
Are Cisco switches vulnerable to VLAN hopping? We use Layer 2+ and Layer 3 switches in a hardened environment. They are IE-3000 and IE-4000 series switches.

We want to perform a vulnerability scan at many levels, but we are concerned mainly about VLAN hopping since each VLAN should be seriously separated from each other.

Anders
rockower
    This question seems to be able to be answered by googling. People who would answer here either should google the answers for you or just know the answer, by coincidence. Maybe you will find something useful here https://www.cvedetails.com/vulnerability-list/vendor_id-16/product_id-19/Cisco-IOS.html – skooog Nov 14 '17 at 14:24
  • They can be made secure against VLAN hopping, but it's quite easy (and common) for weak configuration to let this happen, such as allowing a trunk port to be accessible from an unsecured area. – paj28 Nov 14 '17 at 19:35

1 Answer


TLDR; Prevention:

  • Don't allow ports to negotiate trunk with any device that asks for it.

  • Don't put hosts in the native VLAN.

I have done demonstrations in the past on VLAN hopping and this usually comes down to configuration of the devices and the series of switches.

For example, in Cisco's Catalyst family of switches, DTP is set to 'desirable' by default, meaning that it is willing to trunk and all you have to do is tell that port that you want to trunk and it will create that trunk link and negotiate the encapsulation protocol (Usually 802.1Q). I demonstrated this using a tool called Yersinia.

Some families of Cisco devices don't even use DTP at all and use a different process and/or protocol for negotiation of a trunk link.

Another variable that has to come together for this attack to happen is the use of the Native VLAN.

An easy way to prevent such an attack is to not place any hosts in the Native VLAN and/or set DTP mode to nonegotiate.

Overall, you'll have to see if the IE series uses DTP. If it doesn't but uses something similar then make sure your ports will not auto trunk with any device that asks for it. This would essentially prevent a rogue device from trunking and sending double encapsulated packets which also needs to make use of the Native VLAN.

To say your devices are vulnerable or not is hard without seeing the configuration, but the above methods will help prevent the attack from succeeding.

nd510
  • 1,738
  • 1
  • 10
  • 15
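The answer says the question can only be settled by looking at the configuration, so here is a small configuration audit that checks exactly the two preconditions it names: ports that will still negotiate a trunk over DTP, and host ports sitting in a VLAN that some trunk uses as its native VLAN. This is an added example, not code from the answer or from Cisco; the running-config excerpt is constructed for the demonstration, and the assumed platform default of `dynamic desirable` for ports with no explicit `switchport mode` is a parameter you should set to whatever your IE-series switch actually defaults to (the answer itself notes that this varies by family).

```python
"""Audit a Cisco IOS-style running-config for the VLAN-hopping preconditions
described in the answer: DTP trunk negotiation and hosts in a native VLAN.
Added example; the config below is constructed, not from a real device."""
import re
from typing import Dict, List

# Constructed sample running-config excerpt (hypothetical interfaces).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 description Uplink to core, native VLAN left at default
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport mode trunk
!
interface GigabitEthernet1/2
 description PLC, no mode configured so DTP default applies
 switchport access vlan 10
!
interface GigabitEthernet1/3
 description HMI, hardened access port
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/4
 description Spare port, host left in VLAN 1
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/5
 description Hardened trunk with unused native VLAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
"""

# Assumed platform default for ports with no 'switchport mode' line.
# Set this to your switch family's real default before trusting the report.
DEFAULT_MODE = "dynamic desirable"


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [indented config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any non-indented line closes the block
    return interfaces


def _port_state(lines: List[str], default_mode: str) -> dict:
    """Reduce an interface block to the few settings that matter here.
    Unconfigured values fall back to IOS defaults (VLAN 1, DTP on)."""
    state = {"mode": default_mode, "nonegotiate": False,
             "native_vlan": 1, "access_vlan": 1}
    for line in lines:
        m = re.match(r"switchport mode (.+)", line)
        if m:
            state["mode"] = m.group(1)
        elif line == "switchport nonegotiate":
            state["nonegotiate"] = True
        else:
            m = re.match(r"switchport trunk native vlan (\d+)", line)
            if m:
                state["native_vlan"] = int(m.group(1))
            m = re.match(r"switchport access vlan (\d+)", line)
            if m:
                state["access_vlan"] = int(m.group(1))
    return state


def audit_config(config: str, default_mode: str = DEFAULT_MODE) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every interface in the config."""
    states = {name: _port_state(lines, default_mode)
              for name, lines in parse_interfaces(config).items()}
    # Native VLANs actually carried by trunks in this config (1 if never set).
    trunk_natives = {s["native_vlan"] for s in states.values() if s["mode"] == "trunk"}
    findings: Dict[str, List[str]] = {}
    for name, s in states.items():
        issues = []
        if s["mode"].startswith("dynamic"):
            issues.append(f"DTP mode '{s['mode']}': port will trunk with any device that asks")
        elif not s["nonegotiate"]:
            issues.append("DTP frames still sent; add 'switchport nonegotiate'")
        if s["mode"] == "trunk" and s["native_vlan"] == 1:
            issues.append("trunk native VLAN left at default (1)")
        if s["mode"] != "trunk" and s["access_vlan"] in trunk_natives:
            issues.append(f"host port in VLAN {s['access_vlan']}, the native VLAN of a trunk")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit_config(SAMPLE_CONFIG).items():
        print(iface, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Run it against `show running-config` output saved to a file; only interfaces that come back with an empty list meet both of the answer's recommendations (explicit access or trunk mode plus `switchport nonegotiate`, and no host VLAN shared with a trunk's native VLAN). The check treats an unset native VLAN as 1 because that is the IOS default, which is why the spare port in VLAN 1 is flagged even though it was never explicitly assigned.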