Mitigating VLAN Attacks
How to mitigate VLAN hopping

Defending the network against VLAN hopping comes down to a set of best practices applied to all switch ports, plus specific parameters to set when establishing a trunk port.

  • Configure all unused ports as access ports so that trunking cannot be negotiated across those links
  • Place all unused ports in the shutdown state and associate them with a VLAN designed only for unused ports, carrying no user data traffic
  • When establishing a trunk link, purposefully configure:
    • the Native VLAN to be different from any data VLANs
    • trunking as on, rather than negotiated
    • the specific VLAN range to be carried on the trunk
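
The checklist above can be run as an audit over a switch configuration. The following is an added example, not part of the original page: a small Python checker that reads interface stanzas and reports which of the listed practices each port violates. It assumes Cisco IOS-style command syntax (the page names no vendor); the function names, interface names, VLAN numbers and sample configuration are all constructed for illustration.

```python
# Constructed sample in Cisco IOS-style syntax (assumed; the page names no vendor).
SAMPLE = """\
interface Gi0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
interface Gi0/2
 switchport mode trunk
 switchport trunk native vlan 10
interface Gi0/3
 switchport mode dynamic desirable
"""

def parse(config):
    """Map each interface name to the list of its stripped sub-commands."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return ports

def audit(config, unused, parking_vlan, data_vlans):
    """Return {interface: [issues]} for the practices listed above."""
    report = {}
    for name, cmds in parse(config).items():
        arg = lambda p: next((c[len(p):].strip() for c in cmds if c.startswith(p)), None)
        mode, native, issues = arg("switchport mode"), arg("switchport trunk native vlan"), []
        if mode == "trunk":
            if "switchport nonegotiate" not in cmds:
                issues.append("trunk negotiation still enabled")
            if native is None or int(native) in data_vlans:
                issues.append("native VLAN unset or equal to a data VLAN")
            if arg("switchport trunk allowed vlan") is None:
                issues.append("no explicit allowed VLAN range")
        elif mode != "access":
            issues.append("not a static access port, trunking can be negotiated")
        if name in unused and arg("switchport access vlan") != str(parking_vlan):
            issues.append("unused port not in the parking VLAN")
        if name in unused and "shutdown" not in cmds:
            issues.append("unused port not shut down")
        report[name] = issues
    return report
```

Calling `audit(SAMPLE, unused={"Gi0/3"}, parking_vlan=999, data_vlans={10, 20})` returns an empty issue list for Gi0/1 and three findings each for Gi0/2 and Gi0/3.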