VLAN Hopping Attack and Mitigation

Before jumping into the working and prevention of a VLAN hopping attack, it is obligatory to understand what a VLAN is.

VLAN is a Virtual Local Area Network in which a physical network is divided into a group of devices to interconnect them. VLAN is normally used to segment a singular broadcast domain into numerous broadcast domains in switched layer 2 networks. To communicate between two VLAN networks, a layer 3 device is required (usually a router) such that all the packets communicated between the two VLANs must pass through the 3rd OSI layer device.

In this type of network, each user is provided with an access port in order to separate VLAN’s traffic from each other, i.e., a device attached to an access port only has access to that specific VLAN’s traffic as each switch access port is connected to a particular VLAN. After getting to know the basics of what a VLAN is, let’s jump towards understanding a VLAN hopping attack and how it works.

How VLAN Hopping Attack Works

VLAN Hopping Attack is a type of network attack in which an attacker tries to gain access to a VLAN network by sending packets to it through another VLAN network with which the attacker is connected. In this kind of attack, the attacker maliciously tries to gain access to the traffic coming from other VLANs in a network or can send traffic to other VLANs in that network, to which he has no legal access. In most cases, the attacker only exploits 2 layers that segment various hosts.

The article provides a brief overview of the VLAN Hopping attack, its types, and how to prevent it with timely detection.

Types of VLAN Hopping Attack

Switched Spoofing VLAN Hopping Attack:

In switched spoofing VLAN Hopping Attack, the attacker tries to imitate a switch to exploit a legitimate switch by tricking it into making a trunking link between the attacker’s device and switch. A trunk link is a linking of two switches or a switch and a router. The trunk link carries traffic between the linked switches or the linked switches and routers and maintains the VLANs data.

The data frames that pass from the trunk link are tagged to be identified by the VLAN the data frame belongs to. Therefore, a trunk link carries the traffic of many VLANs. As packets from every VLAN are permitted to go across a trunking link, immediately after the trunk link is established, the attacker accesses traffic from all the VLANs on the network.

This attack is only possible if an attacker is linked to a switch interface whose configuration is set to either of the following, “dynamic desirable“, “dynamic auto,” or “trunk” modes. This allows the attacker to form a trunk link between their device and switch by generating a DTP (Dynamic Trunking Protocol; they are utilized to build trunk links between two switches dynamically) message from their computer.

Double Tagging VLAN Hopping Attack:

A double-tagging VLAN hopping attack can also be termed a double-encapsulated VLAN hopping attack. These types of attacks only work if the attacker is connected to an interface connected to the trunk port/link interface.

Double tagging VLAN Hopping Attack occurs when the attacker modifies the original frame to add two tags, just as most switches only remove the outer tag, they can only identify the outer tag, and the inner tag is preserved. The outer tag is linked to the attacker’s personal VLAN, while the inner tag is linked to the victim’s VLAN.

At first, the attacker’s maliciously crafted double-tagged frame gets to the switch, and the switch opens the data frame. The outer tag of the data frame is then identified, belonging to the specific VLAN of the attacker to which the link associates. After that, it forwards the frame to every single of the native VLAN links, and also, a replica of the frame is sent to the trunk link that makes its way to the next switch.

The next switch then opens the frame, identifies the second tag of the data frame as the victim’s VLAN, and then forwards it to the victim’s VLAN. Eventually, the attacker will gain access to the traffic coming from the victim’s VLAN. Double tagging attack is only one-directional, and it is impossible to confine the return packet.

Mitigation Of VLAN Hopping Attacks

Switched Spoofing VLAN Attack Mitigation:

The configuration of access ports should not be set to any of the following modes: “dynamic desirable“, “dynamic auto“, or “trunk“.

Manually set the configuration of all access ports and disable dynamic trunking protocol on all access ports with switch port mode access or switch port mode negotiation.

  • switch1 (config) # interface gigabit ethernet 0/3
  • Switch1(config-if) # switchport mode access
  • Switch1(config-if)# exit

Manually set the configuration of all trunk ports and disable dynamic trunking protocol on all trunk ports with switch port mode trunk or switch port mode negotiation.

  • Switch1(config)# interface gigabitethernet 0/4
  • Switch1(config-if) # switchport trunk encapsulation dot1q
  • Switch1(config-if) # switchport mode trunk
  • Switch1(config-if) # switch port nonegotiate

Put all unused interfaces into a VLAN and then shut down all unused interfaces.

Double Tagging VLAN Attack Mitigation:

Do not put any host in the network on the default VLAN.

Create an unused VLAN to set and use it as the native VLAN for the trunk port. Likewise, please do it for all the trunk ports; the assigned VLAN is only used for native VLAN.

  • Switch1(config)# interface gigabitethernet 0/4
  • Switch1(config-if) # switchport trunk native VLAN 400


This attack allows malicious attackers to gain access to networks illegally. The attackers can then snip away passwords, personal information, or other protected data. Likewise, they can also install malware and spyware, spread trojan horses, worms, and viruses, or alter and even erase important information. The attacker can easily sniff through all the traffic coming from the network to use it for malicious purposes. It can also disrupt the traffic with unnecessary frames to an extent.

To conclude, it can be said beyond any doubt that a VLAN hopping attack is an enormous security threat. In order to mitigate these kinds of attacks, this article equips the reader with safety and preventive measures. Likewise, there is a constant need for extra and more advanced security measures that should be added to VLAN-based networks and improve network segments as security zones.

About the author

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14