A malicious user can use VLAN hopping to gain access to data on a VLAN that they are not authorised to access. A VLAN hopping attack can be launched using either Switch Spoofing or Double Tagging of the 802.1Q trunking protocol.
You can prevent VLAN Hopping in Cisco Switches as follows:
1. Prevent VLAN Hopping attacks using Switch Spoofing
For this form of VLAN Hopping attack, the simplest solution is to disable "Dynamic Trunking Protocol (DTP)" on all untrusted ports, most importantly on the access switches where end users connect their devices and gain access to the network.
This can be done as follows:
ciscoswitch# conf t
ciscoswitch(config)# int gi1/10
ciscoswitch(config-if)# switchport nonegotiate
In the above, the "switchport nonegotiate" command on interface "gi1/10" disables DTP, so the switchport will not negotiate trunking on the link.
An even better option is to explicitly configure the port as an access port, which eliminates any fear of trunking on the port (assuming you know that the port will never need to act as a trunk port):
ciscoswitch(config-if)# switchport mode access
This disables trunking and DTP on the port and marks it as an access port only.
2. Prevent VLAN Hopping attacks using Double Encapsulation (Double Tagging)
Use an isolated VLAN as the native VLAN for the trunks. This VLAN should be used for tunnel traffic only and not for any other traffic, because the trunk port strips the native VLAN tag and passes the frame on as untagged traffic.
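The two mitigations above can be checked against a saved running-config. The following is an added example, not code from the original article: the sample config is constructed, and the function names and the user_vlans parameter (the VLANs assumed to carry end-user traffic) are hypothetical.

```python
import re

# Constructed sample running-config, not taken from any real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/10
 switchport mode access
!
interface GigabitEthernet1/11
 switchport access vlan 20
!
interface GigabitEthernet1/12
 switchport mode dynamic desirable
!
interface GigabitEthernet1/48
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet1/49
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of config lines beneath it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit(config, user_vlans=frozenset({1, 20})):
    """Return {interface: finding} for ports exposed to either hopping method."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "no switchport" in lines:
            continue  # routed port, not a switch port
        if "switchport mode trunk" in lines:
            # Assumption: native VLAN is 1 when no native vlan line is present.
            hits = [re.fullmatch(r"switchport trunk native vlan (\d+)", l) for l in lines]
            native = next((int(h.group(1)) for h in hits if h), 1)
            if native in user_vlans:
                findings[name] = f"native VLAN {native} carries user traffic"
        elif "switchport mode access" not in lines and "switchport nonegotiate" not in lines:
            findings[name] = "DTP may negotiate a trunk"
    return findings
```

Calling audit(SAMPLE_CONFIG) flags Gi1/11 and Gi1/12 (no explicit access mode and no nonegotiate) and Gi1/49 (trunk left on native VLAN 1).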
Non-negotiate prevents negotiation of a trunk (Duh!) – The surprise gotcha is that’s because it accepts tagged frames by default – It’s most often seen on uplinks to VMware hosts where fast recovery is needed/desired.
It’s also sometimes seen on access switches being used with VoIP phones that struggle to successfully negotiate their Voice VLAN…
Switchport mode access appears to be more “Assertive”, but as mentioned above, it also accepts framed packets if there’s a voice VLAN configured. See “CDP Attacks” for info on how that can make life miserable.
In either case – Pro tip, it’s always a good idea to manually limit the VLANs permitted on a given trunk – And if you haven’t recently, go and check your switches for mistakes or the results of someone getting around you without you noticing.*
*Blush