Learning IINS (Part 5) – L2 Security

VLAN Hoping Attack

VLAN Hopping Attack allows traffic from one  Vlan to pass into another VLAN, without first being route.

VLAN hopping can disable any security measures users may have in place on the device which maps routes between the VLAN’s. Hackers use VLAN hopping to capture sensitive information such as bank account details and passwords from targeted network subscribers. VLAN hopping is also used by some attackers to corrupt, modify, or delete data from the end user’s computer. Another intended use of VLAN hopping is to propagate viruses, worms, Trojan horses, and other malicious programs such as malware and Spyware.

Two common methods of VLAN Hopping: Switch Spoofing and Double Tagging.

Switch Spoofing

Default, Ethernet Trunks on Cisco Catalyst Switches carry traffic for all VLANs.

Come Cisco Catalyst switch ports default for auto mode for trunking, which means that ports automatically become trunk ports if they receive Dynamic Trunking Protocol (DTP) frames.

Attackers could attemp to make the victim’s switch to enter trunking mode either by spoofing DTP frames (tools like Yersinia) or by connect with a real switch.


a. Disable Trunking on all ports that do not need to form trunks:

Interface  ethernet 0/1
Switch port mode access

b. Prevent the use of DTP:

Interface ethernet 0/2
Switchport trunk encapsulation dot1q
Switchport mode trunk
Switchport nonegotiate

Double Tagging

Keep in mind that On an IEEE 802.1Q Trunk (Only on dot1q trunk), the native VLAN does not add any tagging to frames travelling from one switch to another switch.

If an attacker ‘s PC belongs to the native VLAN, he could exploit this native VLAN characteristic to send traffic that has two 802.1Q Tags. The outer tag is for the native VLAN, the inner tag is for the target VLAN to which the attacker want to inject traffic.

As illustrated in Figure below, SW1 removes the outer tag (specifies the native VLAN) from frame before forwarding the frame to SW2. When receive the frame, SW2 “sees” only inner tag (VLAN100) and SW2 sends the traffic out to the target VLAN.


To help prevent a VLAN hopping attack using double tagging, do not use the native VLAN to send users’ traffic. This cound accomplished by creating a VLAN that does not  have any ports. This unused VLAN is solely for the perpose of native VLAN assignment.

Interface gigaethernet 0/3
Switchport trunk native vlan 400


One thought on “Learning IINS (Part 5) – L2 Security

  1. asiosio says:

    Thanks for your post.. But i have a question !

    You say “SW1 removes the outer tag (specifies the native VLAN) from frame “.. But how it can be possible since the Attacker is on an ACCESS port and, as far as I know, there is not 802.1Q tagging on access ports… There is 802.1Q tagging only with trunks !

    So how the switch can “read” the 802.1q tag even though this is an ACCESS port ?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s