10.1 Introduction

Virtual Local Area Networks (VLANs) are a cornerstone of modern network design, enabling logical segmentation of a network into smaller broadcast domains. This segmentation offers numerous benefits, including improved performance, simplified management, and enhanced security by isolating different user groups, departments, or sensitive systems. However, the very nature of VLANs, particularly their reliance on shared physical infrastructure and trunking protocols, introduces potential vulnerabilities if not properly secured.

This chapter delves into the intricacies of VLAN hopping attacks, a category of exploits that allow an attacker to bypass VLAN segmentation and gain unauthorized access to other VLANs. We will explore the common attack vectors, understand the underlying technical mechanisms that make these attacks possible, and provide comprehensive countermeasures across multi-vendor environments.

Why is this chapter important? In an era where network segmentation is critical for compliance (e.g., PCI DSS, HIPAA) and cybersecurity defense, understanding and mitigating VLAN hopping is paramount. Misconfigured or insecure VLAN environments can render the benefits of segmentation moot, potentially leading to unauthorized data access, network disruption, and severe security breaches.

What you’ll be able to do after reading this chapter:

  • Understand the principles of VLANs and 802.1Q trunking.
  • Identify the two primary types of VLAN hopping attacks: Switch Spoofing and Double Tagging.
  • Analyze the mechanisms by which these attacks exploit VLAN configurations.
  • Implement robust countermeasures on Cisco and Juniper network devices.
  • Automate the deployment of VLAN security configurations using Ansible.
  • Troubleshoot and verify secure VLAN configurations.
  • Apply best practices to prevent VLAN hopping in enterprise networks.

10.2 Technical Concepts

Before diving into the attacks, let’s briefly review the foundational concepts of VLANs and trunking.

10.2.1 IEEE 802.1Q VLAN Tagging

IEEE 802.1Q, ratified by the Institute of Electrical and Electronics Engineers, defines the standard for VLAN tagging on Ethernet networks. It specifies a method for inserting a 4-byte tag into the Ethernet frame header, between the source MAC address and the EtherType/Length field, to identify the VLAN to which the frame belongs. This tag allows multiple VLANs to share a single physical link (a trunk link) between switches or between a switch and a router.

802.1Q Tag Structure (Simplified):

packetdiag {
  colwidth = 32
  0-47: Destination MAC Address (6 bytes)
  48-95: Source MAC Address (6 bytes)
  96-111: TPID / EtherType (0x8100 for 802.1Q)
  112-114: Priority Code Point (PCP) - 3 bits for QoS
  115: Drop Eligible Indicator (DEI) - 1 bit
  116-127: VLAN Identifier (VID) - 12 bits (4096 possible values)
  128-143: Length/Type (Original EtherType/Length)
  144-N: Payload
  N-M: Frame Check Sequence (FCS)
}
  • EtherType (0x8100): Indicates that the frame carries an 802.1Q tag.
  • PCP (Priority Code Point): Used for Quality of Service (QoS), allowing prioritization of traffic.
  • DEI (Drop Eligible Indicator): Can be used in conjunction with PCP to indicate frames that can be dropped during congestion.
  • VID (VLAN Identifier): A 12-bit field that uniquely identifies the VLAN to which the frame belongs, allowing for 4094 usable VLANs (0 and 4095 are reserved).

A trunk link is a point-to-point link that carries traffic for multiple VLANs. Switches typically encapsulate frames with an 802.1Q tag when sending them over a trunk, specifying the VLAN ID.

The native VLAN is a special VLAN configured on an 802.1Q trunk link. Frames belonging to the native VLAN are not tagged when transmitted over the trunk. Conversely, any untagged frames received on a trunk port are assumed to belong to the native VLAN. This behavior, while seemingly innocuous, is a critical vulnerability point for double-tagging attacks. By default, the native VLAN is often VLAN 1.

10.2.2 VLAN Hopping Attack Types

VLAN hopping attacks exploit vulnerabilities in the way switches handle 802.1Q tagging and trunking protocols. There are two primary types:

10.2.2.1 Switch Spoofing (Dynamic Trunking Protocol - DTP Spoofing)

Switch spoofing exploits the Dynamic Trunking Protocol (DTP), a Cisco proprietary protocol (though similar concepts exist in other vendors) designed to negotiate trunking status between two connected switches. A port in dynamic desirable mode actively initiates the negotiation and a port in dynamic auto mode accepts it, so either mode will form a trunk with whatever device on the other end of the link asks for one.

How it works:

  1. An attacker connects a host (e.g., a laptop running specialized software like Yersinia) to a switch port configured for DTP negotiation (e.g., dynamic auto).
  2. The attacker’s host spoofs itself as a switch by sending DTP negotiation messages that request to form a trunk link.
  3. If the legitimate switch port is in dynamic auto or dynamic desirable mode, it will respond by forming a trunk link with the attacker’s host.
  4. Once a trunk link is established, the attacker’s host can send and receive traffic for all VLANs allowed on that trunk, effectively “hopping” from their assigned VLAN to any other VLAN on the network.

Diagram: Switch Spoofing Attack Scenario

@startuml
!theme mars

' Step 1: Define ALL elements first
actor Attacker
rectangle "Attacker's Host (Spoofing Switch)" as AttackerHost {
    component "Malicious DTP Software" as DTP_SW
}
node "Vulnerable Switch" as SW1 {
    port "Access Port (Dynamic Auto/Desirable)" as Port_Vulnerable
}
node "Target Server (VLAN 20)" as TargetServer

' Step 2: Then connect them
Attacker -- DTP_SW
AttackerHost -- Port_Vulnerable : Ethernet Link (DTP Negotiation)
Port_Vulnerable -- SW1
SW1 -- TargetServer : Access to Target VLAN (VLAN 20)

note left of AttackerHost
Attacker sends DTP frames,
spoofing as a legitimate switch.
end note

note right of SW1
Vulnerable port in 'dynamic auto'
or 'dynamic desirable' mode forms
a trunk with the attacker.
end note

AttackerHost -[dashed]-> TargetServer : Unauthorised Access to VLAN 20
@enduml

10.2.2.2 Double Tagging (802.1Q Tag Stacking)

Double tagging, also known as 802.1Q tag stacking or VLAN encapsulation, is a more subtle attack that does not require DTP. It exploits the native VLAN configuration on an 802.1Q trunk link.

How it works:

  1. An attacker crafts a malicious Ethernet frame with two 802.1Q tags:
    • Outer tag: The VLAN ID matches the native VLAN of the trunk leaving the attacker’s switch. For the attack to work, this must also be the VLAN of the access port to which the attacker is connected.
    • Inner tag: The VLAN ID matches the target VLAN that the attacker wishes to access.
  2. The attacker sends this double-tagged frame to the switch.
  3. The switch accepts the frame on the access port and forwards it towards the trunk. Because the outer VLAN is the trunk’s native VLAN, and native-VLAN frames are sent untagged, the switch strips the outer tag as the frame leaves on the trunk.
  4. The switch at the far end of the trunk sees only the inner tag, which now appears to be the legitimate 802.1Q tag for the frame, and delivers the frame into the target VLAN.
  5. Crucially, this attack relies on the fact that each switch removes only one tag from a frame. It is also one-way: replies from the target are switched within the target VLAN and never return to the attacker’s access VLAN.

Diagram: Double Tagging Attack Scenario

@startuml
!theme mars

' Step 1: Define ALL elements first
actor Attacker
node "Attacker's Host" as AttackerHost
node "Access Switch" as AccessSW {
    port "Port 1 (Access, VLAN 10)" as Port1
    port "Trunk Port (VLANs 10,20,30, Native VLAN 10)" as TrunkPort
}
node "Core Switch" as CoreSW
node "Target Server (VLAN 20)" as TargetServer

' Step 2: Then connect them
AttackerHost -- Port1 : "Double-tagged frame: Outer=VLAN 10 (Native), Inner=VLAN 20"
Port1 -- AccessSW
AccessSW -- TrunkPort
TrunkPort -- CoreSW : Inner tag (VLAN 20) is forwarded
CoreSW -- TargetServer : Frame delivered to VLAN 20

note left of AttackerHost
Attacker crafts frame with:
Outer tag = Native VLAN (e.g., VLAN 10)
Inner tag = Target VLAN (e.g., VLAN 20)
end note

note right of AccessSW
Access switch removes outer tag (VLAN 10).
Inner tag (VLAN 20) is now visible and forwarded.
end note

@enduml

Packet Diagram: Double Tagged Frame Structure

packetdiag {
  colwidth = 32
  0-47: Destination MAC
  48-95: Source MAC
  96-111: 0x8100 (Outer 802.1Q TPID)
  112-127: Outer PCP | DEI | **Native VLAN ID** (e.g., VLAN 10)
  128-143: 0x8100 (Inner 802.1Q TPID)
  144-159: Inner PCP | DEI | **Target VLAN ID** (e.g., VLAN 20)
  160-175: Original EtherType / Length
  176-N: Payload
  N-M: FCS
}
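The following is an added example, not part of the chapter: a small Python parser for the tag layout shown in 10.2.1 that reads the full 802.1Q tag stack of a raw frame and classifies what a sensor on an access port would see, flagging the double-tagged shape just described. The sample frames are constructed in the code, and the names parse_frame, classify_ingress and the SAMPLE_* constants are assumptions of this example.

```python
import struct
from dataclasses import dataclass, field
from typing import List

TPID_8021Q = 0x8100   # customer VLAN tag (C-TAG)
TPID_8021AD = 0x88A8  # service tag (S-TAG, 802.1ad/QinQ); parsed the same way
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}


@dataclass
class VlanTag:
    tpid: int
    pcp: int  # 3-bit Priority Code Point
    dei: int  # 1-bit Drop Eligible Indicator
    vid: int  # 12-bit VLAN Identifier


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    tags: List[VlanTag] = field(default_factory=list)
    ethertype: int = 0  # EtherType/Length that follows the last tag
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse the Ethernet header and every stacked 802.1Q/802.1ad tag.

    A switch strips at most one tag per hop, which is why a second tag can
    survive into another VLAN; this parser reads the whole stack instead.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    parsed = ParsedFrame(dst_mac=_mac(frame[0:6]), src_mac=_mac(frame[6:12]))
    offset = 12  # position of the first TPID/EtherType field
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in TAG_TPIDS:
        if len(frame) < offset + 6:  # need TCI (2 bytes) plus the next EtherType
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        parsed.tags.append(VlanTag(tpid=ethertype, pcp=tci >> 13,
                                   dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
        offset += 4  # skip this 4-byte tag
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    parsed.ethertype = ethertype
    parsed.payload = frame[offset + 2:]
    return parsed


def classify_ingress(frame: bytes, trunk_native_vlan: int) -> str:
    """Classify a frame captured on an access port (e.g. via a SPAN sensor).

    'double-tag-native' is the exact precondition of the attack described
    above: two tags, and the outer VID equals the native VLAN of the uplink
    trunk, so the access switch would strip it on egress and expose the inner tag.
    """
    parsed = parse_frame(frame)
    if len(parsed.tags) >= 2:
        if parsed.tags[0].vid == trunk_native_vlan:
            return "double-tag-native"
        return "double-tag"
    if len(parsed.tags) == 1:
        return "tagged"
    return "untagged"


# Constructed sample frames (not captures from the chapter's lab):
_HDR = bytes.fromhex("ffffffffffff" "001122334455")  # dst (broadcast), src
# outer tag TCI 0xB00A -> PCP 5, DEI 1, VID 10; inner tag TCI 0x0014 -> VID 20; then IPv4
SAMPLE_DOUBLE_TAGGED = _HDR + bytes.fromhex("8100b00a" "81000014" "0800") + b"constructed-ip-payload"
SAMPLE_SINGLE_TAGGED = _HDR + bytes.fromhex("81000014" "0800") + b"constructed-ip-payload"
SAMPLE_UNTAGGED = _HDR + bytes.fromhex("0806") + b"constructed-arp-payload"

if __name__ == "__main__":
    for label, frame in [("double", SAMPLE_DOUBLE_TAGGED),
                         ("single", SAMPLE_SINGLE_TAGGED),
                         ("untagged", SAMPLE_UNTAGGED)]:
        parsed = parse_frame(frame)
        print(label, [t.vid for t in parsed.tags], hex(parsed.ethertype),
              classify_ingress(frame, trunk_native_vlan=10))
```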

RFC/Standard References:

  • IEEE 802.1Q-2022: The current revision of the standard for Virtual Bridged Local Area Networks (earlier revisions are still widely cited; refer to the most recent one). It defines the core tagging mechanism.
  • IEEE 802.1ad (QinQ): While QinQ is a legitimate technology for provider bridges (stacking multiple 802.1Q tags), the double-tagging attack leverages the basic 802.1Q behavior, not necessarily an explicit QinQ configuration. The attack is a side-effect of how a switch processes a single 802.1Q tag and then sees another, rather than a deliberate QinQ implementation.

10.3 Configuration Examples (Multi-vendor Countermeasures)

Implementing effective countermeasures is crucial. The following examples demonstrate how to mitigate VLAN hopping on Cisco and Juniper devices.

10.3.1 Countermeasures for Switch Spoofing (DTP Spoofing)

The primary defense against switch spoofing is to disable DTP or force ports into a specific mode.

10.3.1.1 Cisco IOS/IOS-XE/NX-OS

Best Practice:

  • Disable DTP: Configure access ports as switchport mode access and trunk ports as switchport mode trunk.
  • Explicitly disable DTP negotiation: Use switchport nonegotiate on trunk ports; it is harmless on access ports as well, as in the example below.

! Cisco Catalyst 9300 (IOS-XE) - Global configuration for interfaces
!
! **WARNING:** Applying these configurations without understanding
! your network's existing DTP usage can cause connectivity loss.
! Always plan and test changes in a controlled environment.
!
! Example 1: Securing an Access Port
interface GigabitEthernet1/0/1
  description User_Access_Port_VLAN_10
  switchport mode access
  switchport access vlan 10
  switchport nonegotiate
  spanning-tree portfast
  spanning-tree bpduguard enable
  no shutdown
exit

! Example 2: Securing a Trunk Port (to another switch)
interface GigabitEthernet1/0/2
  description Inter_Switch_Trunk_to_Core
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,100
  ! Always change the native VLAN from the default (VLAN 1);
  ! 999 is deliberately absent from the allowed list (pruned)
  switchport trunk native vlan 999
  ! Explicitly disables DTP on this port
  switchport nonegotiate
  no shutdown
exit

! Verification Commands
show interfaces GigabitEthernet1/0/1 switchport
show interfaces GigabitEthernet1/0/2 switchport
show interfaces GigabitEthernet1/0/1 trunk
show interfaces GigabitEthernet1/0/2 trunk

Expected Output (Cisco - relevant sections):

! For GigabitEthernet1/0/1 (Access Port)
Mode: Access
Access Mode VLAN: 10 (VLAN0010)
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off   <-- This is key!

! For GigabitEthernet1/0/2 (Trunk Port)
Mode: Trunk
Trunking Native Mode VLAN: 999 (VLAN0999)
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off   <-- This is key!

10.3.1.2 Juniper Junos OS

Junos OS switches do not implement DTP. Trunking and access modes are explicitly configured without dynamic negotiation. Therefore, switch spoofing through DTP is not a direct threat to Juniper devices. However, explicit configuration is still best practice.

Best Practice:

  • Explicitly configure interface mode: Set interface-mode access for access ports and interface-mode trunk for trunk ports.
  • Change native VLAN: Always configure native-vlan-id to an unused VLAN for trunk ports.

# Juniper EX4600 (Junos OS) - Global configuration for interfaces
#
# **WARNING:** Applying these configurations can affect network connectivity.
# Always plan and test changes in a controlled environment.
#
set interfaces ge-0/0/1 description "User_Access_Port_VLAN_10"
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10

set interfaces ge-0/0/2 description "Inter_Switch_Trunk_to_Core"
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members [ 10 20 30 100 ]
# Always change the native VLAN from the default
set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id 999

# Verification Commands
show interfaces ge-0/0/1
show interfaces ge-0/0/2
show vlans

Expected Output (Juniper - relevant sections):

# For ge-0/0/1 (Access Port)
Logical interface ge-0/0/1.0 (Index 61) (Hardware-Physical Interface ge-0/0/1)
    Flags: Up SNMP-Traps 0x40004000
    Link-level type: Ethernet, MTU: 1518, Speed: 1Gbps, Duplex: Full, Role: None, Port mode: Access
    VLAN-Tagging: Disabled, Tags: 1, Internal Tag: 10
    BPDU-Protection: No, BPDU-Timeout: 0, BPDU-Action: None

# For ge-0/0/2 (Trunk Port)
Logical interface ge-0/0/2.0 (Index 62) (Hardware-Physical Interface ge-0/0/2)
    Flags: Up SNMP-Traps 0x40004000
    Link-level type: Ethernet, MTU: 1518, Speed: 1Gbps, Duplex: Full, Role: None, Port mode: Trunk
    VLAN-Tagging: Disabled, Tags: 4, Internal Tags: 10,20,30,100
    Native-VLAN-ID: 999
    BPDU-Protection: No, BPDU-Timeout: 0, BPDU-Action: None

10.3.2 Countermeasures for Double Tagging

The primary defense against double tagging attacks is to isolate the native VLAN.

Best Practice:

  • Change the native VLAN ID: Configure the native VLAN ID on trunk ports to an unused VLAN ID that is not assigned to any hosts or devices. By default, it’s often VLAN 1, which is commonly used, making it a prime target.
  • Prune unused VLANs: Ensure that the native VLAN is pruned from all trunk links where it’s not strictly needed.
  • Disable/Avoid VLAN 1: Where possible, avoid using VLAN 1 for any user or management traffic.

10.3.2.1 Cisco IOS/IOS-XE/NX-OS

! Cisco Catalyst 9300 (IOS-XE) - Global configuration for interfaces
!
! **WARNING:** Changing the native VLAN on active trunks must be coordinated
! across all interconnected switches to avoid native VLAN mismatches,
! which can cause traffic disruption.
!
! Example: Securing a Trunk Port against Double Tagging
interface GigabitEthernet1/0/2
  description Inter_Switch_Trunk_to_Core
  switchport mode trunk
  ! Only allow necessary VLANs; the native VLAN 999 is deliberately not in the list
  switchport trunk allowed vlan 10,20,30,100
  ! Assign an unused VLAN as native
  switchport trunk native vlan 999
  switchport nonegotiate
  no shutdown
exit

! Example: Securing Access Ports
! Access ports should be configured with a specific VLAN.
! The native VLAN concept does not apply to an access port itself, but an access
! port placed in the VLAN that is native on an uplink trunk is exactly the
! precondition for double tagging, so keep access VLANs out of the native VLAN.
interface GigabitEthernet1/0/3
  description Secure_Access_Port_VLAN_20
  switchport mode access
  switchport access vlan 20
  switchport nonegotiate
  spanning-tree portfast
  spanning-tree bpduguard enable
  no shutdown
exit

! Verification Commands
show interfaces GigabitEthernet1/0/2 switchport
show interfaces GigabitEthernet1/0/2 trunk

Expected Output (Cisco - relevant sections):

! For GigabitEthernet1/0/2 (Trunk Port)
Trunking Native Mode VLAN: 999 (VLAN0999)  <-- Confirmed

10.3.2.2 Juniper Junos OS

# Juniper EX4600 (Junos OS) - Global configuration for interfaces
#
# **WARNING:** Changing the native VLAN on active trunks must be coordinated
# across all interconnected switches to avoid native VLAN mismatches,
# which can cause traffic disruption.
#
set interfaces ge-0/0/2 description "Inter_Switch_Trunk_to_Core"
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members [ 10 20 30 100 ]
# Assign an unused VLAN as native
set interfaces ge-0/0/2 unit 0 family ethernet-switching native-vlan-id 999

# Example: Securing Access Ports
set interfaces ge-0/0/3 description "Secure_Access_Port_VLAN_20"
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 20

# Verification Commands
show interfaces ge-0/0/2
show vlans

Expected Output (Juniper - relevant sections):

# For ge-0/0/2 (Trunk Port)
Native-VLAN-ID: 999  <-- Confirmed

10.4 Network Diagrams

10.4.1 General Vulnerable Network Topology

This diagram illustrates a common network setup where VLAN hopping could occur if proper countermeasures are not in place.

nwdiag {
  network Internal_VLAN_10 {
    address = "10.0.10.0/24"
    Attacker_PC [address = "10.0.10.10", color = "red"];
    Access_SW [address = "10.0.10.1"];
  }

  network Internal_VLAN_20 {
    address = "10.0.20.0/24"
    Target_Server [address = "10.0.20.20", color = "blue"];
    Core_SW [address = "10.0.20.1"];
  }

  network Management_VLAN_90 {
    address = "10.0.90.0/24"
    Management_Workstation [address = "10.0.90.5"];
    Core_SW [address = "10.0.90.1"];
  }

  network Inter_Switch_Trunk {
    Access_SW;
    Core_SW;
  }

  Attacker_PC -- Access_SW [label = "Access Port (VLAN 10)"];
  Access_SW -- Core_SW [label = "Trunk Link (VLANs 10,20,90)"];
  Core_SW -- Target_Server [label = "Access Port (VLAN 20)"];
  Core_SW -- Management_Workstation [label = "Access Port (VLAN 90)"];
}

10.4.2 Attack Flow: Switch Spoofing

digraph switch_spoofing_attack {
  rankdir=LR;
  node [shape=box, style="filled,rounded", fillcolor="#F0F4FF", fontname="Arial", fontsize=11];
  edge [color="#555555", arrowsize=0.8];

  subgraph cluster_attacker {
    label = "Attacker's Environment";
    color = blue;
    Attacker_Host [label="Attacker's PC\n(Yersinia/Spoofing Tool)"];
  }

  subgraph cluster_vulnerable_switch {
    label = "Vulnerable Access Switch";
    color = red;
    Vulnerable_Port [label="Port (Dynamic Auto/Desirable)"];
    Internal_Trunk [label="Internal Trunk"];
  }

  subgraph cluster_target_vlan {
    label = "Target VLAN (VLAN 20)";
    color = green;
    Target_Server [label="Sensitive Server"];
  }

  Attacker_Host -> Vulnerable_Port [label="1. Send DTP frames (Spoofing Switch)"];
  Vulnerable_Port -> Internal_Trunk [label="2. Trunk link established"];
  Internal_Trunk -> Target_Server [label="3. Attacker accesses VLAN 20 traffic"];

  Vulnerable_Port [shape=oval];
  Internal_Trunk [shape=triangle];
}

10.4.3 Secure Network Architecture

This diagram shows a network with VLAN hopping countermeasures applied.

@startuml
!theme mars

' Define all elements first
cloud "Internet" as INTERNET
rectangle "Edge Router" as R1
rectangle "Core Switch (Juniper)" as J_SW1
rectangle "Access Switch (Cisco)" as C_SW1
rectangle "DMZ Server (VLAN 50)" as DMZ_SERVER
rectangle "Corporate Workstation (VLAN 10)" as CORP_PC
rectangle "Guest Wi-Fi (VLAN 20)" as GUEST_AP
rectangle "Management Server (VLAN 999)" as MGMT_SERVER

' Connect them
INTERNET -- R1 : "WAN Link"
R1 -- J_SW1 : "L3 Link"

J_SW1 -- C_SW1 : "Secured Trunk Link"
J_SW1 -- DMZ_SERVER : "Access Port (VLAN 50)"
J_SW1 -- MGMT_SERVER : "Access Port (VLAN 999)"

C_SW1 -- CORP_PC : "Access Port (VLAN 10)"
C_SW1 -- GUEST_AP : "Access Port (VLAN 20)"

note left of C_SW1
Access Ports:
- switchport mode access
- switchport nonegotiate
- spanning-tree bpduguard enable
Trunk Port (to J_SW1):
- switchport mode trunk
- switchport trunk native vlan 999
- switchport nonegotiate
- only allowed VLANs
end note

note right of J_SW1
Access Ports:
- interface-mode access
- vlan members X
Trunk Port (to C_SW1):
- interface-mode trunk
- native-vlan-id 999
- only allowed VLANs
end note

@enduml

10.5 Automation Examples

Automating the configuration of VLAN security best practices ensures consistency and reduces human error, especially in large-scale deployments.

10.5.1 Ansible Playbook for VLAN Security Hardening

This Ansible playbook demonstrates how to apply switch spoofing and double tagging countermeasures on Cisco IOS/IOS-XE devices. Similar playbooks can be crafted for Junos using juniper.device modules.

# Ansible Playbook: vlan_security_hardening.yaml
---
- name: Apply VLAN Security Hardening to Cisco Switches
  hosts: cisco_switches
  gather_facts: no
  connection: ansible.netcommon.network_cli
  vars:
    native_vlan_id: 999
    # VLANs carried on trunks; the native VLAN 999 is deliberately left out (pruned)
    allowed_trunk_vlans: ["10", "20", "30", "50"]
    access_ports:
      - { interface: "GigabitEthernet1/0/1", vlan: 10, description: "User VLAN 10 Access" }
      - { interface: "GigabitEthernet1/0/2", vlan: 20, description: "Guest VLAN 20 Access" }
      # Add more access ports as needed
    trunk_ports:
      - { interface: "GigabitEthernet1/0/24", description: "Uplink to Core" }
      - { interface: "GigabitEthernet1/0/23", description: "Link to Other Switch" }
      # Add more trunk ports as needed

  tasks:
    - name: Ensure the unused native VLAN exists
      cisco.ios.ios_vlans:
        config:
          - vlan_id: "{{ native_vlan_id }}"
            name: NATIVE_VLAN_UNUSED
        state: merged
      when: native_vlan_id | int > 1   # never try to (re)create VLAN 1

    - name: Configure access ports (switchport mode access + access VLAN)
      cisco.ios.ios_l2_interfaces:
        config:
          - name: "{{ item.interface }}"
            mode: access
            access:
              vlan: "{{ item.vlan }}"
        state: merged
      loop: "{{ access_ports }}"
      when: ansible_network_os in ['ios', 'cisco.ios.ios']   # for NX-OS use the cisco.nxos equivalents

    - name: Configure trunk ports (explicit trunk, unused native VLAN, pruned VLAN list)
      cisco.ios.ios_l2_interfaces:
        config:
          - name: "{{ item.interface }}"
            mode: trunk
            trunk:
              encapsulation: dot1q
              native_vlan: "{{ native_vlan_id }}"
              allowed_vlans: "{{ allowed_trunk_vlans }}"
        state: merged
      loop: "{{ trunk_ports }}"
      when: ansible_network_os in ['ios', 'cisco.ios.ios']

    - name: Set descriptions and disable DTP (switchport nonegotiate) on every hardened port
      cisco.ios.ios_config:
        parents: "interface {{ item.interface }}"
        lines:
          - "description {{ item.description }}"
          - switchport nonegotiate
      loop: "{{ access_ports + trunk_ports }}"
      when: ansible_network_os in ['ios', 'cisco.ios.ios']

    - name: Enable Spanning-Tree PortFast and BPDU Guard on access ports
      cisco.ios.ios_config:
        parents: "interface {{ item.interface }}"
        lines:
          - spanning-tree portfast
          - spanning-tree bpduguard enable
      loop: "{{ access_ports }}"
      when: ansible_network_os in ['ios', 'cisco.ios.ios']

Inventory File Example (inventory.ini):

[cisco_switches]
switch1.example.com ansible_host=192.168.1.1
switch2.example.com ansible_host=192.168.1.2

[cisco_switches:vars]
; Sample credentials only; keep real ones in Ansible Vault rather than in plaintext
ansible_user=admin
ansible_password=cisco
ansible_network_os=ios
ansible_become=yes
ansible_become_method=enable
ansible_become_password=cisco

Running the Playbook: ansible-playbook -i inventory.ini vlan_security_hardening.yaml

10.6 Security Considerations

VLAN hopping is a serious threat because it directly undermines the fundamental security principle of network segmentation. When an attacker successfully hops VLANs, they can:

  • Access Restricted Data: Gain access to sensitive servers, databases, or user segments that should be isolated.
  • Launch Further Attacks: Use the newly accessed VLAN as a launchpad for other attacks (e.g., reconnaissance, privilege escalation, denial-of-service) against internal systems.
  • Evade IDS/IPS: Bypass security controls that are configured to monitor specific VLANs, as the attack traffic originates from an unexpected segment.
  • Cause Compliance Violations: Expose regulated data (e.g., under PCI DSS or HIPAA) through inadequate segmentation, leading to severe compliance penalties.

10.6.1 Mitigation Strategies (Consolidated)

  1. Disable DTP on all End-User Ports: Always configure end-user access ports as switchport mode access (Cisco) or interface-mode access (Juniper) and switchport nonegotiate (Cisco). This is the most critical step against switch spoofing.
  2. Explicitly Configure Trunk Links: Always configure inter-switch links as switchport mode trunk (Cisco) or interface-mode trunk (Juniper) and switchport nonegotiate (Cisco). Never rely on dynamic negotiation.
  3. Change the Native VLAN: On all 802.1Q trunk links, change the native VLAN to an unused VLAN ID (e.g., vlan 999) that is not assigned to any users or devices. Ensure this native VLAN is pruned from all trunk ports unless explicitly required. Coordinate this across all interconnected switches to avoid mismatches.
  4. Prune Unused VLANs from Trunks: Restrict the allowed VLANs on trunk links to only those absolutely necessary using switchport trunk allowed vlan (Cisco) or vlan members (Juniper). This limits the attacker’s reach even if they achieve trunk status.
  5. Avoid Using VLAN 1: VLAN 1 is the default native VLAN and often carries management traffic. It is best practice to avoid using VLAN 1 for any user or management data.
  6. Implement Port Security: On access ports, configure port security (e.g., sticky MAC addresses, maximum MAC addresses) to limit the number of devices or specific MAC addresses allowed, preventing unauthorized devices from connecting.
  7. Enable Spanning Tree Protocol (STP) Security Features:
    • BPDU Guard: Enable spanning-tree bpduguard enable on all access ports. This immediately err-disables a port if it receives a Bridge Protocol Data Unit (BPDU), preventing rogue switches from being introduced; spoofing tools that also emit BPDUs while impersonating a switch are caught the same way. DTP frames are not BPDUs, so BPDU Guard complements, rather than replaces, switchport nonegotiate.
    • Root Guard: Implement spanning-tree guard root on ports connecting to untrusted switches to prevent unauthorized devices from becoming the root bridge.
  8. Implement Private VLANs (PVLANs): For advanced segmentation, PVLANs can isolate ports within the same VLAN, preventing communication between devices on those ports even if they are in the same broadcast domain. This adds an extra layer of protection, particularly in environments with multiple tenants or untrusted devices.
  9. Network Access Control (NAC): Use NAC solutions (e.g., Cisco ISE, Aruba ClearPass) to authenticate devices and users before granting network access, dynamically assigning them to appropriate VLANs and enforcing policies.

10.7 Verification & Troubleshooting

After implementing countermeasures, thorough verification is essential.

10.7.1 Verification Commands

Cisco

# Verify port mode and DTP negotiation
show interfaces [interface-id] switchport

# Verify trunk allowed VLANs and native VLAN
show interfaces [interface-id] trunk

# Verify DTP status (omit "interface [interface-id]" to list every port)
show dtp interface [interface-id]

# Verify Spanning-tree PortFast and BPDU Guard
show spanning-tree interface [interface-id] detail

Expected Output for a Secure Access Port (Cisco):

Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off                  <-- CRITICAL: Must be Off
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 999 (VLAN0999)    <-- CRITICAL: Changed from default
Administrative Native VLAN tagging: enabled
Operational Native VLAN tagging: enabled
Voice VLAN: none
...
Link type: auto
PortFast: Enabled
BpduGuard: Enabled                          <-- CRITICAL: Must be Enabled
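An added example (not from the chapter): a Python checker that parses the `show interfaces <id> switchport` output shown above and reports settings that contradict the hardening guidance, so the verification can be scripted across many ports. The two sample outputs are constructed here (one modelled on the secure output above, one on a default port), and the function names are assumptions of the example.

```python
import re
from typing import Dict, List


def parse_switchport(text: str) -> Dict[str, str]:
    """Turn the 'Key: Value' lines of `show interfaces <id> switchport` into a
    dict; trailing '<-- ...' annotations and '...' lines are ignored."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()
        if not line or line == "..." or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def _vlan_id(value: str) -> int:
    """'999 (VLAN0999)' -> 999; 0 when the field is absent."""
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else 0


def audit_switchport(fields: Dict[str, str], expected_mode: str) -> List[str]:
    """Return findings that contradict the chapter's hardening guidance.

    expected_mode is 'access' or 'trunk' (what the port is supposed to be).
    """
    findings: List[str] = []
    admin_mode = fields.get("Administrative Mode", "").lower()
    if "dynamic" in admin_mode:
        findings.append(f"DTP mode '{admin_mode}' permits trunk negotiation (switch spoofing)")
    elif expected_mode == "access" and admin_mode != "static access":
        findings.append(f"expected 'static access', found '{admin_mode}'")
    elif expected_mode == "trunk" and admin_mode != "trunk":
        findings.append(f"expected 'trunk', found '{admin_mode}'")

    if fields.get("Negotiation of Trunking", "").lower() != "off":
        findings.append("Negotiation of Trunking is not Off (add 'switchport nonegotiate')")

    native = _vlan_id(fields.get("Trunking Native Mode VLAN", ""))
    if native == 1:
        findings.append("native VLAN is still the default VLAN 1 (double-tagging risk)")

    if expected_mode == "access":
        access = _vlan_id(fields.get("Access Mode VLAN", ""))
        if access and access == native:
            findings.append(f"access VLAN {access} equals the trunk native VLAN (double-tagging precondition)")
        bpdu = fields.get("BpduGuard")  # only present when the detail output is included
        if bpdu is not None and bpdu.lower() != "enabled":
            findings.append("BPDU Guard is not enabled on an access port")
    elif fields.get("Trunking VLANs Enabled", "").upper() == "ALL":
        findings.append("trunk carries ALL VLANs; prune with 'switchport trunk allowed vlan'")
    return findings


def audit_output(text: str, expected_mode: str) -> List[str]:
    return audit_switchport(parse_switchport(text), expected_mode)


# Constructed sample outputs (modelled on IOS output, not captured from the lab).
SECURE_ACCESS = """\
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off                  <-- CRITICAL: Must be Off
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 999 (VLAN0999)    <-- CRITICAL: Changed from default
Trunking VLANs Enabled: ALL
Voice VLAN: none
...
PortFast: Enabled
BpduGuard: Enabled
"""

DEFAULT_ACCESS = """\
Name: Gi1/0/3
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

if __name__ == "__main__":
    for label, text in [("secure", SECURE_ACCESS), ("default", DEFAULT_ACCESS)]:
        print(label, audit_output(text, "access"))
```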

Juniper

# Verify interface configuration (mode, native VLAN, allowed VLANs)
show configuration interfaces [interface-id]

# Verify operational status of interface and VLANs
show interfaces [interface-id] detail
show vlans

Expected Output for a Secure Trunk Port (Juniper):

Logical interface ge-0/0/2.0 (Index 62) (Hardware-Physical Interface ge-0/0/2)
    Flags: Up SNMP-Traps 0x40004000
    Link-level type: Ethernet, MTU: 1518, Speed: 1Gbps, Duplex: Full, Role: None, Port mode: Trunk
    VLAN-Tagging: Disabled, Tags: 4, Internal Tags: 10,20,30,999
    Native-VLAN-ID: 999                                   <-- CRITICAL: Changed from default
    BPDU-Protection: No, BPDU-Timeout: 0, BPDU-Action: None

10.7.2 Common Issues & Resolution

Issue: Native VLAN Mismatch
  • Symptoms: Trunk links flap, traffic loss for the native VLAN, warning messages on the console.
  • Debug Commands (Cisco): show interfaces trunk
  • Resolution Steps: Ensure switchport trunk native vlan X (Cisco) or native-vlan-id X (Juniper) is consistent on both ends of the trunk.

Issue: DTP Still Active (Cisco)
  • Symptoms: Port unexpectedly forms a trunk; Negotiation of Trunking: On.
  • Debug Commands (Cisco): show interfaces [id] switchport
  • Resolution Steps: Ensure switchport mode access (access ports) or switchport mode trunk (trunks) together with switchport nonegotiate is configured.

Issue: BPDU Guard Err-Disabled
  • Symptoms: Access port goes down, LED turns off, err-disabled status.
  • Debug Commands (Cisco): show interfaces status err-disabled
  • Resolution Steps: Identify the rogue device, remove it, and shutdown/no shutdown the interface to recover. Investigate the cause.

Issue: VLAN Pruning Too Aggressive
  • Symptoms: Devices in an allowed VLAN cannot communicate across a trunk.
  • Debug Commands (Cisco): show interfaces trunk
  • Resolution Steps: Verify switchport trunk allowed vlan (Cisco) or vlan members (Juniper) includes all necessary VLANs.

Issue: Double Tagging Still Possible
  • Symptoms: (Difficult to detect directly) Suspected unauthorized traffic.
  • Debug Commands: show interfaces trunk (Cisco), show vlans (Juniper)
  • Resolution Steps: Ensure the native VLAN is an unused ID and is pruned. Avoid VLAN 1.

Root Cause Analysis: When troubleshooting, always verify the physical layer first. Then, systematically check Layer 2 configurations:

  1. Interface Mode: Is it access or trunk? Is DTP disabled?
  2. VLAN Assignment: Is the correct VLAN assigned to the access port? Are the correct VLANs allowed on the trunk?
  3. Native VLAN: Is the native VLAN consistent and a non-critical ID on all trunks?
  4. Security Features: Are BPDU Guard, PortFast, and other features configured as intended?
  5. Logging: Check switch logs for error messages related to DTP, STP, or port security violations.

10.8 Performance Optimization

While security is the primary focus of this chapter, some countermeasures can also indirectly contribute to performance optimization:

  • VLAN Pruning: By restricting allowed VLANs on trunks, you prevent unnecessary broadcast, unknown unicast, and multicast traffic for VLANs that don’t have active members on a particular switch. This reduces congestion on trunk links and improves overall network efficiency. VLAN pruning is a critical component of security as well, limiting the attack surface of VLAN hopping.
  • Reduced Broadcast Domains: The fundamental benefit of VLANs is reducing broadcast traffic. By preventing VLAN hopping, you ensure these smaller broadcast domains remain isolated, maintaining efficiency.
  • Efficient STP Operation: Properly configured STP security features like BPDU Guard and Root Guard prevent network loops caused by rogue devices, which can severely degrade performance.

Monitoring Recommendations:

  • SNMP Monitoring: Monitor interface status, traffic statistics, and error-disabled port counts.
  • Syslog Alerts: Configure switches to send syslog messages for DTP negotiations (if still enabled on some ports), BPDU Guard violations, port security violations, and native VLAN mismatch warnings.
  • NetFlow/IPFIX: For deeper traffic visibility to detect anomalous traffic patterns that might indicate a successful VLAN hopping attempt.
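An added example (not from the chapter) of the syslog alerting recommended above: Python rules that match the IOS messages for native VLAN mismatch, DTP trunk formation, BPDU Guard and port security violations. The message texts are modelled on the standard IOS formats, the sample log lines are constructed rather than captured, and the function names are assumptions of the example.

```python
import re
from typing import Dict, List

# Constructed sample syslog lines, modelled on IOS message formats (not a lab capture).
SAMPLE_SYSLOG = """\
Mar  1 10:02:11.512: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/24 (999), with Core_Switch GigabitEthernet1/0/24 (1).
Mar  1 10:04:20.118: %DTP-5-TRUNKPORTON: Port Gi1/0/1 has become dot1q trunk
Mar  1 10:05:43.001: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/1 with BPDU Guard enabled. Disabling port.
Mar  1 10:07:10.220: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/2.
Mar  1 10:08:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
"""

# (pattern, alert name, severity); every pattern captures the interface as 'iface'.
RULES = [
    (re.compile(r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
                r"(?P<iface>[\w/-]+) \((?P<local_vlan>\d+)\), with (?P<peer>\S+) "
                r"(?P<peer_iface>[\w/-]+) \((?P<peer_vlan>\d+)\)"),
     "native-vlan-mismatch", "high"),
    # On a user-facing port this means DTP negotiation succeeded (switch spoofing).
    (re.compile(r"%DTP-5-TRUNKPORTON: Port (?P<iface>[\w/-]+) has become \S+ trunk"),
     "dtp-trunk-formed", "high"),
    (re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<iface>[\w/-]+)"),
     "bpdu-guard-triggered", "high"),
    (re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .* MAC address (?P<mac>[0-9a-f.]+) "
                r"on port (?P<iface>[\w/-]+)"),
     "port-security-violation", "medium"),
]

_PREFIXES = {"Gi": "GigabitEthernet", "Fa": "FastEthernet",
             "Te": "TenGigabitEthernet", "Po": "Port-channel"}


def canonical_iface(name: str) -> str:
    """Expand IOS short names (Gi1/0/1) to the long form other messages use."""
    m = re.match(r"([A-Za-z-]+)(\d.*)", name)
    if not m:
        return name
    prefix, rest = m.groups()
    return _PREFIXES.get(prefix, prefix) + rest


def scan_syslog(text: str) -> List[Dict[str, str]]:
    """Match every line against RULES; return one alert dict per hit."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        for pattern, name, severity in RULES:
            m = pattern.search(line)
            if m:
                alert = {"alert": name, "severity": severity, "line": line.strip()}
                alert.update(m.groupdict())
                alert["iface"] = canonical_iface(alert["iface"])
                alerts.append(alert)
                break
    return alerts


def alerts_by_interface(alerts: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group alert names per interface so one port's history is visible at a glance."""
    grouped: Dict[str, List[str]] = {}
    for alert in alerts:
        grouped.setdefault(alert["iface"], []).append(alert["alert"])
    return grouped


if __name__ == "__main__":
    found = scan_syslog(SAMPLE_SYSLOG)
    for a in found:
        print(a["severity"], a["alert"], a["iface"])
    print(alerts_by_interface(found))
```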

10.9 Hands-On Lab

This lab simulates a basic vulnerable setup and then walks you through applying the recommended countermeasures.

10.9.1 Lab Topology

nwdiag {
  network VLAN_10_Attacker {
    address = "10.0.10.0/24"
    Attacker_PC [address = "10.0.10.10", color = "red"];
    Access_Switch [address = "10.0.10.1"];
  }

  network VLAN_20_Target {
    address = "10.0.20.0/24"
    Target_Server [address = "10.0.20.20", color = "blue"];
    Core_Switch [address = "10.0.20.1"];
  }

  network Inter_Switch_Link {
    Access_Switch;
    Core_Switch;
  }

  Attacker_PC -- Access_Switch [label = "Access Port Gi1/0/1"];
  Access_Switch -- Core_Switch [label = "Trunk Link Gi1/0/24"];
  Core_Switch -- Target_Server [label = "Access Port Gi1/0/1"];
}

Lab Components:

  • Two Cisco Catalyst/IOS-XE virtual switches (or physical).
  • One Attacker PC (e.g., Kali Linux VM) connected to Access_Switch Gi1/0/1.
  • One Target Server (e.g., Ubuntu Server VM) connected to Core_Switch Gi1/0/1.
  • IP Addresses:
    • Attacker PC: 10.0.10.10/24, Gateway 10.0.10.1 (Access_Switch SVI for VLAN 10)
    • Target Server: 10.0.20.20/24, Gateway 10.0.20.1 (Core_Switch SVI for VLAN 20)

10.9.2 Objectives

  1. Configure the initial vulnerable network.
  2. Demonstrate a VLAN hopping attack (e.g., using Yersinia on Attacker PC).
  3. Apply countermeasures for switch spoofing.
  4. Apply countermeasures for double tagging.
  5. Verify the effectiveness of the countermeasures.

10.9.3 Step-by-Step Configuration (Cisco)

Initial Vulnerable Setup:

! On Access_Switch
configure terminal
hostname Access_Switch
!
vlan 10
 name ATTACKER_VLAN
vlan 20
 name TARGET_VLAN
!
interface GigabitEthernet1/0/1
 description Attacker_PC_Vulnerable_Port
 ! VULNERABLE TO SWITCH SPOOFING: DTP will form a trunk with any neighbour
 ! that announces itself as a switch
 switchport mode dynamic auto
 switchport access vlan 10
 no shutdown
!
interface GigabitEthernet1/0/24
 description Uplink_to_Core_Trunk
 switchport trunk encapsulation dot1q
 ! VULNERABLE TO DTP NEGOTIATION: trunk state is negotiated, not fixed
 switchport mode dynamic desirable
 no shutdown
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 no shutdown
!
ip routing
end

! On Core_Switch
configure terminal
hostname Core_Switch
!
vlan 10
 name ATTACKER_VLAN
vlan 20
 name TARGET_VLAN
!
interface GigabitEthernet1/0/1
 description Target_Server_Port
 switchport mode access
 switchport access vlan 20
 no shutdown
!
interface GigabitEthernet1/0/24
 description Downlink_to_Access_Trunk
 switchport trunk encapsulation dot1q
 ! VULNERABLE TO DTP NEGOTIATION: trunk state is negotiated, not fixed
 switchport mode dynamic auto
 no shutdown
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 no shutdown
!
ip routing
end

Pre-Attack Verification:

  1. From Attacker PC, ping 10.0.10.1 (Access_Switch SVI) - Should work.
  2. From Attacker PC, ping 10.0.20.20 (Target Server) - Should fail (due to VLAN isolation).

Perform Switch Spoofing Attack:

  1. On Attacker PC (Kali Linux), install Yersinia (apt-get install yersinia).
  2. Run Yersinia in GTK mode: yersinia -G.
  3. Go to the DTP tab. Select your network interface.
  4. Click “Launch Attack” -> “DTP” -> “Enable Trunking”.
  5. Observe the console of Access_Switch. You should see log messages indicating a trunk forming with the attacker’s MAC address.
  6. Now, on Attacker PC, configure a sub-interface for VLAN 20 (e.g., ip link add link eth0 name eth0.20 type vlan id 20; ip addr add 10.0.20.x/24 dev eth0.20; ip link set dev eth0.20 up).
  7. Ping 10.0.20.20 from Attacker PC. It should now work, demonstrating successful VLAN hopping.

Apply Countermeasures:

! On Access_Switch
configure terminal
! Countermeasure: create an otherwise unused VLAN to serve as the trunk native VLAN
vlan 999
 name UNUSED_NATIVE_VLAN
exit
!
interface GigabitEthernet1/0/1
 description Attacker_PC_Secured_Access_Port
 ! Countermeasure: force access mode and disable DTP explicitly
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! Countermeasure: treat the port as an edge port and err-disable it on any BPDU
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
interface GigabitEthernet1/0/24
 description Secured_Uplink_to_Core_Trunk
 ! Countermeasure: static dot1q trunk with DTP disabled
 ! (the encapsulation must be set before 'mode trunk' on platforms that also support ISL)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ! Countermeasure: prune the trunk to the VLANs it must carry
 switchport trunk allowed vlan 10,20
 ! Countermeasure: move the native VLAN off VLAN 1 to the unused VLAN
 switchport trunk native vlan 999
 no shutdown
end

! On Core_Switch (synchronize trunk settings)
configure terminal
! Countermeasure: the native VLAN must match on both ends of the trunk
vlan 999
 name UNUSED_NATIVE_VLAN
exit
!
interface GigabitEthernet1/0/24
 description Secured_Downlink_to_Access_Trunk
 ! Countermeasure: static dot1q trunk with DTP disabled (encapsulation before mode)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ! Countermeasure: prune unused VLANs and move the native VLAN off VLAN 1
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 no shutdown
end

10.9.4 Verification Steps (Post-Countermeasures)

  1. Stop Yersinia attack on Attacker PC. Remove the configured sub-interface (ip link delete eth0.20).
  2. Verify trunk status on Access_Switch Gi1/0/1 and Gi1/0/24, and Core_Switch Gi1/0/24 using show interfaces [id] switchport.
    • Negotiation of Trunking should be Off.
    • Native VLAN should be 999.
    • Access ports should be static access.
  3. Attempt Switch Spoofing Attack again from Attacker PC.
    • Yersinia should fail to establish a trunk.
    • Access_Switch Gi1/0/1 might go into err-disabled state if BPDU Guard is triggered (this is good!).
  4. Attempt Double Tagging: From Attacker PC, craft a double-tagged frame (e.g., using scapy in Python). Outer tag to Attacker VLAN (10), Inner tag to Target VLAN (20).
    • The packet should not reach the Target Server.
  5. Test legitimate connectivity: From Attacker PC, ping 10.0.10.1. From Target Server, ping 10.0.20.1. Pings between VLANs should still require routing.
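A frame inspector for step 4, added here as an example that is not part of the chapter's lab: it walks the 802.1Q tag stack of a raw Ethernet frame (for instance one captured from a SPAN session on the trunk) and flags stacked tags, so you can confirm from the capture which frames carried a second tag. The sample frames and MAC addresses are constructed; native VLAN 999 and allowed VLANs 10,20 are the lab's values.

```python
import struct

TAG_TPIDS = {0x8100, 0x88A8}   # 802.1Q and 802.1ad (QinQ) tag protocol identifiers

def parse_vlan_tags(frame):
    """Walk the 802.1Q tag stack of a raw Ethernet frame.
    Returns (vlan_ids outer-to-inner, ethertype of the payload, payload offset)."""
    off, vlans = 12, []            # skip destination and source MAC
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame at offset %d" % off)
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype not in TAG_TPIDS:
            return vlans, ethertype, off
        if off + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vlans.append(tci & 0x0FFF)  # VLAN ID is the low 12 bits of the TCI

def classify(frame, native_vlan, allowed_vlans):
    """Verdict for one frame seen on the trunk; anything but 'ok' deserves a look."""
    vlans, ethertype, _ = parse_vlan_tags(frame)
    if len(vlans) >= 2:
        return "ALERT double-tagged frame: outer VLAN %d, inner VLAN %d" % (vlans[0], vlans[1])
    if not vlans:
        return "WARN untagged frame: would be placed in native VLAN %d" % native_vlan
    if vlans[0] == native_vlan:
        return "WARN frame tagged with the native VLAN %d" % native_vlan
    if vlans[0] not in allowed_vlans:
        return "WARN VLAN %d is not in the trunk's allowed list" % vlans[0]
    return "ok VLAN %d, ethertype 0x%04x" % (vlans[0], ethertype)

# Constructed sample frames (not a capture); MAC addresses are placeholders.
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
PAYLOAD = struct.pack("!H", 0x0806) + b"\x00" * 28   # ARP ethertype plus a dummy body

def tag(vlan_id):
    """One 802.1Q header: TPID 0x8100, PCP/DEI zero, VLAN ID in the low 12 bits."""
    return struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)

FRAME_SINGLE = DST + SRC + tag(20) + PAYLOAD            # normal VLAN 20 traffic
FRAME_DOUBLE = DST + SRC + tag(10) + tag(20) + PAYLOAD  # the step 4 test frame
FRAME_UNTAGGED = DST + SRC + PAYLOAD                    # lands in the native VLAN

if __name__ == "__main__":
    for name, frame in [("single", FRAME_SINGLE), ("double", FRAME_DOUBLE), ("untagged", FRAME_UNTAGGED)]:
        print(name, "->", classify(frame, native_vlan=999, allowed_vlans={10, 20}))
```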

10.9.5 Challenge Exercises

  1. Configure port security on Access_Switch Gi1/0/1 to allow only one MAC address. Test what happens when a second MAC address attempts to connect.
  2. Modify the lab to use Juniper switches. Implement the same countermeasures using Junos OS commands.
  3. Write an Ansible playbook to configure Access_Switch and Core_Switch with the secure settings.

10.10 Best Practices Checklist

  • Disable DTP on all access ports (switchport mode access + switchport nonegotiate).
  • Disable DTP on all trunk ports (switchport mode trunk + switchport nonegotiate).
  • Change the Native VLAN on all trunk ports to an unused VLAN ID (e.g., vlan 999).
  • Prune Unused VLANs from all trunk links (switchport trunk allowed vlan).
  • Avoid using VLAN 1 for any user or management traffic.
  • Enable BPDU Guard on all access ports.
  • Enable PortFast on all access ports.
  • Implement Port Security on access ports to control connected devices.
  • Regularly Audit VLAN configurations for compliance and vulnerabilities.
  • Use Network Access Control (NAC) for dynamic VLAN assignment and policy enforcement.
  • Document your VLAN design, native VLAN assignments, and security configurations.
  • Automate VLAN security configurations to ensure consistency and scalability.
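To turn the checklist into something you can run against a saved running-config, here is an added Python audit script (not from the chapter): it checks the DTP, native VLAN, pruning, BPDU Guard, PortFast and port security items for every switchport, exercised on constructed excerpts modelled on the lab's Access_Switch before and after hardening. It assumes IOS-style indentation and does not evaluate the NAC, VLAN 1 avoidance, auditing or documentation items.

```python
import re
# (mode it applies to, or None for any; required command prefix; finding when absent)
REQUIRED = [
    (None, "switchport nonegotiate", "DTP not explicitly disabled (no 'switchport nonegotiate')"),
    ("access", "spanning-tree bpduguard enable", "BPDU Guard not enabled"),
    ("access", "spanning-tree portfast", "PortFast not enabled"),
    ("access", "switchport port-security", "port security not configured"),
    ("trunk", "switchport trunk allowed vlan ", "no VLAN pruning (all VLANs allowed)"),
]

# An interface stanza: the 'interface' line plus every indented line that follows it.
STANZA_RE = re.compile(r"^interface (\S+)\n((?:[ \t].*\n?)*)", re.M)

def interfaces(config_text):
    """Yield (name, [commands]) for each interface stanza of an IOS-style config."""
    for name, body in STANZA_RE.findall(config_text):
        yield name, [ln.strip() for ln in body.splitlines()]

def audit(config_text):
    """Return {interface: [findings]} for every switchport that misses a checklist item."""
    report = {}
    for name, cmds in interfaces(config_text):
        if not any(c.startswith("switchport") for c in cmds):
            continue  # routed port or SVI
        # absent 'switchport mode' means the platform default, which is DTP dynamic
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), "dynamic")
        f = ["DTP negotiation enabled (dynamic mode)"] if mode == "dynamic" else []
        f += [msg for m, prefix, msg in REQUIRED
              if m in (None, mode) and not any(c.startswith(prefix) for c in cmds)]
        native = next((c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan ")), "1")
        if mode == "trunk" and native == "1":
            f.append("native VLAN left at VLAN 1 (double tagging risk)")
        if f:
            report[name] = f
    return report

# Constructed excerpts modelled on the lab's Access_Switch before and after hardening.
VULNERABLE = "interface GigabitEthernet1/0/1\n switchport mode dynamic auto\n switchport access vlan 10\n"
SECURED = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
"""
```

Running `audit(SECURED)` still reports the access port for missing port security, which is exactly challenge exercise 1 above.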

10.12 What’s Next

This chapter has equipped you with a deep understanding of VLAN hopping attacks and the essential strategies to defend against them, solidifying your network’s foundational security. We explored the technical nuances of switch spoofing and double tagging, implemented multi-vendor configurations, and highlighted the role of automation in maintaining a secure network posture.

In the next chapter, we will expand our focus beyond Layer 2 segmentation. We will delve into Chapter 11: Inter-VLAN Routing and Layer 3 Segmentation, where you will learn how to enable communication between different VLANs securely, implement access control lists (ACLs) for granular traffic filtering, and explore advanced routing techniques that enhance both connectivity and security across your segmented network.