VLAN Hopping

VLAN hopping is a critical security vulnerability that allows attackers to bypass VLAN segmentation by sending traffic to VLANs they shouldn’t have access to. This attack exploits misconfigurations in switch trunk ports and can compromise network isolation (the primary purpose of VLANs).

Attack Methods

  • Switch Spoofing: Attacker configures their device to mimic a switch by sending Dynamic Trunking Protocol (DTP) frames

    • Exploits auto-negotiation on switch ports configured as dynamic auto or dynamic desirable
    • Once trunk is established, attacker gains access to all VLANs on that trunk
    • For example, plugging a device into a conference room jack that auto-negotiates to trunk mode
  • Double Tagging: Attacker sends frames with two 802.1Q tags to reach target VLAN

    • Outer tag matches native VLAN (untagged traffic on trunk)
    • Inner tag specifies target VLAN where attack traffic should land
    • Works because first switch strips outer tag, second switch processes inner tag
    • Limited to attacking VLANs on switches downstream from attacker’s location

Technical Mechanics

| Attack Type | Requirements | Scope | Detection Difficulty |
|---|---|---|---|
| Switch Spoofing | DTP enabled, auto-negotiation | All VLANs on trunk | Moderate |
| Double Tagging | Native VLAN access, 802.1Q trunks | Downstream VLANs only | High |

Vulnerability Conditions

  • DTP Auto-Negotiation: Ports configured as switchport mode dynamic auto/desirable

    • These modes automatically form trunks when DTP frames are received
    • Default behavior on many Cisco switches (major security risk)
    • Attacker sends DTP Desirable frames to trigger trunk formation
  • Native VLAN Misconfiguration: Using VLAN 1 or predictable native VLANs

    • Native VLAN traffic travels untagged across trunk links
    • Double tagging attacks require access to native VLAN first
    • Default native VLAN 1 is commonly known and targeted

Prevention Strategies

Configure all access ports explicitly; never rely on auto-negotiation for security.

  • Disable DTP: Use switchport mode access on all end-user ports

    • Prevents automatic trunk formation regardless of received DTP frames
    • Use switchport nonegotiate to completely disable DTP on the interface
  • Secure Trunk Configuration:

    • Set trunk mode explicitly: switchport mode trunk
    • Change native VLAN: switchport trunk native vlan [unused-vlan]
    • Use unused VLAN (like VLAN 999) as native to isolate untagged traffic
    • Prune unnecessary VLANs: switchport trunk allowed vlan [specific-vlans]
  • Port Security: Implement additional access controls

    • MAC address filtering on access ports
    • 802.1X authentication for dynamic VLAN assignment
    • Shut down unused ports (defense-in-depth approach)
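As an added example (not part of the original notes), the script below audits an IOS-style running-config text for the conditions listed under Vulnerability Conditions and checks each port against the prevention settings above: dynamic/auto DTP modes, missing switchport nonegotiate, native VLAN 1 on trunks, and trunks with no allowed-VLAN pruning. The config fragment and interface names are constructed, and a port with no explicit switchport mode is assumed to keep the default of dynamic auto.

```python
# Constructed sample of an IOS-style running-config (illustration only, not from a real device)
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [its indented lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_interface(lines):
    """Return VLAN-hopping findings for one switchport; an empty list means hardened."""
    mode = next((ln[len("switchport mode "):] for ln in lines if ln.startswith("switchport mode ")), None)
    if mode is None or mode.startswith("dynamic"):  # assumption: no mode set = default dynamic auto
        return ["DTP auto-negotiation enabled: port can be negotiated into a trunk (switch spoofing)"]
    findings = []
    if "switchport nonegotiate" not in lines:
        findings.append("DTP still active: add switchport nonegotiate")
    if mode == "trunk":
        native = [int(ln.split()[-1]) for ln in lines if ln.startswith("switchport trunk native vlan ")]
        if not native or native[0] == 1:  # IOS default native VLAN is 1 when none is set
            findings.append("native VLAN 1 on trunk: double-tagging exposure")
        if not any(ln.startswith("switchport trunk allowed vlan ") for ln in lines):
            findings.append("all VLANs allowed on trunk: prune with an allowed vlan list")
    return findings

def audit_config(config):
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}
```

Running audit_config over a saved `show running-config` output flags every port that still has a hopping precondition; an empty list for a port means all four checks passed.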

Vocabulary

  • Native VLAN: VLAN that carries untagged traffic on 802.1Q trunk links
  • DTP (Dynamic Trunking Protocol): Cisco proprietary protocol for automatic trunk negotiation
  • 802.1Q: IEEE standard for VLAN tagging using a 4-byte tag in the Ethernet frame
  • Trunk Port: Switch port carrying traffic for multiple VLANs using tags
  • Access Port: Switch port belonging to a single VLAN; sends/receives untagged frames

Notes

  • Most VLAN hopping attacks succeed because of default switch configurations; always harden switches before deployment
  • Double tagging attacks are unidirectional (attacker can send but not receive responses directly)
  • Modern network monitoring tools can detect unusual trunk formations and double-tagged frames
  • In high-security environments, consider using separate physical switches instead of VLANs for critical isolation
  • Remember: VLANs provide segmentation, not security; always implement proper access controls and monitoring
  • VLAN hopping is particularly dangerous in flat network designs where VLANs are the primary security boundary