Date: Nov 22, 2006
Title: Data Security and Network architecture
How to prevent “VLAN hopping” in a server farm.
VLAN hopping occurs when a specially crafted packet is sent by a server in order to bypass VLAN boundaries. There are several ways to prevent this type of hack.
VLAN hopping occurs when a server produces an encapsulated trunking packet that the access switch recognizes as a control packet to be forwarded to neighboring (trunked) switches. This is not a typical hack and requires some very detailed packet crafting, but it is at least theoretically possible to use this method to bypass a firewall or access list (ACL).
This type of attack may be prevented in a number of ways:
– remove the VLAN from trunk participation
– change the native (control) VLAN to another VLAN ID
– ensure that the server switch access ports are set to “access” mode
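The three controls above are easy to state but easy to let drift in a large server farm, so the practical check is an audit of the switch configuration. The script below is an added example, not part of the original article: it parses a constructed Cisco IOS-style configuration (the `interface` / `switchport` syntax is the common Catalyst form, assumed here for illustration) and flags every port that violates one of the three rules: a server port without an explicit `switchport mode access`, a trunk still using the default native VLAN 1 (or a native VLAN that also hosts access ports), and a trunk that carries a VLAN the operator has marked as not allowed on trunks. The `restricted_vlans` argument and all interface names and VLAN numbers are constructed sample values.

```python
"""Audit a Cisco IOS-style switch config for the three VLAN-hopping controls.

Added example (not from the original article).  The configuration text is
constructed; the command syntax assumed is the common Catalyst form.
"""
import re

# Constructed sample: Gi1/0/1 has no explicit port mode (DTP default),
# Gi1/0/48 is a trunk left on native VLAN 1 carrying every VLAN, and the
# other two interfaces are configured the way the article recommends.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description server-web01
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description server-db01
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/48
 description uplink-core-old
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet1/1/1
 description uplink-core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30-40
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped command lines]} for each stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces


def expand_vlan_list(spec):
    """'20,30-40' -> {20, 30, ..., 40}; 'all' -> None (every VLAN); 'none' -> set()."""
    spec = spec.strip()
    if spec == "all":
        return None
    if spec == "none":
        return set()
    if spec.split()[0] in ("add", "remove", "except"):
        # Incremental forms need the running allowed list; out of scope here.
        raise ValueError(f"incremental allowed-vlan form not handled: {spec!r}")
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(config, restricted_vlans):
    """Return [(interface, finding)] for every violation of the three controls."""
    findings = []
    ifaces = {name: cmds for name, cmds in parse_interfaces(config).items()
              if any(cmd.startswith("switchport") for cmd in cmds)}
    # VLANs that host access ports on this switch: a native VLAN that is also
    # an access VLAN lets single-tagged frames from that VLAN ride the trunk.
    access_vlans = set()
    for cmds in ifaces.values():
        for cmd in cmds:
            m = re.match(r"switchport access vlan (\d+)$", cmd)
            if m:
                access_vlans.add(int(m.group(1)))
    for name, cmds in ifaces.items():
        mode = None
        for cmd in cmds:
            m = re.match(r"switchport mode (\S+)", cmd)
            if m:
                mode = m.group(1)
        if mode == "trunk":
            native, allowed = 1, None  # IOS defaults: native VLAN 1, all VLANs allowed
            for cmd in cmds:
                m = re.match(r"switchport trunk native vlan (\d+)$", cmd)
                if m:
                    native = int(m.group(1))
                m = re.match(r"switchport trunk allowed vlan (.+)$", cmd)
                if m:
                    allowed = expand_vlan_list(m.group(1))
            if native == 1:
                findings.append((name, "trunk uses default native VLAN 1"))
            elif native in access_vlans:
                findings.append((name, f"native VLAN {native} also hosts access ports"))
            carried = restricted_vlans if allowed is None else restricted_vlans & allowed
            if carried:
                findings.append((name, f"trunk carries restricted VLAN(s) {sorted(carried)}"))
        elif mode != "access":
            # Anything not pinned to 'access' may negotiate a trunk via DTP.
            findings.append((name, f"port mode is {mode or 'unset (DTP default)'}; "
                                   "set 'switchport mode access'"))
    return findings


if __name__ == "__main__":
    # VLAN 10 is treated as a server-only segment that must not cross a trunk.
    for iface, finding in audit(SAMPLE_CONFIG, {10}):
        print(f"{iface}: {finding}")
```

On the sample configuration the audit reports GigabitEthernet1/0/1 (no explicit access mode) and two findings on GigabitEthernet1/0/48 (default native VLAN, restricted VLAN 10 allowed); the hardened ports produce nothing. Running this against `show running-config` output from each access switch turns the three recommendations into a repeatable check.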