A nice introduction to VLAN hacking and attack prevention has been posted over at InfoSec Institute. It makes some good points that every network administrator should care about; a few of them for administrators would be:
- Manage switches as securely as possible (for example over SSH rather than Telnet).
- Do not leave trunk ports on the default native VLAN. Give all trunk ports a dedicated native VLAN ID that is not assigned to any access port, so an attacker's access VLAN can never match a trunk's native VLAN (the condition double-tagging attacks rely on).
- Set all user ports to non-trunking (switchport mode access) so that DTP cannot negotiate a trunk on them.
- Deploy port-security on user ports where possible for more protection. (Note: be careful when configuring port-security; a MAC limit or violation action that is too strict will disable legitimate ports.)
- Avoid using VLAN 1, the default VLAN, for any traffic.
- Enable BPDU Guard on user ports to mitigate STP attacks; a port that receives a BPDU is then shut down.
- Use private VLANs where appropriate to further segment Layer 2 networks.
- If VTP is used, enable its MD5 authentication by setting a VTP password.
- Disable unused ports.
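As an added example (not code from the article or from InfoSec Institute), the following Python script audits a Cisco IOS-style running configuration against the points above. It parses the interface blocks out of the config text and reports trunks left on native VLAN 1, user ports not forced to access mode, ports in VLAN 1 or without port-security or BPDU Guard, VTP running without a password, and enabled ports with no configuration at all. The two sample configs, their interface names and VLAN numbers are assumptions constructed for the example, and the "unused port" rule is a heuristic.

```python
"""Audit an IOS-style switch config against the VLAN hardening points above.
Added example, not code from the InfoSec Institute article.  It assumes the
Cisco IOS "show running-config" layout (interface blocks, indented lines); the
sample configs, interface names and VLAN numbers are constructed.  "Unused
port" is a heuristic: an enabled interface with no configuration lines."""
import re

# Constructed weak config: VTP server with no password, trunk on native VLAN 1,
# a user port left at DTP defaults in VLAN 1, and an enabled unconfigured port.
WEAK_CONFIG = """\
vtp mode server
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 description user port left at defaults
!
interface GigabitEthernet0/3
!
"""

# Constructed hardened config applying the points above (VLAN 999 is an
# arbitrary dedicated native VLAN; nonegotiate turns DTP off on the trunk).
HARDENED_CONFIG = """\
vtp mode transparent
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport port-security
!
interface GigabitEthernet0/3
 shutdown
!
"""

def parse(config):
    """Split config text into global commands and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def first(lines, pattern):
    # Group 1 of the first line matching the anchored regex, else None.
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None

def audit(config):
    """Return (scope, finding) pairs; an empty list means every check passed."""
    global_lines, interfaces = parse(config)
    findings = []
    # VTP in server/client mode with no password has no MD5 authentication
    # (assumes VTP lines appear in the config text; IOS defaults to server).
    vtp_mode = first(global_lines, r"vtp mode (\S+)") or "server"
    if vtp_mode in ("server", "client") and not any(g.startswith("vtp password") for g in global_lines):
        findings.append(("global", "VTP active without a password (no MD5 authentication)"))
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines
    for name, lines in interfaces.items():
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        if has("shutdown"):
            continue  # disabled port, nothing to check
        if not lines:
            findings.append((name, "unconfigured port is enabled; shut it down"))
            continue
        mode = first(lines, r"switchport mode (\S+)")
        if mode == "trunk":
            if (first(lines, r"switchport trunk native vlan (\d+)") or "1") == "1":
                findings.append((name, "trunk uses native VLAN 1; use a dedicated native VLAN"))
            continue
        # Anything that is not a trunk is treated as a user port.
        if mode != "access":
            findings.append((name, "no 'switchport mode access'; DTP may negotiate a trunk"))
        if (first(lines, r"switchport access vlan (\d+)") or "1") == "1":
            findings.append((name, "user port is in VLAN 1"))
        if not has("switchport port-security"):
            findings.append((name, "port-security not enabled"))
        if not (bpduguard_default or has("spanning-tree bpduguard enable")):
            findings.append((name, "BPDU Guard not enabled"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(WEAK_CONFIG):
        print(f"{scope}: {finding}")
```

Run as a script it prints seven findings for the weak config and none for the hardened one. The checks are purely textual: they only see what is in the config dump, so on platforms where VTP settings do not appear in the running-config, or where BPDU Guard is applied by a different global command, the patterns need adjusting before the result is trusted.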