Today’s topic was requested on Twitter, to talk a little bit about how to build Cisco switchport trunks and specifically how to improve their security configurations. We’re going to take a look at how to configure them, what are some security best practices, and Layer 2 attacks that we can mitigate with the right type of configurations.
Switchport Trunking Basics
There are two main types of trunking; there’s ISL which is a Cisco proprietary protocol that’s used for trunking, and there’s 802.1q which is open standard and used across many different types of devices. Twenty years ago we would be talking about ISL. However, we’re not doing that anymore! From this point forward, whenever I’m talking about trunking, I’m talking about 802.1q trunking.
Let’s start with the basics. We know that a VLAN is a logical way to break a network into different types of groups. Whenever you do that, each VLAN is assigned its own number or VLAN tag. What trunking does is allow a device to send multiple types of VLANs over one physical interface. Normally, we’re going to use a trunking interface when you’re connecting two different switches to each other. We also do this if we’re connecting to a gateway (Layer 3 device) and you have multiple VLANs trying to get up to whatever device is going to be doing the routing for each of those VLANs.
When normal VLAN traffic goes over trunk port, the switch applies a 802.1q frame tag. This has the original VLAN ID associated with the VLAN traffic that will be going over the trunk. The switch puts this tag onto the frame and sends it over the trunk interface. Once it gets over to the other side, the switch ends up taking that frame off.
For a trunk to be operational between two switches, there are a few things that we have to do. First, we have to put both of the connected interfaces into either trunk mode or into a dynamic mode (which will allow the port to negotiate to being a trunk if the other end is set to a trunk). In essence, both ends of the connection need to be set as trunks. Secondly, we have to make sure that the native VLAN is set to the same on both sides. What the heck is a native VLAN?!?!? Well, a native VLAN is just whatever VLAN is assigned to untagged traffic. If the switch doesn’t see any type of tag associated with traffic from a port, it tags this traffic with the default native VLAN.
Now we have two interfaces, on separate switches, connected together. Both are set up in switchport trunk mode and we have the same native VLAN assigned on both trunk interfaces. We now have an operational trunk up between two switches; we’ll be able to send traffic back and forth and that’s great! BUT… it’s not secure in the way that we would want it to be when we’re implementing best practices within a LAN environment.
Improving Switchport Trunk Security
So, there are four main trunking security configurations we want to do. First, we want to make sure only interfaces intended to be trunks are enabled to be trunks. As I mentioned before, dynamic ports auto-negotiate to being trunks. We don’t really want any part that. We’re going to statically set interfaces to trunk ports. If it’s not going to be a trunk, we’re going to statically assign it as an access port. This way we leave no ability for somebody to plug in somewhere and automatically have it negotiate to a trunk. This will minimize any type of VLAN-hopping situation happening within the environment.
Secondly, trunks by default allow any VLAN that’s on the switch to go over the trunk interface. That’s not a good thing either! It’s best practice to set a VLAN limit on the trunk interface so that we’re only permitting explicit VLANs over the trunk. If it’s connecting to a switch that doesn’t have certain VLANs on it, there’s no reason to allow unused VLANs on the trunk. So, just be very specific with the particular VLANs that you want to have going across the trunk.
The third thing that we want to do involves something that I mentioned briefly before: the native VLAN. Do you know what the native VLAN by default across any Cisco switch is? If you don’t know, it’s VLAN 1. So, if we leave our unused interfaces all on VLAN 1 and go with whatever the default is with the trunk (not actually set it to something else), something bad can happen. Any device that gets plugged into an unconfigured port is able to send traffic across all our truck interfaces.
So again, a very easy configuration is creating a unique VLAN that isn’t going to be used for anything. We assign that as our native VLAN on both sides of your trunk interfaces. Nobody will be able to plug into a port that’s accidentally configured for that native VLAN because it’s going to be a VLAN that isn’t used for anything. Then, we’ll be able to limit that type of attack.
The fourth step takes the third a little bit further. We shouldn’t have VLAN 1 being used for anything in our environment! We need to go through and make sure it’s not used for anything operational. On top of that, we want to make sure it’s not left as default on all of our unused ports. I recommend we create another VLAN that we’re going to use as a dead VLAN (what we put unused ports into).
We’re also going to make sure that we don’t allow that VLAN across the trunks. This is going to make things a bit more secure and locked down to that individual switch. So, let’s have this as our default configuration for any of your unused ports, put it in a dead VLAN, and make sure to shut the port down. This will make it a lot harder for somebody to just come and plug something into a wall socket, and then automatically have an active connection on our switch ports.
The Wrap Up
At this point, if you’re interested in seeing what this actually looks like from an implementation and configuration standpoint, take a look at the video up top. I used Cisco Packet Tracer which is a cool free tool from Cisco that allows you to go through different types of configurations. I walked through how we’d go about setting up a trunk interface between two switches, and then show you the specific configurations that I mention on this blog as best practices for configuring trunks in a secure manner.
The main thing we’re trying to protect against in these configurations is VLAN-hopping techniques. These types of attacks could likely happen if you don’t do basic network security configuration. Obviously, whoever is trying to attack our networks is also going to do the easiest things, so we might as well not make it completely easy for them.
Find out more about J.B.C.’s CyberInSight® blog here.