Skip to content
  • There are no suggestions because the search field is empty.

Mitigating VLAN Attacks

When VLANs are configured on a Layer 2 switch, it only supports inter-VLAN communication, so a Layer 3 device, such as a router, must be used for inter-VLAN communication. However, misconfigurations can lead to VLAN hopping and double-tagging VLAN hopping attacks, which can cause serious harm to the network when not addressed correctly.

VLAN Hopping Attack

A VLAN hopping attack involves an attacker exploiting weaknesses in the VLAN trunking protocol to gain unauthorized access to all VLANs configured on a switch. This allows the attacker to send packets to a switch that is not intended for their VLAN and gain access to sensitive information or systems on the target VLAN.

Incorrectly configured interfaces on the switch can lead to such an attack. By default, each interface on the switch is configured in dynamic mode, which allows them to operate in either access or trunk mode, and the trunk mode provides access to all VLANs available on the switch by default.

VLAN attacker topology

For example, as you can see in the image above, an attacker could use a VLAN hopping attack to bypass network security controls and gain access to VLANs 50 and 100 in the network. This could enable the attacker to steal sensitive information or perform unauthorized transactions.

Because Dynamic Trunking Protocol (DTP) is enabled by default on switch ports, it allows you, by using special tools, to negotiate a trunk link when connecting to such an interface and get access to all those VLANs allowed on that trunk link. Therefore, anytime you have an unused port on the switch operating in either dynamic mode or trunk mode, it could be a potential threat to your network.

The protection against this attack is quite simple and involves the following steps:

  1. Disable any unused ports. If you don’t need them, there is no point in having them enabled.
  2. Configure all those unused ports on your switch in access mode, which does not allow a trunk to be created, but only an access link. As a result, the interface can belong to only one VLAN instead of all available VLANs on the switch.
  3. To increase security, you can assign ports to an unused VLAN, so any potential connection to them would allow access to a place where nothing happens (blackhole).
  4. Finally, disable DTP using the switchport nonegotiate command. When you manually define the operational mode of each interface, the auto-negotiation feature is unnecessary. 

Double-Tagging VLAN Hopping Attack

Double-tagging VLAN hopping is a network attack that exploits a vulnerability in certain network switches that use VLAN tagging. This attack involves sending specially crafted frames that contain two VLAN tags, which can trick the switch into allowing the attacker to access a VLAN that they are not authorized to access.

As a result, information from one VLAN can be sent to another without using a Layer 3 device, otherwise known as the “leaking” of data. However, for this attack to work, one condition must be met. 

The attacker must belong to the same VLAN configured as native on the trunk link between the switches. As you can see in the image below, the native VLAN is 100, and the attacker connects to an interface that is part of the same VLAN.

Process topology of a frame being sent from an attacker

When the attacker wants to send data to the victim that is part of VLAN 200, they add an 802.1Q tag identifying VLAN 200. As a result, when the frame is sent, it contains two tags, the inner (hidden one) for VLAN 200 and the outer for VLAN 100.

When SW1 receives the frame, it accepts it because the source VLAN is the same as the native VLAN (in our case, VLAN 100), then discards the outer tag because it uses the same VLAN as the native one (no tagging for the native VLAN), and finally forwards the frame to SW2.

What follows next is normal switch behavior. SW2 uses the only tag inside the frame (for VLAN 200) and directs the frame to the victim in that same VLAN.

Note: This attack is unidirectional, meaning the victim cannot reply unless the attacker is part of the same VLAN.

To mitigate such an attack, you should never assign interfaces connecting end devices to the same VLAN you use as the native VLAN on the trunk link. For that reason, you create another VLAN to function as a native VLAN on the trunk link and do not use it on other interfaces.