VLAN Hopping

VLAN hopping is a network attack whereby an end system sends out packets destined for a system on a different VLAN that it cannot normally reach. Typically, for a device to reach another device in a different VLAN, a Layer 3 device such as a router or Layer 3-aware switch is required. The attacker manipulates the frame and sends the traffic tagged with a different VLAN ID. The attacker may even attempt to act as a trunk port and send 802.1q frames with data encapsulated inside them.

Switch spoofing is a common technique whereby the attacker emulates a trunk port by using InterSwitch Link (ISL) or 802.1q frames. By using this method, the attacker can become a member of any VLAN configured in the VLAN Trunking Protocol (VTP) domain.

To mitigate this form of attack, it is highly recommended to turn off trunking on all ports that will not be enabled for Cisco ISL or the IEEE 802.1q trunking methods.

Attackers may even use a double tagging mechanism whereby the initial frame carries two 802.1q headers, so that when the first switch removes the outer header, the frame presented to the next device still carries an 802.1q header, as Figure 3-8 demonstrates.

Figure 3-8 Double Tagging 802.1q Method

[Figure: a frame laid out as 802.1q tag, 802.1q tag, FRAME, CRC; after the first switch, the same frame laid out as 802.1q tag, FRAME, CRC, annotated "First 802.1q tag removed."]

Figure 3-8 shows the double tagging method, in which the transmitted frames carry two 802.1q (or ISL) headers in order to have the frames forwarded onto the wrong VLAN. The first switch to encounter the double-tagged frame (1) strips the outer tag off the frame and forwards it. The result is that the frame is forwarded with the inner 802.1q tag still attached out the switch ports (2), including trunk ports whose native VLAN matches the network attacker's VLAN. The second switch then forwards the frame to the destination based on the VLAN identifier in the second 802.1q header. This enables a device in one VLAN to communicate with a device in a separate VLAN. This is an extremely vulnerable situation for your network, because your frames no longer pass through the legitimate Layer 3 device but instead reach a rogue device, where all sorts of sensitive data could be compromised.

To mitigate this potential issue, trunking should be disabled on every port that is not intended to be a trunk, and those ports should be configured as access ports or interfaces that only permit end devices such as PCs or Voice over IP (VoIP) phones.
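The double-tagged frame layout that Figure 3-8 describes can be recognised in captured traffic by walking the 802.1q tag stack. The following Python is an added example, not code from the book, and the frames, MAC addresses and the native VLAN of 1 are constructed sample values; it reports frames that carry two tags with an outer tag equal to the trunk's native VLAN, which is the condition the double tagging method depends on.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that introduces an 802.1q tag
MAC_HEADER_LEN = 12       # destination MAC + source MAC


def parse_vlan_tags(frame: bytes):
    """Walk the 802.1q tag stack of a raw Ethernet frame.

    Returns (vlan_ids, inner_ethertype, payload). Each tag is 4 bytes:
    TPID 0x8100 followed by the TCI, whose low 12 bits are the VLAN ID.
    """
    if len(frame) < MAC_HEADER_LEN + 2:
        raise ValueError("frame too short for an Ethernet header")
    vlan_ids = []
    offset = MAC_HEADER_LEN
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == ETHERTYPE_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return vlan_ids, ethertype, frame[offset + 2:]


def inspect_frame(frame: bytes, native_vlan: int) -> dict:
    """Classify a frame seen on a user-facing port. Two tags with the outer
    tag equal to the native VLAN is the double tagging pattern: the first
    switch strips the outer tag and the inner one survives to the next hop."""
    vlan_ids, ethertype, _ = parse_vlan_tags(frame)
    return {
        "vlan_ids": vlan_ids,
        "ethertype": ethertype,
        "double_tagged": len(vlan_ids) >= 2,
        "outer_is_native": bool(vlan_ids) and vlan_ids[0] == native_vlan,
    }


# Constructed sample frames (not captured traffic): broadcast destination,
# a documentation-range source MAC, IPv4 ethertype and a 4-byte dummy payload.
DOUBLE_TAGGED = bytes.fromhex(
    "ffffffffffff" "00005e005301"
    "81000001"   # outer tag, VID 1 (the assumed native VLAN)
    "81000014"   # inner tag, VID 20 (the VLAN the frame ends up on)
    "0800" "00000000")
SINGLE_TAGGED = bytes.fromhex("ffffffffffff" "00005e005301" "81000014" "0800" "00000000")
UNTAGGED = bytes.fromhex("ffffffffffff" "00005e005301" "0800" "00000000")
```

Any tagged frame arriving on a port configured as an access port is already worth alerting on; the two-tag check above singles out the case the figure illustrates.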

Another common technique is to disable all ports not in use on the particular switch in question. Example 3-42 displays the Catalyst OS and IOS configurations that disable trunking.

Example 3-42 Disable Trunk Ports on Catalyst OS and IOS Switches

! Catalyst OS
CatOS> (enable) set trunk mod_num/port_num off

! IOS-based switches
IOS(config-if)# switchport mode access
