Double-Tagged 802.1Q Frame Bypassing VLAN Segregation
Presenting Symptom
A host in VLAN 10 can communicate with a host in VLAN 20 across a trunk link, despite VLAN access control lists and interface configurations that should prevent inter-VLAN traffic.
Network Context
Enterprise campus network with two Cisco Catalyst 2960 switches connected via a trunk link. VLANs 10 and 20 are configured on both switches. A host in VLAN 10 on Switch A can ping a host in VLAN 20 on Switch B, even though no Layer 3 routing is configured and the trunk is set to only allow VLANs 10 and 20. The switches run IOS 15.0.
Diagnostic Steps
Verify VLAN configuration and trunk allowed VLAN list
show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
10   VLAN0010                         active    Fa0/5
20   VLAN0020                         active    Fa0/6
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Check that VLANs 10 and 20 exist and that the access ports are in the correct VLANs. Missing VLANs or misassigned ports would cause connectivity problems of their own. Here both VLANs are present and the access ports (Fa0/5 in VLAN 10, Fa0/6 in VLAN 20) are assigned correctly, so the VLAN database is not the cause.
Check trunk configuration and allowed VLAN list
show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20

Port        Vlans allowed and active in management domain
Gi0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20
The trunk is configured to allow only VLANs 10 and 20, which is expected. However, if the native VLAN is not explicitly set to an unused VLAN, double-tagging attacks can occur. Here the native VLAN is 1 (the default).
Check for double-tagging by sending a test frame
debug ethernet-interface

Not applicable; use packet capture or send a crafted frame. Alternatively, check for unexpected MAC address table entries.
Double-tagging is difficult to detect with standard show commands. The attacker sends a frame with two 802.1Q tags: the outer tag matches the native VLAN (e.g., VLAN 1) and the inner tag is the target VLAN (e.g., VLAN 20). The first switch strips the outer tag (native VLAN) and forwards the frame with the inner tag, which the second switch processes as a legitimate VLAN 20 frame.
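As an added example (not part of the original scenario), the following Python parses the 802.1Q tag stack of raw Ethernet frames taken from a packet capture on a monitor port and flags the double-tagged pattern described above. The frame bytes, the native VLAN and the allowed list are constructed to match this scenario and are not from a real capture.

```python
import struct

TPID_8021Q = 0x8100  # EtherType/TPID that announces an 802.1Q tag


def parse_dot1q_stack(frame: bytes):
    """Return (vlan_ids, payload_ethertype) for one raw Ethernet frame.

    Walks every consecutive 802.1Q header after the two MAC addresses, so
    an untagged frame yields [] and a double-tagged frame yields two IDs.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12                                   # skip dst MAC + src MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    vids = []
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vids.append(tci & 0x0FFF)                 # low 12 bits of TCI = VLAN ID
        offset += 4
    return vids, ethertype


def classify_frame(frame: bytes, native_vlan: int, allowed_vlans):
    """Say what a trunk with this native VLAN would do with the frame.

    'bypass' is True only for a double-tagged frame whose outer tag equals the
    native VLAN (stripped by the first switch) and whose inner tag is a VLAN
    allowed on the trunk: the combination this scenario describes.
    """
    vids, ethertype = parse_dot1q_stack(frame)
    verdict = {0: "untagged", 1: "single-tagged"}.get(len(vids), "double-tagged")
    bypass = len(vids) >= 2 and vids[0] == native_vlan and vids[1] in allowed_vlans
    return {"vids": vids, "ethertype": ethertype, "verdict": verdict, "bypass": bypass}


def audit(frames, native_vlan=1, allowed_vlans=(10, 20)):
    """Return the classifications of the frames a defender should alert on."""
    hits = [classify_frame(f, native_vlan, allowed_vlans) for f in frames]
    return [h for h in hits if h["bypass"]]


# Constructed sample frames (not from a real capture): broadcast dst MAC, a
# made-up src MAC, the tag stack, an IPv4 ethertype and a zeroed stub payload.
_MACS = bytes.fromhex("ffffffffffff" "0200c0ffee01")
_STUB = b"\x45" + b"\x00" * 19
NORMAL_VLAN20 = _MACS + struct.pack("!HHH", TPID_8021Q, 20, 0x0800) + _STUB
DOUBLE_1_THEN_20 = _MACS + struct.pack("!HHHHH", TPID_8021Q, 1, TPID_8021Q, 20, 0x0800) + _STUB
```

Running classify_frame on the same double-tagged frame with native_vlan=999 returns bypass=False, which mirrors the fix: once the outer tag no longer matches the native VLAN it is not stripped, and the frame is treated as ordinary VLAN 1 traffic.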
Verify native VLAN configuration on trunk
show running-config interface gigabitEthernet 0/1

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20
!
The native VLAN is set to 1 (default). This is a security risk because frames on the native VLAN are not tagged. An attacker can craft a double-tagged frame with an outer tag of VLAN 1 (native) and an inner tag of VLAN 20. The first switch strips the outer tag (since it's native) and forwards the frame with the inner tag, which the second switch accepts as a tagged frame for VLAN 20, bypassing VLAN ACLs.
Root Cause
The trunk port uses the default native VLAN (VLAN 1), which allows double-tagged 802.1Q frames to bypass VLAN segregation. An attacker can send a frame with two VLAN tags: the outer tag matches the native VLAN (1) and the inner tag is the target VLAN (20). The first switch strips the outer tag (since it is the native VLAN) and forwards the frame with the inner tag, which the second switch treats as a legitimate tagged frame for VLAN 20, allowing unauthorized inter-VLAN communication.
Resolution
Change the trunk's native VLAN to an unused VLAN (999 in this scenario) and remove VLAN 1 from the trunk's allowed list on the trunk ports of both switches, using the commands listed under Exam Tips below.
Verification
After applying the fix, verify the trunk configuration:

show interfaces trunk

Expected output:

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/1       10,20

Port        Vlans allowed and active in management domain
Gi0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20

Also, confirm that the host in VLAN 10 can no longer ping the host in VLAN 20 (unless routing is configured).
Prevention
1. Always change the native VLAN on trunk ports to an unused VLAN and prune VLAN 1 from the trunk allowed list.
2. Disable trunking on access ports and use switchport nonegotiate to prevent DTP attacks.
3. Implement VLAN access control lists (VACLs) to filter traffic between VLANs at Layer 2.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests understanding of VLAN hopping attacks, specifically double-tagging. The exam may present a multiple-choice question asking which security vulnerability allows a frame to bypass VLAN segregation, or a drag-and-drop to match mitigation techniques. Key fact: Double-tagging exploits the native VLAN; mitigation is to change the native VLAN to an unused ID and prune VLAN 1.
Exam Tips
Remember that double-tagging works only when the trunk's native VLAN is the same as the attacker's access VLAN (usually VLAN 1).
The exam may ask: 'Which VLAN hopping attack involves inserting two 802.1Q tags?' Answer: Double-tagging.
Key commands to memorize: 'switchport trunk native vlan <unused-vlan>' and 'switchport trunk allowed vlan remove 1'.
Commands Used in This Scenario
show interfaces trunk
Displays trunk interface status, allowed VLANs, and pruning information for all trunk ports on a Cisco switch, used to verify trunking configuration and VLAN membership.
show vlan brief
Displays a summary of all VLANs configured on the switch, including VLAN ID, name, status, and ports, used to quickly verify VLAN configuration and port assignments.