VLAN-Based Attacks
VLAN-based attacks include VLAN hopping, in which a station is able to
access a VLAN other than its own. This can be done with switch spoofing or
with 802.1Q double-tagging.
Switch Spoofing
Switch spoofing involves a station configured to negotiate a trunk link
between itself and the switch. By default, switches dynamically negotiate
trunking status using Dynamic Trunking Protocol (DTP). If a computer is
able to use DTP to establish a trunk link to the switch, it will receive all
traffic bound for VLANs allowed on that trunk. By default, all VLANs are
allowed on a trunk.
You can mitigate this by turning off DTP on all ports that should not become
trunks, such as most access ports, using the interface command switchport
nonegotiate. If the port should be an access port, configure it as such with
the interface command switchport mode access. Additionally, shut down all
unused ports and assign them to an unused VLAN. The commands to do this
are:
Switch(config)#interface <interface>
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan <vlan>
Switch(config-if)#shutdown
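A defender who wants to check that the hardening above was actually applied across a switch can audit the running-config rather than inspect each port by hand. The following Python script is an added example, not part of the original text or any Cisco tool: it parses an IOS-style configuration into per-interface stanzas and reports ports that are still in the default dynamic mode (no switchport mode access), ports that still run DTP (no switchport nonegotiate), and shut-down ports left in the default VLAN 1 instead of an unused VLAN. The running-config embedded in the script is constructed for illustration, and the interface names and VLAN numbers in it are placeholders, not values from the page.

```python
import re
from collections import OrderedDict

# Constructed sample running-config for demonstration only; the interface
# names, descriptions and VLAN numbers are placeholders, not a real device.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description Uplink to core (static trunk)
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description User desk 12 (fully hardened access port)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description User desk 13 (left in default dynamic mode)
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 description Printer (access mode but DTP still running)
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet1/0/5
 description Unused port parked correctly
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/0/6
 description Unused port, only shut down
 shutdown
!
"""


def parse_interfaces(config_text):
    """Split an IOS-style running-config into {interface name: [commands]}.

    A stanza starts at an 'interface ...' line and ends at the next '!' or
    at the next non-indented (global) command.
    """
    interfaces = OrderedDict()
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!") or not line.startswith(" "):
            current = None
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def audit_interface(commands):
    """Return a list of findings for one interface's command list."""
    cmds = set(commands)
    is_trunk = "switchport mode trunk" in cmds
    is_access = "switchport mode access" in cmds
    nonegotiate = "switchport nonegotiate" in cmds
    is_shut = "shutdown" in cmds

    # Access VLAN defaults to 1 when no 'switchport access vlan' is present.
    access_vlan = 1
    for cmd in commands:
        m = re.match(r"switchport access vlan (\d+)$", cmd)
        if m:
            access_vlan = int(m.group(1))

    findings = []
    # Default switchport mode is dynamic, which can negotiate a trunk via DTP.
    if not is_trunk and not is_access:
        findings.append("no 'switchport mode access': port can negotiate a trunk")
    # Access mode alone still sends DTP frames; nonegotiate turns DTP off.
    # Checked on static trunks too, since a manually set trunk needs no DTP.
    if not nonegotiate:
        findings.append("DTP still enabled: add 'switchport nonegotiate'")
    # Guidance: unused ports are shut down AND moved to an unused VLAN.
    if is_shut and access_vlan == 1:
        findings.append("shut-down port still in default VLAN 1: assign an unused VLAN")
    return findings


def audit_config(config_text):
    """Audit every interface; returns {interface name: [findings]}."""
    return {name: audit_interface(cmds)
            for name, cmds in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run against a real device, replace SAMPLE_CONFIG with the output of show running-config; the script only reads text, so it can be run offline on saved configs from a backup repository. A port with an empty findings list matches the three recommendations in the text; anything else lists which command is missing.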