
The IAS/NSO will ensure that the native VLAN is assigned to a VLAN ID other than the default VLAN for all 802.1q trunk links.


Overview

Finding ID: V-5622
Version: NET-VLAN-008
Rule ID: SV-5622r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to the switch to which the victim is connected. If the attacker knows the victim's MAC address, it can forge a frame with two 802.1q tags and a layer 2 header whose destination address is the victim's. Since the frame ingresses the switch from a port belonging to the trunk's native VLAN, the trunk port connecting to the victim's switch simply removes the outer tag, because native VLAN traffic is sent untagged. The switch then forwards the frame onto the trunk link unaware of the inner tag, which carries the VLAN ID of which the victim's switchport is a member.
STIG: Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco
Date: 2013-10-08

Details

Check Text (C-3770r1_chk)
Review the switch configurations and examine all trunk links. Verify that the native VLAN has been configured to a VLAN other than the default VLAN 1. Following is an example of defining the native VLAN for a trunk port:

interface FastEthernet0/23
description Trunk Port
no ip address
no cdp enable
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 55
no shutdown

A show vlan command can also be used to verify what VLAN the trunked ports are assigned to.

An alternative to configuring a dedicated native VLAN is to ensure that all native VLAN traffic is tagged. This mitigates the risk of VLAN hopping, since there will always be an outer tag on native traffic as it traverses an 802.1q trunk link. For CatOS, the switch can be configured with the dot1q-all-tagged global command. On IOS, the global command vlan dot1q tag native, introduced with release 12.2(25), can be used.
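To apply this check across many devices, the trunk review above can be automated against a saved running-config. The following is an added example, not part of the STIG or a Cisco tool: it parses the interface stanzas of an IOS-style config (a constructed sample is embedded), flags every trunk whose native VLAN is the default VLAN 1, whether set explicitly or simply never configured, and treats the global vlan dot1q tag native command as the mitigation that clears the finding.

```python
import re

# Constructed sample running-config (not from the STIG page): three trunks.
SAMPLE_CONFIG = """\
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 55
!
interface FastEthernet0/24
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of indented config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return interfaces

def native_vlan_findings(config):
    """Return {trunk: native VLAN} for each trunk left on the default VLAN 1.
    The global 'vlan dot1q tag native' is the alternative mitigation, so
    when it is present no interface is flagged."""
    if re.search(r"^vlan dot1q tag native\s*$", config, re.M):
        return {}
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        native = 1  # IOS default when no native VLAN is configured
        for cmd in lines:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)
            if m:
                native = int(m.group(1))
        if native == 1:
            findings[name] = native
    return findings
```

The sample yields findings for FastEthernet0/24 (native VLAN never set) and GigabitEthernet0/1 (native VLAN explicitly 1), while FastEthernet0/23 with native VLAN 55 passes.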
Fix Text (F-5533r1_fix)
To ensure the integrity of the trunk link and prevent unauthorized access, the native VLAN of the trunk port should be changed from the default VLAN 1 to its own unique VLAN. The native VLAN must be the same on both ends of the trunk link; otherwise traffic could accidentally leak between broadcast domains.