VLAN Review
Cisco provided a review of switch security issues (the VLAN Security White Paper). Our goal is to aggregate that information with the ICAT vulnerability database entries and the references listed below, and to evaluate it in the context of constructing a contained experimental network.
- CAN-1999-1129
Summary: Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag.
- CVE-2001-0429
Summary: Cisco Catalyst 5000 series switches 6.1(2) and earlier will forward an 802.1x frame on a Spanning Tree Protocol (STP) blocked port, which causes a network storm and a denial of service.
- Many vulnerabilities relate to exposing an administrative interface over IP, whether telnet, ssh or web. If the switch is configured only through the console (serial port) and every other administrative interface is disabled, this class of vulnerabilities is not exploitable. Containment of the security experiments is more trustworthy if all of the switch's ports are experimental ports and no port connects to the outside world.
Documented attacks:
- Overflow of CAM tables (a.k.a. the "MAC flooding attack"). "Packet flooding however is constrained within the VLAN of origin, therefore no VLAN hopping is permitted" (Cisco). The CAM table is nevertheless a single resource shared by all VLANs on the switch: once an attacker in one VLAN has filled it, entries for stations in other VLANs are evicted or can no longer be learned, and their unicast traffic is flooded within their own VLANs. No hopping occurs, but one experiment can degrade the others. The "port security" feature prevents this. Shutting the port down when a violation occurs (the default "shutdown" violation mode) is not an acceptable solution for an experimental network. The alternatives are to limit each port to N learned MAC addresses or, for maximum security, to configure the permitted MAC addresses statically per port. Convery [Con01] warns that the "restrict" violation mode may fail under macof load (macof being the CAM overflow tool written by Ian Vitek). For reference, Cisco IOS offers three violation modes and CatOS two: "protect" silently drops frames from addresses beyond the limit, "restrict" drops them but also increments a violation counter and generates syslog messages and SNMP traps, and "shutdown" error-disables the port. The per-violation logging is the plausible reason restrict degrades under a flood of thousands of new source addresses per second. We decided to divide the size of the CAM table by the number of interfaces and set that as the maximum number of learned MAC addresses under port security. As we disabled SNMP, we hope that the conditions reported by Convery won't materialize. This needs to be tested further.
- DTP (Dynamic Trunking Protocol). "If a switch port were configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN" (Cisco). Since we won't use trunking, DTP can be disabled: every port is forced to access mode with trunk negotiation off. The result should be verified on each port rather than assumed, because the factory default port mode on many Catalyst platforms is "dynamic desirable" or "dynamic auto", i.e. willing to become a trunk.
- Misconfiguration of trunk ports. Since 48-port switches are available, the whole experimental network fits on a single switch; trunking is not needed and should be off on all ports (see DTP).
- Using VLAN 1. A most convincing explanation of why not to use VLAN 1 for anything is given in [Con01]. VLAN 1 cannot be deleted, and on trunks it carries the switch's control-plane protocols (CDP, VTP, PAgP, DTP) regardless of configuration. It has been recommended to shut it down ([Gil02]). Upon configuring a Cisco switch, I noticed that VLAN 1 has its own virtual MAC address and can have its own IP address (e.g., when selected as the management interface)! If an attacker knows the MAC address of VLAN 1, what can they do (even if there is no IP address associated with it)?
- Native VLAN: by default VLAN 1, and all ports belong to VLAN 1 by default. Frames of the native VLAN are sent untagged on a trunk, and untagged frames received on a trunk are assigned to the native VLAN, so the native VLAN receives and processes both tagged and untagged frames. This is what allows the VLAN hopping attack described in [Tay00] (the "double encapsulated" attack): an attacker on a port in the native VLAN sends a frame carrying two 802.1Q tags, the outer one for the native VLAN and the inner one for the victim VLAN. When the first switch forwards the frame over a trunk it strips the outer tag (native VLAN frames leave untagged); the second switch reads the remaining inner tag and delivers the frame into the victim VLAN. The attack requires source and destination to be on different switches, works only if the trunk's native VLAN is the attacker's VLAN, and is one-way (no reply can return by the same route). By using a single 48-port switch for the experimental network there are no trunks and the attack cannot be launched. In addition, the native VLAN won't be used for any ports.
- Misconfiguration of the management VLAN. The usual configuration problem is to use VLAN 1, which is also the default VLAN and the native VLAN, so that by default every newly connected host has access to the management interface. We will manage the switch out-of-band (console), so the management VLAN interface should be disabled or assigned to a VLAN that does not exist.
- STP (Spanning Tree Protocol). Used to prevent loops in a redundant Layer 2 topology, and a DoS risk (forged BPDUs can claim the root role or force continual topology changes). Not needed here and should be off, since there is no redundancy and therefore no loop by design. Caveat: with STP off, a loop created inside an experiment (two experimental ports cabled together, or a host bridging two interfaces in the same VLAN) produces a broadcast storm in that VLAN that nothing stops. If that is a concern, the alternative is to keep STP running and enable BPDU Guard on every access port, which closes the forged-BPDU vector at the cost of error-disabling the port that sent the BPDU.
- VTP (VLAN Trunking Protocol). Not needed, since there is no trunking; put the switch in VTP transparent mode so it neither advertises its VLAN database nor accepts updates (a forged VTP advertisement with a higher revision number can otherwise delete every VLAN on the switch).
- CDP, VMPS, VQP and the like: disabled. CDP announces platform, software version and addressing to anything plugged into a port; VMPS/VQP assign VLANs dynamically by source MAC address, which is trivially spoofable, and are unnecessary since VLAN membership here is static per port.
- Private VLAN attacks through routers: not applicable, there are no routers and no private VLANs here.
- SNMP: not needed; turn it off and remove all community strings.
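Pulling the decisions above into one place, the following is an added configuration example written for this review; it is not configuration from the page, from Cisco's white paper or from Gill's template. It assumes an IOS-based Catalyst (CatOS "set" syntax differs), ports FastEthernet0/1 - 48, two experiments in VLANs 10 and 20 (the numbering is illustrative), and an 8192-entry CAM table, which gives floor(8192 / 48) = 170 learned addresses per port.

```cisco
! Added example, not from the page or the cited templates.  Assumptions:
! IOS CLI, ports FastEthernet0/1 - 48, experiments in VLANs 10 and 20,
! 8192-entry CAM table so floor(8192 / 48) = 170 addresses per port.
!
! Administration only through the serial console: no IP-reachable
! management service of any kind.
no ip http server
no snmp-server
no cdp run
line vty 0 15
 transport input none
!
! VLAN 1 cannot be deleted, so leave it with no members, no address and
! its interface administratively down.
interface Vlan1
 no ip address
 shutdown
!
! No trunking: VTP transparent (no advertisements sent or accepted) and
! no spanning tree, since there is no redundant link.  If loops created
! by experimenters are a concern, drop the "no spanning-tree" line and
! use "spanning-tree portfast bpduguard default" instead.
vtp mode transparent
no spanning-tree vlan 1-4094
!
! Experimental VLANs; VLAN 1 (the native VLAN) is assigned to no port.
vlan 10
 name experiment-a
vlan 20
 name experiment-b
!
! Every port: fixed access mode with DTP off, so a forged DTP frame
! cannot turn it into a trunk; CDP off; port security bounding CAM
! consumption.  "restrict" drops excess addresses and counts them
! without shutting the port; "protect" drops them with no counter, log
! or trap and so avoids the load Convery warns about.  For static
! assignment replace "maximum" with one
! "switchport port-security mac-address H.H.H" line per host.
interface range FastEthernet0/1 - 24
 description experiment-a
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 170
 switchport port-security violation restrict
 no cdp enable
!
interface range FastEthernet0/25 - 48
 description experiment-b
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 170
 switchport port-security violation restrict
 no cdp enable
```

Verify rather than trust the defaults: "show interfaces switchport" should report "Administrative Mode: static access" and "Negotiation of Trunking: Off" on every port, "show dtp" should list no DTP-enabled interfaces, "show port-security" should show the 170 limit and the restrict mode, "show vtp status" should report transparent mode, "show cdp" should report CDP not enabled, "show snmp" should report the agent not enabled, and "show ip interface brief" should show Vlan1 administratively down with no address.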
[Con01] Convery S (2002) Hacking Layer 2: Fun with Ethernet Switches.
[Tay00] Taylor D (2000) Are there vulnerabilities in VLAN implementations? VLAN security test report. SANS Institute.
[Gil02] Gill S (2002) Catalyst Secure Template, version 1.21.
