Common VLAN attack methods and how to avoid them

Source: Internet
Author: User

Configuring two or more switches to carry VLANs and partition a network is simple and straightforward. Making sure those VLANs can withstand an attack is a different matter. To secure a VLAN you need to know which attacks you are defending against. The following are several common ways of attacking a VLAN, how to defend against them, and how to limit the damage where an attack cannot be fully prevented.

VLAN hopping attack

VLAN hopping relies mainly on the Dynamic Trunking Protocol (DTP) and, in some cases, on the trunk encapsulation itself (ISL or 802.1Q). DTP negotiates, on the link between two switches or devices, whether the link becomes a trunk and which trunk encapsulation is used.

Trunk negotiation is enabled on a switch interface with the following interface-level command (IOS requires a qualifier: dynamic desirable actively asks the peer for a trunk, dynamic auto forms one only if the peer asks): Switch(config-if)# switchport mode dynamic {auto | desirable}

Although this setting makes switch configuration easier, it hides a serious risk for your VLANs. Any host attached to such a port can send DTP frames claiming to be a switch that speaks 802.1Q; the switch then brings the link up as a trunk, and the host becomes a member of every VLAN carried on it.

Recent Cisco IOS releases reduce the exposure (many platforms now default to dynamic auto rather than dynamic desirable), but a port in dynamic auto still accepts a trunk requested by the peer, so an attacker who sends DTP frames still succeeds. To avoid VLAN hopping, do not use the dynamic modes on user-facing interfaces: set every port explicitly to trunk or access with switchport mode trunk or switchport mode access, and stop the port from speaking DTP at all with switchport nonegotiate.

Address Resolution Protocol (ARP) attack

ARP attacks are common in the attacker's toolkit, and readily available tools use them to bypass the isolation a switch provides. A switch forwards a unicast frame only to the port that owns the destination MAC address, so the conversation between two hosts is normally invisible to the other hosts on the same switch.

In an ARP attack the intruder first gathers the IP addresses and other facts about the network to be attacked, then uses that information to launch the attack. The intruder floods the segment with forged ARP replies (often gratuitous, broadcast ARP) announcing that some or all of the IP addresses on the segment, typically the default gateway, map to the intruder's own MAC address. Hosts update their ARP caches accordingly and send their traffic to the intruder, who can read it and, if desired, forward it on so that the victims notice nothing. A closely related attack, MAC flooding, sends frames from a huge number of fake source MAC addresses until the switch's forwarding table overflows and it falls back to flooding every frame out of every port, which again lets the intruder see everyone's traffic.

On higher-end Catalyst switches the Port Security feature prevents this. Among others, the 4000, 4500, 5000 and 6500 series support it, and it is available on later IOS-based access switches as well.

Once Port Security is enabled on a port, you can limit the number of MAC addresses the port may learn, or list the specific MAC addresses allowed to connect through it; a frame from any other source address triggers a violation, which by default shuts the port down.

The CatOS command to enable it is: Switch> (enable) set port security <mod/port> enable. On IOS-based switches the equivalent interface-level command is switchport port-security.

Note that port security restricts which MAC addresses may talk on a port; it does not inspect the contents of ARP packets, so a single permitted host can still send forged replies. Static ARP entries should therefore be configured for important routers, servers and other hosts, so that forged replies cannot overwrite them, and where the switches support it, Dynamic ARP Inspection (which validates each ARP packet against the DHCP snooping binding table) drops forged replies at the access port.

Finally, an intrusion detection system can track and report the ARP traffic that characterises such attacks: an IP address that suddenly maps to a different MAC address, or a burst of ARP replies from a single source.
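The two signals an IDS would look for here, an IP address whose MAC binding changes and a burst of ARP replies from one source, can be checked in a few dozen lines. The detector below is an example added to this page, not code from any IDS product; the ARP frames it processes are constructed, and the gateway address, host addresses and MAC addresses are assumed values. It also shows why the static entries recommended above matter: a pinned binding is reported as a spoof every time it is contradicted, whereas an unpinned host that changes MAC is reported once and then learned.

```python
"""Flag ARP cache poisoning and ARP floods in a stream of ARP frames, the kind
of check an IDS performs for the attack described above. Added example for
this page, not from any IDS product; the frames are constructed, not captured."""
from collections import defaultdict

# Pinned bindings for important hosts (the static-ARP idea from the text).
# Assumed address: 192.168.1.1 is the default gateway.
STATIC_BINDINGS = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}

# Constructed frames: (time_s, opcode, sender_mac, sender_ip, target_ip);
# opcode 1 = request, 2 = reply. From t=5.0 an attacker at de:ad:be:ef:00:01
# sprays replies claiming the gateway's IP; at t=8.0 host .20 legitimately
# reappears with a new NIC.
FRAMES = [
    (0.0, 1, "aa:aa:aa:aa:aa:02", "192.168.1.20", "192.168.1.1"),
    (0.1, 2, "aa:aa:aa:aa:aa:01", "192.168.1.1", "192.168.1.20"),
    (5.0, 2, "de:ad:be:ef:00:01", "192.168.1.1", "192.168.1.20"),
    (5.1, 2, "de:ad:be:ef:00:01", "192.168.1.1", "192.168.1.21"),
    (5.2, 2, "de:ad:be:ef:00:01", "192.168.1.1", "192.168.1.22"),
    (5.3, 2, "de:ad:be:ef:00:01", "192.168.1.1", "192.168.1.23"),
    (5.4, 2, "de:ad:be:ef:00:01", "192.168.1.1", "192.168.1.24"),
    (8.0, 2, "aa:aa:aa:aa:aa:03", "192.168.1.20", "192.168.1.1"),
]


def detect_arp_attacks(frames, static_bindings, window=1.0, max_replies=4):
    """Return a list of alert dicts.

    Rule 1: a sender IP that turns up with a different MAC. If the IP is
    pinned in static_bindings this is a SPOOF (the pinned entry is kept);
    otherwise it is reported once as a CHANGE and the new binding is learned.
    Rule 2: more than max_replies ARP replies from one MAC inside `window`
    seconds is a FLOOD, reported once per MAC."""
    bindings = dict(static_bindings)          # ip -> mac, pinned or learned
    reply_times = defaultdict(list)           # sender mac -> recent reply times
    alerts, reported = [], set()
    for t, opcode, smac, sip, _tip in frames:
        known = bindings.get(sip)
        if known is None:
            bindings[sip] = smac              # first sighting: learn it
        elif known != smac:
            kind = "SPOOF" if sip in static_bindings else "CHANGE"
            if (kind, sip, smac) not in reported:
                reported.add((kind, sip, smac))
                alerts.append({"type": kind, "t": t, "ip": sip,
                               "expected": known, "seen": smac})
            if kind == "CHANGE":
                bindings[sip] = smac          # accept the move for unpinned hosts
        if opcode == 2:
            times = reply_times[smac]
            times.append(t)
            while t - times[0] > window:      # drop replies outside the window
                times.pop(0)
            if len(times) > max_replies and ("FLOOD", smac) not in reported:
                reported.add(("FLOOD", smac))
                alerts.append({"type": "FLOOD", "t": t, "mac": smac,
                               "replies": len(times)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_attacks(FRAMES, STATIC_BINDINGS):
        print(alert)
```

On the constructed input this produces one SPOOF (the gateway claimed by the attacker), one FLOOD (five replies from the attacker's MAC inside a second) and one CHANGE (host .20 moving to a new MAC). In a real deployment the frames would come from a capture on a mirror port, and the flood threshold needs tuning: hosts that renew DHCP leases or run clustering software legitimately send gratuitous ARP in bursts.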

VLAN Trunking Protocol attack

VLAN Trunking Protocol (VTP) is a Cisco-proprietary protocol designed to make life easier by automatically propagating VLAN information to all the switches in a VTP domain.

A VTP setup has one switch acting as the VTP server, responsible for advertising all the information about the VLANs. Every other switch is set to client mode and listens for any advertisement of VLAN changes issued by the server. (A third mode, transparent, forwards advertisements but does not act on them.)

A VTP attack involves a host injecting VTP advertisements into the network for the same domain, carrying a higher configuration revision number and no VLANs defined. Every client switch accepts the advertisement and deletes its valid VLAN database.

The same thing can happen by accident: if a switch configured as a VTP server joins the network with a configuration revision number higher than the existing server's, every switch overwrites its valid VLAN information with that of the "new" server.

Fortunately, there are several ways to protect your VLANs from this. You can disable VTP altogether (put the switches in transparent mode and manage VLANs by hand), or enable MD5 authentication on all VTP advertisements by setting a VTP password, so that client switches discard any advertisement whose MD5 digest does not match the password. A password does not protect against a switch that already knows it, so before connecting a previously used switch, reset its revision number to zero, for example by setting it to transparent mode or by changing its VTP domain name and changing it back.

The commands to set a VTP password for your VTP domain (VLAN database mode, used on older IOS releases; newer releases accept vtp domain and vtp password as global configuration commands instead) are:

Switch# vlan database
Switch(vlan)# vtp domain <domain-name>
Switch(vlan)# vtp password <password>
Switch(vlan)# apply
Switch(vlan)# exit
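The three countermeasures described on this page (no dynamic trunking on ports, port security on access ports, and a VTP password or transparent mode) can be checked automatically against a switch's exported running configuration. The following script is an example added to this page, not a Cisco tool; the configuration it audits is constructed, and it assumes modern IOS global-configuration syntax rather than the VLAN database mode shown above. One caveat: on many IOS releases the VTP password is kept in vlan.dat and does not appear in the running configuration, so confirm it with show vtp password on the switch rather than trusting the exported text alone.

```python
"""Audit an exported Cisco IOS switch configuration for the three weaknesses
discussed above: DTP left enabled (VLAN hopping), access ports without port
security (MAC flooding / spoofing) and VTP running without a password.
Added example for this page, not a Cisco tool; the config is constructed."""
import re

# Constructed running-config: Gi0/1 and Gi0/3 are hardened, Gi0/2 and Gi0/4
# are not, and VTP runs in server mode with no 'vtp password' line.
SAMPLE_CONFIG = """\
hostname sw-edge-1
!
vtp domain CORP
vtp mode server
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport nonegotiate
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 20
!
"""


def parse_config(text):
    """Split IOS config text into global commands and per-interface commands;
    IOS indents interface sub-commands by one space and ends blocks with '!'."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_interface(name, cmds):
    """Return (scope, category, severity, advice) findings for one port."""
    findings, mode = [], None
    for c in cmds:
        m = re.match(r"switchport mode (\S+)", c)
        if m:
            mode = m.group(1)            # 'access', 'trunk' or 'dynamic'
    if mode is None or mode == "dynamic":
        # No explicit mode (IOS defaults to a dynamic mode) or dynamic
        # auto/desirable: a host sending DTP frames can make this a trunk.
        findings.append((name, "VLAN-HOPPING", "HIGH", "DTP negotiation "
                         "enabled; set 'switchport mode access' (or trunk) "
                         "and 'switchport nonegotiate'"))
    elif "switchport nonegotiate" not in cmds:
        findings.append((name, "VLAN-HOPPING", "LOW",
                         "DTP still enabled; add 'switchport nonegotiate'"))
    if mode == "access" and "switchport port-security" not in cmds:
        findings.append((name, "MAC-FLOOD", "MEDIUM",
                         "access port without 'switchport port-security'"))
    return findings


def audit_vtp(global_lines):
    """Server or client mode with no password trusts any advertisement that
    carries a higher revision number, so flag that combination."""
    mode, has_password = "server", False   # server is the IOS default mode
    for c in global_lines:
        m = re.match(r"vtp mode (\S+)", c)
        if m:
            mode = m.group(1)
        if c.startswith("vtp password"):
            has_password = True
    if mode in ("server", "client") and not has_password:
        return [("global", "VTP", "HIGH", f"vtp mode {mode} without "
                 "'vtp password'; set one or use 'vtp mode transparent'")]
    return []


def audit_config(text):
    """Run every check and return the combined list of findings."""
    global_lines, interfaces = parse_config(text)
    findings = audit_vtp(global_lines)
    for name, cmds in interfaces.items():
        findings.extend(audit_interface(name, cmds))
    return findings


if __name__ == "__main__":
    for scope, cat, sev, advice in audit_config(SAMPLE_CONFIG):
        print(f"{sev:6} {cat:12} {scope}: {advice}")
```

Run against the constructed configuration it reports four findings: the VTP server with no password, Gi0/2 in dynamic desirable mode, and Gi0/4 both still speaking DTP and lacking port security; the hardened trunk on Gi0/1 and the access port on Gi0/3 pass. Feed it the output of show running-config from each switch and the list becomes a per-port remediation checklist.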