Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3342
Views
0
Helpful
11
Replies

Voice VLAN hopping : Hown to mitigate ?

Driss BENATTOU
Level 4
Level 4

‎11-20-2012 04:04 AM - edited ‎03-10-2019 07:48 PM

Hi,

I want your help to advise how to mitigate to voice vlan hopping attack.

First Scenario :

PC behind IP Phone : the PC will send 802.1q tag including VID of Voice VLAN. Then, the PC will get IP Address automatically from voice vlan subnet.

Solution : this attack can be mitigated by dropping 802.1q trafic from PC port. It's done at CUCM level.

Second Scenario :

The attacker connects directly to port instead of IP Phone. When he send 802.1q tag including VVID, he will retrieve IP Address from voice vlan subnet.

Solution : ????

Regards

Driss

Labels:
0 Helpful
11 Replies 11

nspasov
Cisco Employee
Cisco Employee

‎11-20-2012 07:05 AM

You can configure 802.1x on your access ports and with the help with a AAA solution such as Cisco ISE you can deny/authorize different devices on different VLANs, apply dynamic ACLs, blackhole devices, etc. For example, you can have an authorization policy where it will only authorize devices on the voice vlan if they pass EAP-TLS certificate authentication and/or dynamic profiling while sending everything else to different vlans (Data, guest, etc)

You can potentially also use macros/smart ports where a port will automatically be assigned to a "Blackhole" vlan as soon as the IP phone gets disconnected. This will prevent users/attackers from bypassing your phone/phone security

Thank you for rating!

0 Helpful

Driss BENATTOU
Level 4
Level 4
In response to nspasov

‎11-20-2012 08:18 AM

Thank you for your answer.

should I use the smart port option in combination with 802.1X or can I use it without ?

Regards

Driss

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Driss BENATTOU

‎11-20-2012 09:53 AM

Hello Driss-

That would be up to you. You can use either one or the combination of the two. Using both of them will add more security to your network but it could also require more admin overheard if phones get moved around often.

Thank you for rating helpful posts!

0 Helpful

Driss BENATTOU
Level 4
Level 4
In response to nspasov

‎11-20-2012 09:59 AM

Hello Neno,

I want to mean if smart port option will be enough for my situation, without depending on other hardware & software prerequisities ?

Regards

Driss

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Driss BENATTOU

‎11-20-2012 11:06 AM

Yes, you can use smartports without the need of an external device/solution. You can reference the document in the link below to see the different scenarios and guidelines:

http://www.cisco.com/en/US/docs/switches/lan/auto_smartports/12.2_55_se/configuration/guide/configure.html#wp1064388

Thank you for rating helpful posts!

0 Helpful

Driss BENATTOU
Level 4
Level 4
In response to nspasov

‎11-21-2012 05:02 PM

Hi,

I tried the configuration but with no positive result.

I have not control to block 802.1q tag issued from PC (Vlan hopping)

Any idea ?

Thanks

Driss

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Driss BENATTOU

‎11-21-2012 05:10 PM

Can you elaborate on which solution you tried and exactly what results you got? Also, perhaps post some configs too for evaluation...

0 Helpful

Driss BENATTOU
Level 4
Level 4
In response to nspasov

‎11-24-2012 08:00 AM

Hi,

I use auto smartport option.

the configuration applied is below : 




Switch(config)# macro auto global processing

Switch(config)# macro auto execute CISCO_PHONE_EVENT builtin CISCO_PHONE_AUTO_SMARTPORT  ACCESS_VLAN=32 VOICE_VLAN=132



Switch(config-if)# macro auto global processing
Switch(config-if)# macro auto control device phone 
Switch(config-if)# macro auto control detection cdp
Switch(config-if)# macro auto control trigger



When i plug PC behind IP  phone and I tag NIC Card with VLAN ID corresponding to VVLAN, then I receive ip address from voice subnet range.

Regards
Driss
0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Driss BENATTOU

‎11-25-2012 09:21 AM

Hi Driss-

I thought that you can mitigate that issue by controlling the voice vlan tagging at CUCM level? The goal of the auto smart port is to shutdown/place the port into a dead VLAN once a phone is disconnected.

0 Helpful

Driss BENATTOU
Level 4
Level 4
In response to nspasov

‎11-26-2012 07:50 AM

Hi,

At CUCM Level, i can block incoming tagged trafic. But, for PC connecting directly to network by bypassing the ip phone, I can't do it.

Driss

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Driss BENATTOU

‎12-16-2012 06:40 PM

Sorry Driss I fell on some of the discussions here as I got really busy. I have a quick question for you: Were you able to get the autosmart ports to work properly? If so then once the phone is disconnected from the switch, the switch should remove all relevant "VOICE" configuration. You can potentially write a script to force shutdown the port once the phone is disconnected from the port. All of this should along with the CUCM changes should provide you with enough security to block a malicious user from VLAN hopping.

Thank you for rating!

0 Helpful
Customers Also Viewed These Support Documents