functions.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—1-1 Configuring Catalyst Switch Operations Introducing Basic Layer 2 Switching and Bridging Functions.
Secure LAN Switching Layer 2 security Introduction Port-level controls

Secure LAN Switching Layer 2 security Introduction Port-level controls

Similar presentations

Ads by Google