VLAN Hopping
What is VLAN Hopping?
VLAN Hopping: A switch attack that lets a host send or receive frames in a VLAN it should not belong to by abusing trunking negotiation or 802.1Q double tagging.
VLAN hopping abuses the Layer-2 segmentation provided by 802.1Q tags. Two main variants exist. In switch spoofing, the attacker's host speaks DTP on a port the switch has left in a dynamic trunking mode, negotiates a trunk, and can then send and receive traffic in every VLAN allowed on that trunk; this variant is bidirectional. In double tagging, the attacker sends a frame carrying two 802.1Q headers: the outer tag matches the native VLAN of the trunk (which must also be the VLAN of the attacker's access port), and the inner tag names the victim VLAN. The first switch strips the outer tag, because native-VLAN traffic is sent untagged on the trunk, so the frame crosses the trunk carrying only the inner tag and the second switch delivers it into the victim VLAN. Double tagging is one-way: replies stay inside the victim VLAN and never reach the attacker, so it is useful mainly for reconnaissance or DoS. Defenses: disable DTP on every user port (switchport mode access plus switchport nonegotiate), set the native VLAN of every trunk to a dedicated, otherwise unused VLAN, tag the native VLAN explicitly (vlan dot1q tag native on Cisco IOS) so the outer tag is never stripped, and never leave user ports in trunk or dynamic mode.
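The following is an added example, not code from the original page: it builds a double-tagged 802.1Q frame byte by byte and runs it through a simplified model of two switches joined by a trunk, to show why the outer tag disappears, why the attacker's port must sit in the native VLAN, and why an unused native VLAN or explicit native tagging stops the hop. The MAC addresses, VLAN numbers, payload and the switch behaviour (one access port, one trunk, no MAC learning) are assumptions made for the demonstration, not a reimplementation of any vendor's forwarding path.

```python
"""Model of 802.1Q double tagging and the native-VLAN defenses (added example)."""
import struct

TPID_8021Q = 0x8100       # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values (assumptions, not from the page).
ATTACKER_MAC = bytes.fromhex("02000000aa01")
VICTIM_MAC = bytes.fromhex("02000000bb20")
NATIVE_VLAN_DEFAULT = 1   # attacker's access VLAN and the trunk's native VLAN
VICTIM_VLAN = 20


def dot1q_tag(vid, pcp=0):
    """One 802.1Q header: TPID 0x8100 followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame: dst, src, zero or more 802.1Q tags (outer first), EtherType, payload."""
    tags = b"".join(dot1q_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (list of VIDs outer-to-inner, EtherType, payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, frame[off + 2:]


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + dot1q_tag(vid) + frame[12:]


def access_ingress(frame, port_vlan):
    """Switch 1, access port in port_vlan: untagged frames get port_vlan; a frame
    tagged with port_vlan is accepted and that tag removed; any other VID is dropped."""
    vids, _, _ = parse_tags(frame)
    if not vids:
        return port_vlan, frame
    if vids[0] != port_vlan:
        return None
    return port_vlan, strip_outer_tag(frame)


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Switch 1, trunk egress: native-VLAN frames leave untagged unless the native
    VLAN is explicitly tagged (Cisco 'vlan dot1q tag native'); all others get a tag."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2, trunk ingress: the first tag selects the VLAN; untagged means native."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def tags_on_trunk(frame, port_vlan, native_vlan, tag_native=False):
    """Tags present on the wire between the two switches, or None if switch 1 dropped it."""
    r = access_ingress(frame, port_vlan)
    if r is None:
        return None
    vlan, f = r
    return parse_tags(trunk_egress(vlan, f, native_vlan, tag_native))[0]


def deliver(frame, port_vlan, native_vlan, tag_native=False):
    """VLAN into which switch 2 delivers the frame, or None if switch 1 dropped it."""
    r = access_ingress(frame, port_vlan)
    if r is None:
        return None
    vlan, f = r
    return trunk_ingress(trunk_egress(vlan, f, native_vlan, tag_native), native_vlan)


# Constructed attack frame: outer tag = native VLAN 1, inner tag = victim VLAN 20.
ATTACK_FRAME = build_frame(VICTIM_MAC, ATTACKER_MAC, [NATIVE_VLAN_DEFAULT, VICTIM_VLAN],
                           ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
NORMAL_FRAME = build_frame(VICTIM_MAC, ATTACKER_MAC, [], ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print("default config, port in native VLAN 1 :", deliver(ATTACK_FRAME, 1, 1))          # 20: hop
    print("tags seen on trunk in that case       :", tags_on_trunk(ATTACK_FRAME, 1, 1))    # [20]
    print("unused native VLAN 999                :", deliver(ATTACK_FRAME, 1, 999))        # 1
    print("native VLAN tagged explicitly         :", deliver(ATTACK_FRAME, 1, 1, True))    # 1
    print("attacker port not in native VLAN      :", deliver(ATTACK_FRAME, 10, 1))         # None
```

The hop succeeds only in the first case: the frame reaches the trunk with a single tag (VID 20) because switch 1 removed the outer one, and switch 2 honours that inner tag. Moving the native VLAN to an unused value or tagging it explicitly leaves the outer tag in place, so switch 2 delivers the frame into VLAN 1 where the attacker already sits. Nothing in the model carries a reply back, which matches the one-way nature of the attack described above.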
● Examples
- 01: Yersinia DTP attack negotiating a trunk on an access port and reaching the management VLAN.
- 02: Sending a double-tagged ICMP echo request through the native VLAN to a server in another VLAN; the request arrives, but the reply stays in the victim VLAN and never comes back to the attacker.
● Frequently asked questions
What is VLAN Hopping?
A switch attack that lets a host send or receive frames in a VLAN it should not belong to by abusing trunking negotiation or 802.1Q double tagging. It belongs to the Attacks & Threats category of cybersecurity.
What does VLAN Hopping mean?
A switch attack that lets a host send or receive frames in a VLAN it should not belong to by abusing trunking negotiation or 802.1Q double tagging.
How does VLAN Hopping work?
VLAN hopping abuses the Layer-2 segmentation provided by 802.1Q tags. In switch spoofing, the attacker negotiates a DTP trunk on a port left in a dynamic trunking mode and then has two-way access to every VLAN allowed on that trunk. In double tagging, the attacker sends a frame with two 802.1Q headers, the outer matching the native VLAN of the trunk (which is also the VLAN of the attacker's access port) and the inner identifying the victim VLAN; the first switch strips the outer tag because native-VLAN traffic travels untagged on the trunk, and the second switch delivers the frame into the inner VLAN. Double tagging is one-way, so it enables reconnaissance or DoS rather than full access. Defenses are listed in the full definition above: disable DTP (switchport mode access, switchport nonegotiate), use a dedicated unused native VLAN, tag the native VLAN explicitly, and never leave user ports in trunk or dynamic mode.
How do you defend against VLAN Hopping?
Disable DTP on every user-facing port (switchport mode access together with switchport nonegotiate) so that no trunk can be negotiated from a host; give every trunk a dedicated, otherwise unused native VLAN and tag the native VLAN explicitly so an outer 802.1Q tag is never stripped; and never leave user ports in trunk or dynamic mode. Operationally, audit switch configurations for ports still sitting in a default dynamic trunking mode.
What are other names for VLAN Hopping?
Common alternative names include: Switch spoofing, 802.1Q double tagging, Q-in-Q hopping.
● Related terms
- DTP Attack (attacks № 363)
An attack that abuses Cisco Dynamic Trunking Protocol on an access port to negotiate a trunk with the switch and gain access to multiple VLANs.
- Spanning-Tree Protocol Attack (attacks № 1072)
A Layer-2 attack that injects forged BPDU frames to manipulate the Spanning-Tree topology, often electing the attacker's host as the root bridge to enable MITM or DoS.
- ARP Spoofing (attacks № 062)
A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- DHCP Spoofing (attacks № 312)
An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients.
- Rogue DHCP Server (attacks № 944)
An unauthorized DHCP server connected to a network that hands out IP configurations to clients, intentionally or accidentally redirecting traffic to attacker-controlled infrastructure.
● See also
- DHCP Starvation (№ 313)
- HSRP / VRRP Attack (№ 492)