VLAN Hopping – CompTIA Network+ N10-007 – 4.4


VLAN hopping allows an attacker to send frames to a device on a different VLAN. In this video, you’ll learn how switch spoofing and double tagging can be used when vlan hopping.

<< Previous Video: Brute Force Attacks Next: Man-in-the-Middle >>


Many organizations use VLANs to separate the network into different parts. This may be for organizational reasons. It might also be for security reasons. So you might have a VLAN for the network engineering team, a VLAN for shipping and receiving, and a separate VLAN for the accounting department.

This means if someone in the accounting department is accessing the network, then they have access to all of the other devices that are on the accounting VLAN. And best practice is that you would only have access to the devices that are on your local VLAN. But there are some techniques that might allow someone to hop to another VLAN. Obviously, this is something that should not be happening, and we want to be sure that we’re protecting against somebody who’s able to access a VLAN that’s not their own.

There are two primary methods that people are using to hop between VLANs this way. One is called switch spoofing, and the other one is double tagging. Many trunks allow you to set up an automatic configuration mode. This is called trunk negotiation. And it allows you to plug in a device to a switch, and that switch will determine if the device you plugged in is a normal access device– such as a laptop or a computer– or if the device you’re plugging in might be another switch.

This automatic configuration doesn’t have any type of authentication associated with it. So if you wanted to pretend that you were a switch, you could use specialized software and connect to a switch that had this automatic configuration, and instead of the switch thinking of you as a laptop or a desktop, it would then consider that you were another switch on the network. At that point, you would negotiate the trunks that were required across this particular link, just as if you were connecting two switches to each other. And now you’re able to send information to any of the VLANs that would be supported over that trunk connection.

This switch spoofing would effectively give anyone access to VLANs that were supported on that remote switch. This is why a switch administrator would normally disable this particular automatic trunk negotiation. The administrator should instead manually define which interfaces on a switch are for a trunk, and which interfaces on a switch are for access devices.

Normally, when a frame is sent across a trunk connection, there’s a tag that’s added to that frame. On the other side, that tag is evaluated and removed, and that data is sent to the correct VLAN on the other side. One way to get around this functionality is to include two tags with a particular frame going over VLAN. And with double tagging, we’re able to use the native VLAN of a particular switch to gain access to a VLAN that normally we would not have access to.

This double tagging attack uses two different switches. The first switch removes the first tag associated with the frame. And the second switch removes the second tag associated with the frame, and forwards that data to the separate VLAN.

This also means that this particular kind of attack can only work in one direction. There’s no way to put two tags on the return frame. So whenever you’re sending information using this double tagging attack, you’re sending it without ever receiving a response back from the other device. This limits some of the things that you might be able to do with this attack, but it certainly could be used for something like a denial of service.

One way to avoid a double tagging attack is not to allow someone access to the native VLAN. You would change the native VLAN ID and force anyone going over the native VLAN to use tagging. Here’s how this double tagging works. We have an attacker’s computer, and a victim computer. You notice the attackers on VLAN 10, and the victim device is on VLAN 20.

Normally, these two devices would not be able to communicate directly with each other. They would have to go through a router at the very least. But by using double tagging, we can hop through both of these switches and have our data end up on a different VLAN.

Here’s the frame that we’re going to send. It’s an Ethernet frame that has two tags inside of it. One tag for VLAN 10, and one tag for VLAN 20. That frame will be sent to the first switch, and that switch is going to evaluate the first tag associated in this frame. That will be the tag for VLAN 10.

It removes that tag, and that frame that’s leftover still has a tag for VLAN 20. So it will send it across this trunk to VLAN 20, where this switch will perform the normal removal of the tag and send this data down to the victim’s workstation. Obviously, any data that comes from VLAN 10 should not suddenly appear on VLAN 20. This double tagging attack allows this attacking device to send information directly to this victim.