newer Catalysts do not offer the ISL trunk mode anymore. Now I fear VLAN-hopping/encapsulation attacks when using VLANs for WAN-isolation.
- What can I do to prevent such attacks?
- Can I mix ISL and 802.1Q trunk connections?
- Anything else I have to consider?
Thanks
edit:
Is VLAN-hopping possible if all hosts are connected to "Static Access"-configured switchports and the 802.1Q-trunks are only between the Cisco switches?
You should be relatively safe by using the following configuration on host facing interfaces:
This will disable DTP (dynamic trunking protocol) on the port and help prevent VLAN hopping attacks.
Also, it is a good practice to enumerate the allowed VLANs on your trunk interfaces with the following configuration:
A good reference for layer 2 security best practices can be found here:
SAFE LAYER 2 SECURITY IN-DEPTH — VERSION 2 (PDF)
If a switch port is forced to ACCESS mode (switchport nonegotiate, switchport mode access) and assigned to a specific VLAN (switchport access vlan X), this is a completely safe setup; should the connected host(s) send any tagged frame, it would be discarded because no trunking would be possible on that port. If trunking is only used between the switches and you have good physical security, there is no way for any computer to access any VLAN other than its own.
After quite some research I've found the answer:
http://www.sans.org/security-resources/idfaq/vlan.php
Thus I have to make sure that the access-mode VLANs are not using the native VLAN configured on the trunk:
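As an added example that is not part of any of the answers above, the following Python script audits a Catalyst-style running-config for the three points raised in this thread: host ports that still run DTP (no "switchport mode access" / "switchport nonegotiate"), trunks that do not enumerate their allowed VLANs, and access VLANs that coincide with a trunk's native VLAN (the double-tagging precondition described in the SANS FAQ). The interface names and the sample running-config are constructed for illustration; the parser only understands the handful of "switchport" sub-commands it needs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config (not taken from the page). It mixes ports
# left at the IOS defaults with ports hardened the way the answers above describe.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description host port left at defaults (DTP still negotiates)
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description host port sitting in the default VLAN
 switchport mode access
!
interface GigabitEthernet1/0/3
 description hardened host port
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/23
 description weak uplink: native VLAN 1, every VLAN allowed
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description hardened uplink
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def _value(cmds: List[str], pattern: str) -> Optional[str]:
    """Return the first capture group of the first sub-command matching pattern."""
    for c in cmds:
        m = re.match(pattern, c)
        if m:
            return m.group(1)
    return None


def audit(config: str, default_native_vlan: int = 1) -> List[str]:
    """Flag the VLAN-hopping weaknesses discussed in the thread, as text findings."""
    interfaces = parse_interfaces(config)
    findings: List[str] = []
    access_vlan: Dict[str, int] = {}   # host port  -> its access VLAN
    native_vlan: Dict[str, int] = {}   # trunk port -> its native (untagged) VLAN

    for name, cmds in interfaces.items():
        mode = _value(cmds, r"switchport mode (\S+)")
        nonegotiate = any(c == "switchport nonegotiate" for c in cmds)
        vlan = _value(cmds, r"switchport access vlan (\d+)")

        if mode == "trunk":
            native = _value(cmds, r"switchport trunk native vlan (\d+)")
            native_vlan[name] = int(native) if native else default_native_vlan
            if _value(cmds, r"switchport trunk allowed vlan (\S+)") is None:
                findings.append(f"{name}: trunk allows every VLAN; enumerate allowed VLANs")
            if not nonegotiate:
                findings.append(f"{name}: trunk still runs DTP; add 'switchport nonegotiate'")
        elif mode == "access" or vlan is not None:
            # A host-facing port with no explicit access VLAN sits in VLAN 1.
            access_vlan[name] = int(vlan) if vlan else default_native_vlan
            if mode != "access":
                findings.append(f"{name}: no 'switchport mode access', DTP can negotiate a trunk")
            if not nonegotiate:
                findings.append(f"{name}: missing 'switchport nonegotiate'")

    # Double tagging only matters when a host's access VLAN is a trunk's native VLAN.
    for port, vlan in sorted(access_vlan.items()):
        for trunk, native in sorted(native_vlan.items()):
            if vlan == native:
                findings.append(f"{port}: access VLAN {vlan} is the native VLAN of trunk {trunk}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample prints six findings, all on the two "weak" ports and the port left in VLAN 1; the hardened host port and uplink produce none. Feed it the output of "show running-config" from a real switch to get the same report for your own ports.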