cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
drjarmon
New Contributor III

VLAN hopping remediation

Jump to solution

Looking to put controls in place to help prevent VLAN hopping.  Reference article below provides support example for c-class switches.  Looking for guidance with Adtran switching.

  • Moving devices off VLAN 1
  • Setting port to edge mode for end nodes
  • Creating an unused default VLAN for trunks

VLAN hopping - Wikipedia, the free encyclopedia 

Am I missing anything?

Thanks

Don

Labels (1)
0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: VLAN hopping remediation

Jump to solution

- Thanks for posting your question on the forum!

It sounds like VLAN hopping exploits trunk links to access the network.

I want to mention a couple of points about AOS that are already in place: first, by default, all ports on a switch are set as access ports for VLAN 1. Another thing is that AOS trunks only support 802.1q trunking protocol so it does not have the ability to negotiate its trunking protocol. Some of the mitigation practices mentioned in the article can be implemented on an AOS switch, as well.


For the most part, you should:

- Set ports to access mode only if necessary

- Restrict trunks to only those vlans that need to use the link

- Change the native vlan on a trunk to an unused vlan ID

I hope this helps but please let us know if you have any questions,

Thanks,

Noor

View solution in original post

1 Reply
Anonymous
Not applicable

Re: VLAN hopping remediation

Jump to solution

- Thanks for posting your question on the forum!

It sounds like VLAN hopping exploits trunk links to access the network.

I want to mention a couple of points about AOS that are already in place: first, by default, all ports on a switch are set as access ports for VLAN 1. Another thing is that AOS trunks only support 802.1q trunking protocol so it does not have the ability to negotiate its trunking protocol. Some of the mitigation practices mentioned in the article can be implemented on an AOS switch, as well.


For the most part, you should:

- Set ports to access mode only if necessary

- Restrict trunks to only those vlans that need to use the link

- Change the native vlan on a trunk to an unused vlan ID

I hope this helps but please let us know if you have any questions,

Thanks,

Noor