Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-5623 | NET-VLAN-007 | SV-5623r1_rule | ECSC-1 | Medium |
Description |
---|
Double encapsulation can be initiated by an attacker who has access to a switch port belonging to the native VLAN of the trunk port. Knowing the victims MAC address and with the victim attached to a different switch belonging to the same trunk group, thereby requiring the trunk link and frame tagging, the malicious user can begin the attack by sending frames with two sets of tags. The outer tag that will have the attackers VLAN ID (probably the well known and omnipresent VLAN1) is stripped off by the switch, and the inner tag that will have the victims VLAN ID is used by the switch as the next hop and sent out the trunk port. |
STIG | Date |
---|---|
Infrastructure L3 Switch Security Technical Implementation Guide | 2013-10-08 |
Check Text ( C-3769r1_chk ) |
---|
Review the switch configurations and examine all access ports. Verify that the port is not in trunk mode (i.e. for Catalyst using IOS the interface should have the command switchport mode access—not switchport mode trunk or older switches trunk off and not trunk on). A show trunk command can also be used to display all ports in trunk mode. Trace the connections from the physical port with trunk mode. This should be a Gigabit Ethernet or Fast Ethernet connection to another switch or router—it should not be connected to a workstation. |
Fix Text (F-5534r1_fix) |
---|
Disable trunking on all access ports. |