Understanding VLAN Hopping Attacks

I often receive questions from CCNP candidates about which preventative measures mitigate a VLAN hopping attack. The confusion stems from the fact that different sources (including the official certification guide from Cisco Press) often address only one of the two attack types, and different sources frequently use different language for the same attack vector, which only adds to the confusion. Here is my attempt to explain the two primary VLAN hopping attack types, how each works, and which configuration defeats which.

VLAN hopping is any technique by which an attacker whose port belongs to one VLAN sends traffic into, or receives traffic from, another VLAN that the port was never meant to reach. There are two primary VLAN hopping methods: switch spoofing and double tagging.

Switch Spoofing

Switch spoofing relies on the port the attacker connects to becoming an 802.1Q trunk. That happens when the port is already configured as a trunk, or when it is in a DTP dynamic mode (dynamic auto or dynamic desirable) and the attacker answers with spoofed DTP frames that negotiate a trunk. Once the port is a trunk, the attacker can add 802.1Q headers to outgoing frames with the VLAN ID of any VLAN allowed on that trunk, and the switch forwards each frame into that VLAN because it now treats the link as a connection to another switch (only switches normally speak 802.1Q on a link). In the other direction the attacker also receives the broadcast and flooded traffic of every VLAN carried on the trunk, not just its own.

Switch Spoofing Mitigation

There are two preventive measures against switch spoofing: [1] configure every edge port as a static access port and [2] disable DTP on every port. The switchport mode access command fixes the port as an access port, so it can never become a trunk and carry traffic for multiple VLANs. The switchport nonegotiate command stops the port from sending DTP frames; IOS only accepts it on a port that is already in a static mode (access or trunk), so any port that genuinely needs to be a trunk should be set to switchport mode trunk together with switchport nonegotiate rather than left dynamic. This matters because the factory default on many Cisco access switches is dynamic auto, which will happily form a trunk with any peer that asks for one.

Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate

Double Tagging

A double tagging attack begins with the attacker sending frames that carry two 802.1Q tags in the header. The outer (first) tag carries the VLAN ID of the native VLAN on the trunk the frame will leave through, and the attacker's own port must belong to that VLAN: either an access port in the native VLAN (usually VLAN 1), or a trunk port whose native VLAN is the same. The inner (second) tag carries the VLAN ID of the VLAN the attacker wants the frame delivered to.


When the first switch receives the attacker's frame, it strips the outer tag and classifies the frame into the native VLAN. When it forwards that frame out a trunk port, it sends native VLAN traffic untagged, so no tag is added and the inner tag is now the first thing after the MAC addresses. The neighbor switch receiving the frame over the trunk sees that remaining tag, reads it as the frame's VLAN, and forwards the frame to the target port in that VLAN. The attack is one-way: any reply from the victim is tagged normally with the victim's VLAN and never reaches the attacker's port, so double tagging is useful for injecting traffic into a VLAN, not for establishing a two-way session with a host in it.

Notice that this requires the victim to be at least one switch away from the switch the attacker is physically connected to, because the forwarding decision on the second tag is made by the switch at the far end of the trunk. The attack also requires 802.1Q encapsulation on the trunk. Since ISL encapsulation has no native (untagged) VLAN, ISL trunks are not susceptible to double tagging.
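The following is an added example, not code from the original post. It builds real 802.1Q frames (TPID 0x8100, 16-bit TCI with a 12-bit VLAN ID) and runs them through a deliberately simplified model of access-port ingress, trunk egress and trunk ingress, so you can see exactly why the attack works when the attacker's VLAN equals the trunk's native VLAN and why each countermeasure breaks it. The MAC addresses and payload are constructed, and the "legacy" access-port behaviour (accepting a tag equal to the port VLAN) is an assumption of the model that the classic attack depends on, not a statement about any particular IOS release.

```python
"""802.1Q double tagging modelled end to end (added example, not from the post)."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload; not captured traffic.
ATTACKER_MAC = bytes.fromhex("0200deadbeef")
VICTIM_MAC = bytes.fromhex("0200c0ffee01")
PAYLOAD = b"\x45\x00" + b"\x00" * 18


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame with stacked 802.1Q tags; vids is outermost first."""
    frame = dst + src
    for vid in vids:
        if not 0 <= vid <= 4095:
            raise ValueError("VLAN ID must be 0..4095")
        frame += struct.pack("!HH", TPID_8021Q, vid)  # PCP=0, DEI=0, VID=vid
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the VLAN IDs in the tag stack, outermost first."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    """Remove the outermost 802.1Q tag (4 bytes after the two MACs)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert a new outermost 802.1Q tag."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, port_vlan, legacy=True):
    """Access port: untagged -> port VLAN. A tag equal to the port VLAN is
    accepted and stripped only in the assumed legacy behaviour; modern IOS
    drops tagged frames on access ports. Returns (vlan, frame) or None."""
    vids = parse_tags(frame)
    if not vids:
        return port_vlan, frame
    if legacy and vids[0] == port_vlan:
        return port_vlan, pop_tag(frame)
    return None


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """dot1q trunk: native VLAN leaves untagged unless native tagging is on."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, allowed=None):
    """dot1q trunk: tagged -> that VLAN (if allowed), untagged -> native VLAN."""
    vids = parse_tags(frame)
    if not vids:
        return native_vlan, frame
    if allowed is not None and vids[0] not in allowed:
        return None
    return vids[0], pop_tag(frame)


def double_tag_outcome(attacker_vlan, native_vlan, target_vlan,
                       tag_native=False, legacy_access=True):
    """VLAN in which switch 2 delivers the attacker's frame, or None if dropped.
    The attacker's outer tag is its own access VLAN (the only tag the port
    would accept); the attack succeeds only if that equals the native VLAN."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC,
                        [attacker_vlan, target_vlan], ETHERTYPE_IPV4, PAYLOAD)
    hop1 = access_ingress(frame, attacker_vlan, legacy_access)
    if hop1 is None:
        return None
    vlan, frame = hop1
    frame = trunk_egress(frame, vlan, native_vlan, tag_native)
    hop2 = trunk_ingress(frame, native_vlan)
    return None if hop2 is None else hop2[0]


if __name__ == "__main__":
    print("default VLAN 1 everywhere   ->", double_tag_outcome(1, 1, 20))
    print("access 10, native 99        ->", double_tag_outcome(10, 99, 20))
    print("native VLAN tagged          ->", double_tag_outcome(1, 1, 20, tag_native=True))
    print("access port drops tagged    ->", double_tag_outcome(1, 1, 20, legacy_access=False))
```

With the defaults (attacker in VLAN 1, native VLAN 1) the frame lands in VLAN 20. Moving the access port to VLAN 10 with native VLAN 99 makes the first switch push a tag of 10 on the trunk, so the second switch keeps the frame in VLAN 10 with the attacker's inner tag buried in the payload; tagging the native VLAN keeps it in VLAN 1 for the same reason; and an access port that drops tagged frames never forwards it at all.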

Double Tagging Mitigation

The key to a double tagging attack is the native VLAN. Since VLAN 1 is both the default VLAN for access ports and the default native VLAN on trunks, it is an easy target: the attacker's port and the trunk's native VLAN match out of the box. The first countermeasure is therefore to move access ports out of the default VLAN 1, since the attacker's port must be in the trunk's native VLAN for the attack to work.

Switch(config-if)# switchport access vlan 10
Switch(config-if)# description access_port

The second countermeasure is to set the native VLAN on every trunk to a VLAN that no access port belongs to and that carries no data of its own.

Switch(config-if)# switchport trunk native vlan 99

Either of the above measures breaks the precondition (the attacker's VLAN equals the trunk's native VLAN) and so prevents the attack; doing both is the usual practice. Be aware that a third option also exists: tag the native VLAN on all trunks, so that no traffic crosses the trunk untagged and the second switch never sees the attacker's inner tag as the outermost tag. The interface-level command is shown below; support for it varies by platform, and on platforms such as the Catalyst 6500 the equivalent is the global command vlan dot1q tag native. Both ends of every trunk must agree on whether the native VLAN is tagged.

Switch(config-if)# switchport trunk native vlan tag


VLAN hopping is an important concept to understand when securing production data networks (or when preparing for the CCNP exams). Both switch spoofing and double tagging can be prevented with a few trunk and access port configuration parameters.

It is also important to know that modern versions of Cisco IOS drop 802.1Q-tagged frames received on access ports (the one exception being frames tagged with the port's configured voice VLAN), which removes the classic double tagging path from an access port. Do not rely on that alone: it does nothing for trunk ports or for older code, and the native VLAN settings above are what close the gap there.

In the end, just provision ports statically, disable DTP everywhere, and lock down native VLANs to make your networks more secure. VLAN hopping sounds like a complicated topic, but it doesn't have to be. Understanding the attacks and countermeasures will not only help you on exam day, but will also help you keep your networks secure.

Thanks for reading and I hope you’ve found this helpful; if so let me know by leaving a comment below.

Author: Aaron

Aaron knows networks. He's been involved in building and supporting world-class data networks for the past 10 years - from international cloud service providers to Fortune 50 data centers. Aaron consults independently and is focused on building the best training platform available.


Comments

  • Tony Ellis says:

    Out of curiosity, here is a scenario. The port is configured as an access port. However, there are still two VLANs configured on the switch port, as you are running a voice and a data VLAN. When connecting a computer, an end user typically can't tell what VLANs are configured on the switch. However, on a Cisco phone they could easily figure out from the phone GUI what VLAN the phone is in. Is this of any concern, where they tag their computer's data traffic as the voice VLAN? I believe that the Cisco phones have some smarts to remove all tagging when traffic enters the phone port. But I guess they could unplug the phone and then plug the computer directly into the wall port at that point. hmm…..

    • ryanwright40 . says:

      did you ever get any help with this ?

    • Aaron says:

      Hey Tony,

      This is definitely a valid concern. Workstations can plug directly into the phone and get access to the data network. Worse – they could plug a hub into the phone and connect a whole host of devices.

      The most common way to mitigate this is to apply port security to the access ports with a maximum of two clients allowed (the phone and the normal workstation), using the sticky parameter to allow the switch to learn only the MAC of the phone and the legitimate workstation.

      If you don’t have any workstations connected to the phones, use port-security with a maximum of one MAC and sticky. Any other client that connects will be denied.

      • Tony Ellis says:

        Good call, I like it. Another possibility, if the user is not supposed to be plugging in their computer, would be to disable the PC port on the Cisco phone (CUCM) and configure the access port with one MAC address. But, of course, the site would have to be using CUCM to make this possible.

        Interesting topic, good stuff.

  • ryanwright40 . says:

    I looked at this because I am not so computer-software driven, and I have a question that might relate… I am pretty sure that I can move my laptop to any other VLAN in my network and still be able to get on. For example, I work in the IT-Vlan, but I can plug into the Staff-Vlan and it still works, and yes, all laptops are DHCP?? I have most of my unused switch ports disabled, but I could easily unplug and plug in!!

    • Aaron says:

      Hi Ryan,

      By default, there is no user or client authentication on wired networks, so if you have DHCP enabled on a VLAN and assign ports to it, you'll certainly have access. The switch has no idea whether you should or should not be able to access the network.

      Generally, networks like “IT-Vlan” would not be configured on user-facing switch ports, which avoids the problem altogether. If you do need to configure administrative VLANs on ports that certain clients should not be able to access, then you’ll need to configure some sort of port-based authentication like port security (tied to a MAC address list) or preferably 802.1X.

      Hope that helps.

      • ryanwright40 . says:

        I thought that I was forgetting something or that I had totally misunderstood, but that helped me a lot. Sometimes I know how it works but I second-guess myself and think that there is more to it. I have suggested it to my uppers, but they don't think it's a good idea to lock down all the ports with port security and sticky MACs, and we could move to dynamic VLANs with 802.1X, but I have heard that some networks are having issues with two MACs on one port, like VoIP, HVAC, or card-swiping systems. Any advice for that?? Thank you very much for the reply.

  • Khaled says:

    Thanks for the explanation.
