
VLAN Hopping Attacks

This chapter covers VLAN hopping attacks, a critical network security threat that exploits weaknesses in VLAN configuration to bypass network segmentation. For the N10-009 exam, this topic falls under Domain 4.0 (Network Security), Objective 4.1: 'Explain common security concepts and vulnerabilities.' Approximately 5-10% of exam questions may touch on VLAN hopping, either directly or as part of broader switch security concepts. Understanding the mechanisms of double-tagging and switch spoofing is essential for both the exam and real-world network defense.

Updated May 31, 2026

VLAN Hopping: The Hotel Key Card Exploit

Imagine a hotel with multiple floors (VLANs), each floor secured by a key card system. Guests on floor 2 can only access floor 2; floor 3 guests only floor 3. The elevator (switch) enforces this by checking each guest’s key card (VLAN tag) before allowing them to press a floor button. Now, a malicious guest on floor 2 has a modified key card that, when swiped, tricks the elevator into thinking it’s a maintenance key (native VLAN tag). The elevator, not properly configured to reject such cards, lets the guest press any floor button. Worse, the guest can also attach a device to the elevator’s panel that pretends to be the elevator’s own management system (DTP negotiation) and convinces the elevator to grant full access to all floors. This is exactly how VLAN hopping works: an attacker exploits the native VLAN or dynamic trunking protocol to gain unauthorized access to other VLANs, bypassing the intended segmentation.

How It Actually Works

What is VLAN Hopping?

VLAN hopping is a network attack that allows an attacker on one VLAN to gain unauthorized access to traffic on another VLAN. This breaks the fundamental security principle of VLANs: isolation between broadcast domains. The attack exploits either the native VLAN (double-tagging) or the Dynamic Trunking Protocol (DTP) (switch spoofing). Both methods rely on misconfigurations in VLAN trunking.

Double-Tagging Attack

Double-tagging (also known as VLAN hopping via 802.1Q) exploits the way switches handle 802.1Q tags on trunk ports. In a typical scenario, the attacker is connected to a switch port configured as an access port on the native VLAN (usually VLAN 1). The attacker crafts frames with two 802.1Q tags: an outer tag matching the native VLAN and an inner tag targeting the victim VLAN (e.g., VLAN 10).

1. Frame Construction: The attacker sends a frame with two VLAN tags. The outer tag is the native VLAN (e.g., VLAN 1), and the inner tag is the target VLAN (e.g., VLAN 10). The switch’s access port strips the outer tag (since it’s the native VLAN) and forwards the frame to a trunk port.

2. Trunk Processing: When the frame reaches the trunk port, the switch sees the inner tag (VLAN 10) and forwards it to the VLAN 10 network. The native VLAN tag was removed by the access port, so the trunk port only sees the inner tag.

3. Delivery: The frame reaches the destination in VLAN 10, appearing as if it came from the native VLAN. The attack is unidirectional – the attacker can send frames to the victim VLAN but cannot receive responses unless the victim sends traffic to the attacker’s IP (which would be routed back).

This attack only works if the attacker’s access port is on the native VLAN. It also requires the trunk port to send native VLAN frames untagged (so the outer tag is not re-applied on the trunk), which is standard behavior for native VLAN frames on an 802.1Q trunk.

Switch Spoofing Attack

Switch spoofing exploits DTP (Dynamic Trunking Protocol) to negotiate a trunk link between the attacker’s device and the switch. DTP is a Cisco proprietary protocol that automatically negotiates trunking between switches. By default, many Cisco switch ports are in dynamic desirable or dynamic auto mode, which allows DTP negotiation.

1. DTP Negotiation: The attacker connects a device configured to send DTP frames requesting trunk mode. The switch port, if in dynamic desirable or dynamic auto mode, will agree to form a trunk.

2. Trunk Establishment: Once the trunk is established, the attacker’s device becomes a trunk endpoint, receiving all VLAN traffic that traverses the trunk. The attacker can then sniff traffic from any VLAN allowed on the trunk.

3. Exploitation: The attacker can now inject frames with any VLAN tag, effectively hopping to any VLAN. This attack is bidirectional – the attacker can both send and receive traffic on any VLAN.

Key Components and Defaults

- Native VLAN: Default is VLAN 1 on most switches. The native VLAN is used for untagged traffic on a trunk. Double-tagging attacks require the attacker to be on the native VLAN.
- DTP Modes:
  - Dynamic desirable: The port actively tries to become a trunk.
  - Dynamic auto: The port will become a trunk if the neighbor requests it.
  - Trunk: The port is always a trunk.
  - Access: The port is always an access port.
- 802.1Q: The IEEE standard for VLAN tagging. It inserts a 4-byte tag after the source MAC address. The tag includes a 12-bit VLAN ID (0-4095, with 0 and 4095 reserved).
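To make the 4-byte tag layout concrete, here is an added Python example (not part of the chapter) that parses the 802.1Q tag stack of a raw Ethernet frame and flags the double-tag signature a monitoring tool on an access port would look for. The sample frames are constructed inline, and the native VLAN is assumed to be 1 unless the caller says otherwise.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (Q-in-Q); treated as a tag too

# Constructed sample frames (not captured traffic): broadcast dst, locally
# administered src 02:00:00:00:aa:01, IPv4 EtherType, 20 zero payload bytes.
_HDR = bytes.fromhex("ffffffffffff" "02000000aa01")
SAMPLE_UNTAGGED = _HDR + bytes.fromhex("0800") + b"\x00" * 20
SAMPLE_SINGLE = _HDR + bytes.fromhex("8100000a" "0800") + b"\x00" * 20              # VID 10
SAMPLE_DOUBLE = _HDR + bytes.fromhex("81000001" "8100000a" "0800") + b"\x00" * 20   # outer 1, inner 10


def parse_vlan_stack(frame: bytes):
    """Return (dst, src, vids, ethertype, payload) for a raw Ethernet frame.

    Each 802.1Q tag is 4 bytes inserted after the source MAC: a 2-byte TPID
    followed by a 2-byte TCI = 3-bit PCP | 1-bit DEI | 12-bit VID. Tags may be
    stacked, so keep reading until the next 2 bytes are not a tag protocol ID.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, vids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return dst, src, vids, ethertype, frame[offset + 2:]


def classify_frame(frame: bytes, native_vlan: int = 1) -> str:
    """Classify a frame seen on an access port.

    Hosts on an access port should send untagged frames. Two stacked tags whose
    outer VID equals the native VLAN is the double-tagging signature.
    """
    vids = parse_vlan_stack(frame)[2]
    if not vids:
        return "untagged"
    if len(vids) >= 2 and vids[0] == native_vlan:
        return f"double-tagged: outer={vids[0]} (native) inner={vids[1]} -> possible VLAN hopping"
    if len(vids) >= 2:
        return f"stacked tags: {vids}"
    return f"single tag: {vids[0]}"
```

Running `classify_frame` over frames captured on an access port (for example via a SPAN session) gives a quick triage signal; single-tagged frames from a host are themselves unusual and worth a look.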

Configuration and Verification Commands

To prevent VLAN hopping, disable DTP on all user-facing ports and change the native VLAN on trunk ports.

Cisco IOS configuration:

! Disable DTP on an access port
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate

! Change native VLAN on a trunk
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate

! Verify DTP status
show dtp interface GigabitEthernet0/1

! Verify trunk configuration
show interfaces trunk

Juniper Junos configuration (legacy EX-series syntax; Junos does not run DTP, so a trunk only exists where it is configured explicitly). Access port:

set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access

Trunk port with a non-default native VLAN (native-vlan-id applies to trunk ports, not access ports):

set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id 999
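As an added example (not from the chapter or any vendor), this Python audit reads IOS running-config text and flags ports that still allow DTP negotiation, keep native VLAN 1 on a trunk, or carry an unpruned trunk. The config text is a constructed sample built from the IOS commands shown above; treating a port with no explicit switchport mode as a DTP-capable default follows the chapter's note that many Cisco ports default to a dynamic mode.

```python
# Constructed sample running-config (not from a real device): this chapter's two
# hardened ports plus two ports left with risky defaults.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 switchport mode trunk
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split IOS running-config text into {interface name: [its indented commands]}."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def audit_vlan_hopping(config: str) -> dict[str, list[str]]:
    """Return {interface: [findings]} for settings that permit switch spoofing or double-tagging."""
    findings: dict[str, list[str]] = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l[len("switchport mode "):] for l in lines if l.startswith("switchport mode ")), None)
        native = next((int(l.rsplit(None, 1)[1]) for l in lines if l.startswith("switchport trunk native vlan ")), 1)
        pruned = any(l.startswith("switchport trunk allowed vlan ") for l in lines)
        issues: list[str] = []
        if mode is None or mode.startswith("dynamic"):  # switch spoofing: DTP can still form a trunk
            issues.append(f"DTP negotiation possible (mode={mode or 'default'}); set mode access or trunk")
        elif "switchport nonegotiate" not in lines:
            issues.append("DTP not disabled; add 'switchport nonegotiate'")
        if mode == "trunk" and native == 1:  # double-tagging: an outer tag of 1 is treated as native
            issues.append("native VLAN is 1 (default); move it to an unused VLAN such as 999")
        if mode == "trunk" and not pruned:
            issues.append("all VLANs allowed on trunk; prune with 'switchport trunk allowed vlan'")
        if issues:
            findings[name] = issues
    return findings
```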

Interaction with Related Technologies

VLAN Access Control Lists (VACLs): Can filter traffic between VLANs at Layer 2, but do not prevent VLAN hopping if the attacker can inject frames directly into the trunk.

Private VLANs: Isolate ports within the same VLAN but do not protect against trunk-based attacks.

802.1X: Port-based authentication can prevent unauthorized devices from connecting, but if the attacker is authenticated, they could still exploit misconfigurations.

DHCP Snooping and Dynamic ARP Inspection: These mitigate certain Layer 2 attacks but do not directly prevent VLAN hopping.

Walk-Through

1. Attacker identifies native VLAN

The attacker first determines the native VLAN on the target switch. This can be done by sending a frame with a specific VLAN tag and observing how the switch handles it, or by sniffing traffic if the attacker already has access to the native VLAN. Tools like Yersinia or Scapy can craft frames to test VLAN tagging. The native VLAN is often VLAN 1 by default, but may be changed by administrators.

2. Craft double-tagged frame

Using a packet crafting tool, the attacker creates an Ethernet frame with two 802.1Q tags. The outer tag is set to the native VLAN (e.g., VLAN 1), and the inner tag is the target VLAN (e.g., VLAN 10). The frame contains a payload such as an ICMP echo request to a victim in VLAN 10. The attacker sends this frame from their access port on the native VLAN.

3. Switch strips outer tag

The switch receives the frame on an access port configured for the native VLAN. According to 802.1Q, the switch removes the outer VLAN tag because it matches the native VLAN. The frame now only has the inner tag (VLAN 10). The switch then forwards the frame to all trunk ports that carry VLAN 10.

4. Frame forwarded to victim VLAN

The trunk port sees the frame tagged with VLAN 10 and forwards it to the VLAN 10 network. The frame reaches the victim device in VLAN 10. The victim processes the frame and may send a response. However, the response will be routed back to the attacker's IP address, which may be on a different subnet, so the attacker may not receive the reply unless routing is configured.

5. Switch spoofing via DTP

Alternatively, the attacker connects a device that sends DTP frames requesting trunk mode. If the switch port is in dynamic desirable or dynamic auto mode, the port becomes a trunk. The attacker then has access to all VLANs allowed on the trunk. The attacker can sniff traffic and inject frames into any VLAN.

What This Looks Like on the Job

In a typical enterprise, VLANs are used to segment departments such as HR, Finance, and IT. A VLAN hopping attack could allow an attacker in the guest VLAN to access sensitive financial data. For example, a hospital may use VLANs to separate patient records (HIPAA-sensitive) from public Wi-Fi. An attacker exploiting double-tagging could send malicious packets to the patient records server.

Scenario 1: Double-Tagging in a Multi-Tenant Data Center

A cloud provider uses VLANs to isolate tenants. Each tenant has their own VLAN. The native VLAN is left as default (VLAN 1) for management traffic. An attacker in Tenant A's VLAN (which is not the native VLAN) cannot directly perform double-tagging. However, if the attacker gains access to the management network (native VLAN) through another vulnerability, they can launch double-tagging attacks against other tenants. The solution is to change the native VLAN to an unused VLAN (e.g., VLAN 999) and prune all user VLANs from the native VLAN.

Scenario 2: Switch Spoofing in a Campus Network

A university has hundreds of switches across multiple buildings. Some ports are configured in dynamic desirable mode for flexibility. A student connects a laptop running a DTP spoofing tool and negotiates a trunk. The student can then monitor traffic from other VLANs, including exam servers and administrative systems. The fix is to disable DTP on all access ports using switchport nonegotiate and set ports to switchport mode access.

Common Misconfigurations:
- Leaving the native VLAN as VLAN 1.
- Using DTP on user-facing ports.
- Allowing all VLANs on a trunk instead of pruning unused VLANs.
- Not using dedicated management VLANs.

Performance Considerations:
- Double-tagging adds 4 bytes per tag, but modern switches handle this without significant performance impact.
- DTP negotiation adds minimal overhead but can cause trunk flapping if misconfigured.

What Goes Wrong:
- If the native VLAN is changed inconsistently across switches, trunk links may fail to pass traffic.
- Disabling DTP on ports that need to trunk requires explicit trunk configuration, which can be overlooked.
- Double-tagging attacks are hard to detect because they use legitimate frame formats.

How N10-009 Actually Tests This

N10-009 Objective 4.1: 'Given a scenario, apply common security concepts to network security.' VLAN hopping is a specific attack type that candidates must recognize and know how to mitigate.

Common Wrong Answers:
1. 'VLAN hopping is prevented by using VLAN ACLs.' – VACLs filter traffic between VLANs but do not prevent an attacker from injecting frames directly into a trunk. The attacker bypasses ACLs by tagging frames.
2. 'Double-tagging allows bidirectional communication.' – Double-tagging is unidirectional; the attacker can send but not receive replies unless the victim sends traffic to the attacker's IP (which is on a different subnet).
3. 'Switch spoofing requires physical access to a trunk port.' – Actually, it exploits DTP on access ports.
4. 'Changing the native VLAN to an unused VLAN completely prevents double-tagging.' – While it helps, if the attacker can discover the new native VLAN, the attack still works. The best defense is to also prune the native VLAN from all trunks.

Exam-Specific Values:
- Default native VLAN: 1.
- DTP modes: dynamic desirable, dynamic auto, trunk, access.
- 802.1Q tag size: 4 bytes.
- VLAN ID range: 1-4094 (0 and 4095 reserved).

Edge Cases:
- If the trunk port uses ISL (Cisco proprietary) instead of 802.1Q, double-tagging does not work because ISL encapsulates the entire frame differently.
- On switches that support Q-in-Q (Provider Bridging), double-tagging is a legitimate feature, but it can be exploited if not secured.

Elimination Strategy:
- If the question mentions 'native VLAN' and 'double tag', the answer is double-tagging.
- If the question mentions 'DTP' or 'dynamic trunk', the answer is switch spoofing.
- Mitigation always involves disabling DTP and changing the native VLAN.

Key Takeaways

VLAN hopping attacks bypass VLAN segmentation using double-tagging or switch spoofing.

Double-tagging requires the attacker to be on the native VLAN (default VLAN 1).

Switch spoofing uses DTP to negotiate a trunk, giving the attacker access to all VLANs.

Mitigation: Disable DTP on all access ports with 'switchport nonegotiate' and set ports to 'switchport mode access'.

Change the native VLAN on all trunk ports to an unused VLAN (e.g., VLAN 999) and prune the native VLAN from trunk links.

Double-tagging is unidirectional; switch spoofing is bidirectional.

DTP has four modes: dynamic desirable, dynamic auto, trunk, and access. Only access mode prevents trunk negotiation.

802.1Q adds a 4-byte tag; native VLAN frames are untagged on a trunk.

VLAN hopping is a Layer 2 attack, not Layer 3.

Always use dedicated management VLANs separate from user traffic.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Double-Tagging

Exploits 802.1Q native VLAN behavior

Unidirectional – attacker can send but not reliably receive

No special protocol required – just crafted frames

Works on any 802.1Q-compliant switch

Mitigated by changing native VLAN and pruning

Switch Spoofing

Exploits DTP (Cisco proprietary)

Bidirectional – attacker can both send and receive

Requires DTP negotiation

Only works on switches that support DTP

Mitigated by disabling DTP on access ports

Watch Out for These

Mistake

VLAN hopping only works on Cisco switches.

Correct

While DTP is Cisco proprietary, double-tagging works on any switch that supports 802.1Q. The attack exploits the standard behavior of 802.1Q trunking, not a vendor-specific feature.

Mistake

Double-tagging allows the attacker to receive responses from the victim.

Correct

Double-tagging is unidirectional. The attacker can send frames to the victim VLAN, but responses are delivered to the attacker's MAC address in the native VLAN. Since the attacker's IP is usually on a different subnet, the response may not reach them unless routing is configured.

Mistake

Setting all ports to access mode prevents VLAN hopping.

Correct

This prevents switch spoofing but does not prevent double-tagging if the attacker is on the native VLAN. Double-tagging exploits trunk ports, not the attacker's access port.

Mistake

VLAN hopping is a Layer 3 attack.

Correct

VLAN hopping is a Layer 2 attack that exploits VLAN tagging and trunk negotiation at the data link layer.

Mistake

Using VLAN 1 as the native VLAN is safe because it is the default.

Correct

VLAN 1 is the most common native VLAN, making it a prime target. Always change the native VLAN to an unused VLAN and prune VLAN 1 from trunks.


Frequently Asked Questions

How does double-tagging VLAN hopping work step by step?

Double-tagging exploits the native VLAN on 802.1Q trunks. Step 1: The attacker on the native VLAN sends a frame with two VLAN tags – outer tag matches the native VLAN, inner tag is the target VLAN. Step 2: The access port strips the outer tag (native VLAN). Step 3: The frame, now only tagged with the inner VLAN, is forwarded across trunk ports to the target VLAN. The attacker can send frames but cannot receive responses unless routing is configured.

What is the difference between double-tagging and switch spoofing?

Double-tagging exploits the native VLAN and does not require any special protocol – it works on any 802.1Q switch. Switch spoofing uses DTP to negotiate a trunk, allowing the attacker to send and receive traffic on all VLANs. Double-tagging is unidirectional; switch spoofing is bidirectional. Switch spoofing only works on switches that support DTP (Cisco).

How do I prevent VLAN hopping attacks?

Prevent VLAN hopping by: (1) Disabling DTP on all access ports using 'switchport nonegotiate' and setting them to 'switchport mode access'. (2) Changing the native VLAN on trunk ports to an unused VLAN (not VLAN 1). (3) Pruning unused VLANs from trunk links. (4) Using dedicated management VLANs. These steps mitigate both double-tagging and switch spoofing.

Can VLAN hopping happen on a switch that uses ISL instead of 802.1Q?

No. Double-tagging exploits 802.1Q's native VLAN handling. ISL (Inter-Switch Link) encapsulates the entire frame and does not have a native VLAN concept. However, switch spoofing via DTP can still work on ISL trunks because DTP operates independently of the encapsulation. ISL is obsolete, so most modern switches use 802.1Q.

What tools can be used to perform VLAN hopping?

Common tools include Yersinia (for DTP attacks) and Scapy (for crafting double-tagged frames). Other tools like VoipHopper can also be used. These tools allow an attacker to send DTP frames or craft custom 802.1Q tags.

Does VLAN hopping affect all switches on the network?

VLAN hopping affects only switches that are misconfigured. If a switch has DTP enabled on access ports or uses default native VLAN, it is vulnerable. Properly configured switches are not affected. The attack can propagate across multiple switches if trunk links are involved.

How can I detect VLAN hopping attacks?

Detection is challenging because the frames appear legitimate. Signs include unexpected DTP negotiation on access ports, unknown devices becoming trunk endpoints, or traffic from unexpected VLANs on an access port. Enable port security, DHCP snooping, and use SNMP monitoring to detect unusual trunk formation.
