VLAN Hopping

This topic is to discuss the following lesson:

https://networklessons.com/cisco/ccnp-switch/vlan-hopping/

Dear René,

Thank you very much for this great job !

I have a couple of questions about double tagging :

To be effective and exploited, this attack means that the attacker frame is not already in a port with a vlan other than the native vlan ?

In this sentence : “When the switch receives the frame, it will remove the first 802.1Q tag and forwards the frame with the second 802.1Q tag on its trunk interface(s).” Why the switch remove the first tag when this one " enter " the trunk ? Removing tags occurs when the frame exit the trunk for being delivered to the destination host ? Isn’t it ?

If it is a " native vlan " does the switch remove the tag at the entry of the trunk ? We use the native vlan to specify untagged frames ?

To be honest, not very clear for me :slight_smile:

Prince

Hi Prince,

Normally when a switch receives a tagged frame, it will remove the tag and then forwards it on access interfaces or other trunks. If it is sent on other trunk interfaces, then it will be tagged again.

With VLAN hopping, the VLAN of the attacker has to be the same as the native VLAN on the trunk. Here’s what happens:

  1. The attacker sends a double tagged frame, an inner (20) and outer (1) VLAN tag. The outer tag matches the native VLAN of the trunk.
  2. The switch receives the double tagged frame, looks at the outer VLAN (1) tag and removes it.
  3. The switch forwards the frame on all interfaces that belong to the native VLAN (1), this includes trunks.
  4. The frame (with one tag left) is forwarded to the other switch, which looks at the VLAN (2) tag and forwards it on all interfaces that belong to that VLAN 20.
Hope this helps!

Rene

1 Like

For sure René, it helps a lot

Thank you again for the great job! Well done!

Prince

Hi, Rene.

I confess that this lesson be confused, since I know frames that are received by the switch on access ports are dropped. The SW1 FastEthernet0/1 interface should be configured in trunk mode for this attack to work, correct?

Hi Stefanio,

I understand this can be confusing. When you read about VLAN hopping, they usually talk about interfaces in access mode that accept frames with two VLAN tags. The first tag is ignored, the second one allows you to jump from one VLAN to another.

The 3560 switch that I used didn’t like this at all…it does not accept a frame that is tagged if the interface is configured in access mode. I didn’t test it but older switches (or IOS images), or other vendors switches, might accept a double-tagged frame on an access mode interface, making VLAN hopping possible.

In my example, I had to set Fa0/1 on SW1 to trunk mode for it to accept double VLAN tags. On modern IOS switches, VLAN hopping on access mode interfaces is no longer an issue.

1 Like

Will the switch accept the frame if the switchport is configured with a voice vlan?

Hello Zahchary

This is a good point you make. A port that is configured with a voice VLAN is an access port, but it will accept tagged frames as long as they are tagged with the configured voice VLAN ID. A switch uses CDP to communicate with Cisco IP Phones and let them know what the voice VLAN ID is. If your phones are not Cisco, you will have to know the VLAN ID and configure it manually. If you know this VLAN ID you may be able to gain unauthorized access to the voice VLAN if you connect your own switch to the network jack where the phone is plugged in. For this you will have to employ additional Layer 2 security parameters like port security.

For more info on some of these topics, take a look at the following lessons:


I hope this has been helpful!

Laz