VLAN hopping attacks exploit default switch behavior to allow an attacker to bypass VLAN segmentation and gain unauthorized access to traffic on other VLANs. Understanding these attacks and their prevention is critical for the CCNA 200-301 exam (Objective 5.2: Security Fundamentals) and for securing real enterprise networks. This chapter dives deep into the mechanics of VLAN hopping, the two primary attack methods (switch spoofing and double tagging), and the Cisco IOS configurations that mitigate them.
Imagine a hotel where each floor is a different VLAN, and the elevator is a trunk link. Guests (frames) use keycards (VLAN tags) to access their floor. In a switch spoofing attack, a malicious guest on floor 2 pretends to be hotel staff by flashing a master keycard (DTP dynamic desirable mode) and convinces the elevator to treat them as a trunk link. Once the elevator believes the guest is staff, it allows them to access any floor by simply pressing the button (tagging frames with any VLAN ID). In a double tagging attack, the guest exploits the fact that the elevator only reads the outermost keycard (tag). They place two keycards in their pocket: an outer card for floor 2 (the native VLAN) and an inner card for floor 10 (the target VLAN). The elevator sees the outer card, assumes it belongs to floor 2, and sends the guest to that floor. Once there, the floor security (the second switch) removes the outer card and reads the inner card, granting access to floor 10. The hotel's mistake? They allowed the elevator to accept any keycard without verifying the guest's identity (no port security) and they used the same keycard for both staff and guests (native VLAN on trunk). To fix this, the hotel now requires staff to use a separate, secure elevator (dedicated trunk ports) and shreds the outer keycard upon entry (native VLAN tagging).
What is VLAN Hopping?
VLAN hopping is a network attack where an attacker gains access to traffic on VLANs other than their own by exploiting the default behavior of switch trunking protocols. The two primary methods are switch spoofing and double tagging. Both rely on misconfigured or default switch ports that allow unauthorized trunk negotiation or improper handling of 802.1Q tags.
Switch Spoofing Attack
In switch spoofing, the attacker's device imitates a switch by sending Dynamic Trunking Protocol (DTP) messages. DTP is a Cisco proprietary protocol that automatically negotiates trunk links between switches. By default, many Cisco switch ports are in dynamic desirable or dynamic auto mode, which means they will respond to DTP requests and form a trunk. An attacker connected to such a port can send DTP packets to put the port into trunking mode. Once the port becomes a trunk, the attacker can send frames tagged with any VLAN ID (1-4094) and receive traffic from all VLANs that traverse that trunk. This completely bypasses VLAN segmentation.
Double Tagging Attack
Double tagging is a more sophisticated attack that works even when trunk ports are manually configured and DTP is disabled. The attacker must be on a switch that uses the same native VLAN as the trunk link between switches. In 802.1Q, frames on the native VLAN are sent untagged on a trunk. The attacker crafts a frame with two 802.1Q tags: the outer tag matches the native VLAN of the trunk, and the inner tag is the target VLAN. When the first switch receives the frame, it strips the outer tag (because it is on the native VLAN) and forwards the frame out the trunk port. The second switch sees the inner tag and forwards the frame to the target VLAN. The attacker can then sniff traffic or launch further attacks on that VLAN. Double tagging is a unidirectional attack—the attacker can send frames to the target VLAN but cannot receive responses unless they also manipulate the return path.
Prevention Mechanisms
Cisco provides several methods to prevent VLAN hopping:
Disable DTP on all access ports: Use switchport mode access on ports that connect to end devices. This prevents the port from becoming a trunk, even if the attacker sends DTP packets.
Set the native VLAN to an unused VLAN: Change the native VLAN on trunk ports from the default VLAN 1 to a VLAN that is not used for any user traffic. This prevents double tagging attacks because the attacker would need to guess the native VLAN.
Enable native VLAN tagging: Use vlan dot1q tag native on the switch to force all frames, including native VLAN frames, to be tagged on trunk ports. This eliminates the untagged traffic that double tagging exploits.
Use dedicated trunk ports: Manually configure trunk ports with switchport mode trunk and never rely on DTP negotiation.
Implement Port Security: While not directly preventing VLAN hopping, port security can limit the number of MAC addresses and prevent unauthorized devices from connecting.
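The tag stripping described above, and the effect of `vlan dot1q tag native` on it, modelled in Python as an added example (not from the original page): it decodes stacked 802.1Q tags from a raw Ethernet frame, applies the trunk's native-VLAN egress rule, and includes a check a monitoring tool could use to flag frames that carry a second tag behind the native one. The frame addresses and payload are constructed test values.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag

def vlan_tags(frame):
    """Return the VLAN IDs of all stacked 802.1Q tags, outermost first."""
    tags, offset = [], 12                      # skip dst MAC (6) + src MAC (6)
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid != TPID_8021Q:
            break
        tags.append(tci & 0x0FFF)              # low 12 bits of the TCI = VLAN ID
        offset += 4
    return tags

def trunk_egress(frame, native_vlan, tag_native=False):
    """Model how a switch sends a frame out an 802.1Q trunk.

    Default: a frame in the native VLAN goes out untagged, so its outer tag is
    stripped and any second tag is exposed to the next switch. With
    'vlan dot1q tag native' (tag_native=True) the native tag is kept.
    """
    tags = vlan_tags(frame)
    if tags and tags[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]         # drop the 4-byte outer tag
    return frame

def double_tag_risk(frame, native_vlan):
    """Detection check: outer tag is the trunk's native VLAN and another tag follows."""
    tags = vlan_tags(frame)
    return len(tags) >= 2 and tags[0] == native_vlan

def sample_frame(vlans, payload=b"\x00" * 46):
    """Constructed test frame with the given tag stack (addresses made up)."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload   # IPv4 EtherType, then payload
```

With the native VLAN moved to an unused ID, or with tagging of the native VLAN enabled, `trunk_egress` leaves the outer tag in place and the inner tag never reaches the next switch as the frame's only tag.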
Verification Commands
To verify the trunking status and native VLAN on a Cisco switch:
```
Switch# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,99
```

To check the DTP mode of an interface:

```
Switch# show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Inactive)
...
```

To verify native VLAN tagging:

```
Switch# show running-config | include dot1q
vlan dot1q tag native
```

Interaction with VLAN Trunking Protocol (VTP)
VTP (VLAN Trunking Protocol) is used to synchronize VLAN databases across switches. While VTP itself is not a direct cause of VLAN hopping, misconfigured VTP domains can make it easier for an attacker to propagate rogue VLANs. It is best practice to set VTP to transparent mode or disable it on all switches to prevent unauthorized VLAN changes.
Identify All Switch Ports
Begin by identifying every switch port that connects to an end device (PC, printer, IP phone). These ports should never be trunk ports. Use `show interfaces status` or `show interfaces switchport` to see the current mode. Look for ports that are in 'dynamic desirable' or 'dynamic auto' mode—these are vulnerable to switch spoofing. Also check if any trunk ports have the default native VLAN (VLAN 1).
Configure Access Ports Manually
For each port that connects to an end device, configure it as a static access port using the following commands:

```
interface GigabitEthernet0/2
 switchport mode access
```

This disables DTP negotiation on that port, preventing an attacker from forming a trunk. The port will only forward frames for a single VLAN (the default access VLAN, usually VLAN 1 unless changed). This is the most critical step in preventing switch spoofing attacks.
Change Native VLAN on Trunks
On trunk ports, change the native VLAN from the default VLAN 1 to an unused VLAN (e.g., VLAN 999). This prevents double tagging attacks because the attacker would need to know the native VLAN to craft a valid double-tagged frame. Use the following configuration:

```
interface GigabitEthernet0/1
 switchport trunk native vlan 999
```

Ensure that VLAN 999 exists on all switches in the path and is not used for any user traffic.
Enable Native VLAN Tagging
To further protect against double tagging, enable native VLAN tagging globally on the switch. This forces all frames on the native VLAN to be sent with an 802.1Q tag, eliminating untagged frames. Use the command:

```
vlan dot1q tag native
```

This command is executed in global configuration mode. After this, even native VLAN frames are tagged, so an attacker cannot exploit the untagged nature of native VLAN traffic. Note: This requires all devices on the trunk to support 802.1Q tagging for the native VLAN.
Disable DTP Globally (Optional)
While not strictly necessary if all ports are manually configured, you can disable DTP globally on the switch to prevent any DTP negotiation. This is done by setting all interfaces to either access or trunk mode. There is no single 'no dtp' command; instead, you must ensure no interface is in dynamic mode. Alternatively, on some platforms, you can use `switchport nonegotiate` on trunk ports to suppress DTP frames. Example:

```
interface GigabitEthernet0/1
 switchport nonegotiate
```

This command stops the interface from sending DTP frames but does not prevent it from responding to DTP if it is in dynamic mode. Therefore, it is best used on manually configured trunk ports.
Verify Configuration
After making changes, verify the configuration using `show interfaces trunk` and `show interfaces switchport`. Ensure that trunk ports show the correct native VLAN and that access ports show 'Operational Mode: static access'. Also verify that DTP negotiation is off on access ports by checking that 'Negotiation of Trunking' is 'Off' for access ports. Example:

```
Switch# show interfaces gigabitethernet 0/2 switchport | include Negotiation
Negotiation of Trunking: Off
```

If you enabled native VLAN tagging, confirm with `show running-config | include dot1q`.
In a typical enterprise campus network, VLAN hopping attacks are a serious concern because they undermine the entire VLAN segmentation strategy. For example, consider a financial institution with a guest Wi-Fi VLAN (VLAN 10) and a sensitive financial database VLAN (VLAN 100). If an attacker on the guest VLAN can perform switch spoofing, they can trunk to the switch and access VLAN 100 directly. To prevent this, network engineers follow a strict port hardening policy:
Access ports: Every port connecting to a user device is hard-set to switchport mode access. This is enforced through automated configuration management tools like Ansible or Python scripts that scan for any dynamic mode ports and flag them.
Trunk ports: All inter-switch links are manually configured as trunks with switchport mode trunk and switchport nonegotiate. The native VLAN is changed to an unused VLAN (e.g., VLAN 999) on every trunk. Additionally, native VLAN tagging is enabled globally to eliminate untagged frames.
DTP disabled: DTP is effectively disabled by never using dynamic modes. Some organizations also disable DTP globally by configuring all ports statically.
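The port audit from the "Identify All Switch Ports" step and the automated scan for dynamic-mode ports mentioned in the policy above, written as an added Python example (not code from the original page): it parses `show interfaces switchport` output in the format shown earlier and flags dynamic DTP modes, trunks that still negotiate, and trunks left on native VLAN 1. The sample output is constructed for a hypothetical switch and trimmed to the fields the audit reads.

```python
import re

# Constructed sample 'show interfaces switchport' output (hypothetical switch),
# trimmed to the fields the audit reads.
SAMPLE_SWITCHPORT = """\
Name: Gi0/1
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/2
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/3
Administrative Mode: dynamic desirable
Operational Mode: static access
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
"""

FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")

def parse_switchport(text):
    """Split the output into one dict of fields per interface, keyed by Name."""
    ports, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports

def audit_port(name, fields):
    """Apply the page's hardening rules to one interface; [] means hardened."""
    findings = []
    admin = fields.get("Administrative Mode", "")
    native = fields.get("Trunking Native Mode VLAN", "")
    native_id = int(native.split()[0]) if native[:1].isdigit() else None
    if "dynamic" in admin:          # dynamic auto/desirable: open to switch spoofing
        findings.append(f"{name}: DTP dynamic mode ({admin}); set switchport mode access or trunk")
    if admin == "trunk":
        if fields.get("Negotiation of Trunking") == "On":
            findings.append(f"{name}: trunk still negotiates DTP; add switchport nonegotiate")
        if native_id == 1:          # default native VLAN: open to double tagging
            findings.append(f"{name}: trunk uses default native VLAN 1; move it to an unused VLAN")
    return findings

def audit(text):
    """Audit every interface in the output; findings sorted by interface name."""
    ports = parse_switchport(text)
    return [f for name in sorted(ports) for f in audit_port(name, ports[name])]
```

Feed it the real output of `show interfaces switchport` (all interfaces) and an empty result means every port is statically configured with no trunk on VLAN 1.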
A common misconfiguration is forgetting to change the native VLAN on a trunk. For instance, a network engineer might add a new switch and configure the trunk, but leave the native VLAN as 1. An attacker on VLAN 1 (the default access VLAN) could then perform a double tagging attack to reach any other VLAN. This is why many organizations create a dedicated 'black hole' VLAN for native traffic that has no Layer 3 interface and no access ports.
Performance considerations: Enabling native VLAN tagging adds a small overhead because every frame on the trunk is now tagged. However, modern switches handle this without noticeable impact. The main consideration is compatibility: older devices or switches from other vendors may not support 802.1Q tagging on the native VLAN, so this feature must be tested in a lab before deployment.
When VLAN hopping prevention is misconfigured, the consequences can be severe. In one real-world case, a hospital network suffered a data breach because a contractor connected a laptop to a port that was accidentally left in dynamic desirable mode. The laptop's network card sent DTP packets (some operating systems can do this with special software) and formed a trunk, allowing the contractor to sniff traffic from the entire hospital network, including patient records. After the incident, the hospital implemented strict port security and automated configuration audits.
The CCNA 200-301 exam tests VLAN hopping prevention under Objective 5.2: Security Fundamentals. You must know the two attack types (switch spoofing and double tagging) and the commands to prevent them. The exam will present scenario-based questions where you must choose the correct configuration or identify a vulnerability.
Common wrong answers:
1. 'Enable DTP on all ports' – Some candidates think DTP is a security feature because it 'negotiates' trunks. Actually, DTP is the enabler of switch spoofing. Correct answer: Disable DTP on access ports by using switchport mode access.
2. 'Change the native VLAN to VLAN 1' – VLAN 1 is the default and should be changed to an unused VLAN. Candidates often think VLAN 1 is special or secure; it is not.
3. 'Use switchport port-security' – Port security limits MAC addresses but does not prevent VLAN hopping. An attacker can still trunk even with port security if the port is in dynamic mode.
4. 'Configure trunk ports with switchport mode dynamic desirable' – This is the opposite of what you want. Trunk ports should be manually set to trunk mode, not dynamic.
Specific values and defaults:
- Default native VLAN is VLAN 1.
- Default DTP mode on many Cisco switches is dynamic desirable or dynamic auto (varies by model and IOS version).
- The command switchport mode access disables DTP on that port.
- The command switchport trunk native vlan <vlan-id> changes the native VLAN.
- The global command vlan dot1q tag native enables native VLAN tagging.
Decision rule for scenario questions: If a question describes an attacker on an access port gaining access to other VLANs, suspect switch spoofing. If the attacker is on a native VLAN and can send frames to other VLANs, suspect double tagging. The solution always involves hardening switch ports: set access ports to switchport mode access, change native VLAN on trunks, and optionally enable native VLAN tagging.
VLAN hopping attacks include switch spoofing and double tagging.
Switch spoofing exploits DTP to turn an access port into a trunk.
Double tagging exploits the untagged nature of the native VLAN in 802.1Q.
Prevent switch spoofing by setting all access ports to 'switchport mode access'.
Prevent double tagging by changing the native VLAN on trunks to an unused VLAN.
Enable 'vlan dot1q tag native' globally to tag all frames on trunk ports.
Default native VLAN is VLAN 1; always change it on trunk ports.
DTP should be disabled on all ports that are not intended to be trunks.
These come up on the exam all the time. Here's how to tell them apart.
Switch Spoofing
Attacker imitates a switch using DTP.
Port becomes a trunk, giving access to all VLANs.
Bidirectional – attacker can send and receive traffic.
Prevented by setting access ports to 'switchport mode access'.
Requires DTP to be enabled on the target port.
Double Tagging
Attacker crafts frames with two 802.1Q tags.
Only unidirectional – attacker can send but not receive (unless return path is manipulated).
Works even on manually configured trunks if native VLAN is default.
Prevented by changing native VLAN and enabling native VLAN tagging.
Requires attacker to be on the same native VLAN as the trunk.
Mistake
DTP is a security protocol that prevents unauthorized trunking.
Correct
DTP is a negotiation protocol that can be exploited to form unauthorized trunks. It should be disabled on access ports.
Candidates often assume any 'protocol' with 'dynamic' in its name is adaptive and secure.
Mistake
VLAN hopping only works if the attacker is on the same switch as the target VLAN.
Correct
Double tagging can traverse multiple switches if the native VLAN is consistent across the path.
Candidates think VLAN hopping is limited to a single switch, but double tagging works across trunk links.
Mistake
Port security prevents VLAN hopping.
Correct
Port security limits MAC addresses but does not prevent a port from becoming a trunk via DTP.
Port security is a common security feature, so candidates assume it covers all layer 2 attacks.
Mistake
Setting the native VLAN to VLAN 1 is secure because VLAN 1 is special.
Correct
VLAN 1 is the default and well-known; it should be changed to an unused VLAN to prevent double tagging.
Candidates think VLAN 1 is reserved or protected, but it is just a default.
Switch spoofing is an attack where a device masquerades as a switch using DTP to turn an access port into a trunk, giving access to all VLANs. Double tagging is an attack where an attacker sends a frame with two 802.1Q tags; the first switch strips the outer tag (native VLAN) and forwards the frame with the inner tag to a different VLAN. Switch spoofing is bidirectional and requires DTP; double tagging is unidirectional and exploits the native VLAN. Exam tip: If the question mentions DTP or trunk negotiation, think switch spoofing. If it mentions native VLAN or double tags, think double tagging.
To disable DTP, configure the port as a static access port using 'switchport mode access'. This prevents the port from becoming a trunk. Alternatively, on trunk ports, you can use 'switchport nonegotiate' to stop sending DTP frames, but the port must already be in trunk mode. The most common and recommended method is to set all end-user ports to 'switchport mode access'.
The default native VLAN on Cisco switches is VLAN 1. This is a well-known value and a security risk because attackers can guess it. Always change the native VLAN on trunk ports to an unused VLAN to prevent double tagging attacks.
Yes, double tagging does not rely on DTP. It works on any switch that uses 802.1Q trunking with a native VLAN. Even if DTP is disabled, if the native VLAN is left as default (VLAN 1), an attacker on VLAN 1 can perform double tagging. To prevent this, change the native VLAN and enable native VLAN tagging.
This global command forces all frames on the native VLAN to be tagged with an 802.1Q header when sent over a trunk. It is used to prevent double tagging attacks by eliminating untagged frames on trunk links. Use it on all switches that have trunk ports. Note: All devices on the trunk must support 802.1Q tagging for the native VLAN.
Changing the native VLAN to an unused VLAN is a strong mitigation, but it is not foolproof. An attacker could still guess the native VLAN through brute force or by sniffing (if they have access to one switch). Enabling 'vlan dot1q tag native' provides an additional layer of security by ensuring all frames are tagged, making double tagging ineffective. For CCNA, know both methods.
'switchport nonegotiate' is a command that prevents the interface from sending DTP frames, but it does not change the operational mode. If the port is in dynamic desirable mode, it will still respond to DTP from the other side. In contrast, 'switchport mode access' sets the port to access mode and disables DTP negotiation entirely. For access ports, always use 'switchport mode access'. For trunk ports, you can use 'switchport nonegotiate' to suppress DTP.