VLAN Hopping Attack

Secure VLAN trunking
1. VLAN Hopping with Switch Spoofing
2. VLAN Hopping with Double Tagging


VLAN Hopping with Switch Spoofing to Gain Access to a Trunk
DTP can make switch administration easier, but it can also expose switch ports to compromise.

Suppose a switch port is left at its default configuration (trunking mode is auto). Normally, the switch port would wait to be asked by another switch in the auto or on mode to become a trunk.
Two outcomes are possible:
A well-behaved end user:
 1. would not use DTP at all,
 2. so the port would come up in access mode with a single-access VLAN.
A malicious user:
 1. might exploit the use of DTP
 2. and attempt to negotiate a trunk with the switch port.
This makes the PC appear to be another switch; in effect, the PC is spoofing a switch.
After the trunk is negotiated, the attacker has access to any VLAN that is permitted to pass over the trunk.

The solution is to configure every switch port to have an expected and controlled behavior.
Configure each end-user port to static access mode:
(config-if)# switchport mode access

Turn off DTP on all ports:
(config-if)# switchport nonegotiate

This way, an end user will never be able to send any type of spoofed traffic that makes the switch port begin trunking.


VLAN Hopping with Double Tagging
An attacker positioned on one access VLAN can craft and send frames with spoofed 802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all without the use of a router.

For the attack to succeed, the following conditions must exist:
1. The attacker is connected to an access switch port.
2. The same switch must have an 802.1Q trunk.
3. The trunk must have the attacker’s access VLAN as its native VLAN.

VLAN Hopping Attack Process
Environment: the attacker is connected to an access port in VLAN 1, and the switch uses a trunk whose native VLAN is 1.
1. The attacker sends a double-tagged packet onto his local access VLAN.
   attacker on vlan1 —[vlan1][vlan20][payload]—> (access)switch A
2. When switch A is ready to forward the packet onto the trunk, the first tag is stripped because it is the same as the trunk’s native VLAN.
   switch A(trunk) ===[vlan20][payload]===> (trunk)switch B
3. The packet is received by switch B; as the second tag is stripped, it appears to identify the source VLAN as VLAN 20.
   switch B(access) —[payload]—> USER on vlan20
4. The packet originally from VLAN 1 is now sent into VLAN 20.

Avoid setting the native VLAN to the same VLAN as a user access VLAN.

Configure trunk links with the following steps:
Step 1. Set the native VLAN of a trunk to a bogus or unused VLAN ID.
Step 2. Prune the native VLAN off both ends of the trunk.
Although maintenance protocols such as CDP, PAgP, and DTP normally are carried over the native VLAN of a trunk, they will not be affected if the native VLAN is pruned from the trunk.
They still will be sent and received on the native VLAN as a special case even if the native VLAN ID is not in the list of allowed VLANs.
Suppose that an 802.1Q trunk should carry only VLANs 10 and 20. You should set the native VLAN to an unused value, such as 800. Then you should remove VLAN 800 from the trunk so that it is confined to the trunk link itself.
Switch(config)# vlan 800
Switch(config-vlan)# name bogus_native
Switch(config-vlan)# exit
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk

An alternative is to force all 802.1Q trunks to add tags to frames for the native VLAN, too.
The double-tagged VLAN hopping attack won’t work because the switch won’t remove the first tag with the native VLAN ID:
1. That tag will remain on the spoofed frame as it enters the trunk.
2. At the far end of the trunk, the same tag will be examined, and the frame will stay on the original access VLAN.

To force a switch to tag the native VLAN on all its 802.1Q trunks:
(config)# vlan dot1q tag native
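
The checks above can be run against a saved running-config. The following is an added example, not part of the original notes: a small Python audit that flags end-user ports without static access mode or nonegotiate, and trunks whose native VLAN is also an access VLAN or is not pruned. The sample config and the function names (value, expand, audit) are constructed for illustration, and the parser assumes the allowed-VLAN list is on a single line.

```python
# Constructed sample running-config (not from a real device).
SAMPLE = """\
interface GigabitEthernet1/1
 switchport trunk native vlan 800
 switchport trunk allowed vlan 10,20
 switchport mode trunk
interface GigabitEthernet1/2
 switchport mode trunk
interface GigabitEthernet1/3
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet1/4
 switchport access vlan 1
"""

def value(lines, prefix, default):
    """Argument of the first line that starts with prefix, else the IOS default."""
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), default)

def expand(vlans):
    """Expand an IOS VLAN list such as '10,20-22' (or 'none') into a set of ints."""
    spans = [p.split("-") for p in vlans.split(",") if p != "none"]
    return {v for s in spans for v in range(int(s[0]), int(s[-1]) + 1)}

def audit(config):
    """Return (interface, finding) pairs for the hardening steps on this page."""
    ports, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ports.setdefault(line.split()[1], [])
        elif cur is not None and line.startswith(" "):
            cur.append(line.strip())
    trunks = {n for n, l in ports.items() if "switchport mode trunk" in l}
    access_vlans = {int(value(l, "switchport access vlan", "1"))
                    for n, l in ports.items() if n not in trunks}
    findings = []
    for n, l in ports.items():
        if n not in trunks:
            for cmd in ("switchport mode access", "switchport nonegotiate"):
                if cmd not in l:
                    findings.append((n, f"missing '{cmd}' (DTP hardening)"))
        elif "vlan dot1q tag native" not in config.splitlines():  # untagged native
            native = int(value(l, "switchport trunk native vlan", "1"))
            if native in access_vlans:
                findings.append((n, f"native VLAN {native} is also an access VLAN"))
            if native in expand(value(l, "switchport trunk allowed vlan", "1-4094")):
                findings.append((n, f"native VLAN {native} not pruned from trunk"))
    return findings
```

On the sample, GigabitEthernet1/2 (default native VLAN 1, all VLANs allowed) and GigabitEthernet1/4 (left at defaults) are reported, while the pruned trunk and the static access port pass.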