Security: VLAN attack and additional layer of network security

VLAN security means organizing VLAN usage so that a host cannot read traffic from any VLAN other than the ones it is explicitly allowed to access. It is commonly assumed that isolating traffic inside a single VLAN makes it absolutely impossible for other network members without direct access to that VLAN to view it, let alone modify it. In practice this is only partially true. If a switch is misconfigured, there are several ways to make it deliver the tagged traffic of many VLANs to a port instead of the traffic of a single VLAN. Note that this is only possible when the switch is configured incorrectly.


Most often, VLAN technology is used to place computers that are connected to different physical routers into a single subnet (e.g. machines located in different offices). From an information security point of view, however, it also has many advantages. Not only does it protect a device on one subnet from unauthorized access from another, it also makes security policies easier to manage, because a policy can be applied to an entire subnet rather than to individual devices.

To make full use of VLANs you need professional networking equipment. However, some home routers, such as Keenetic, also support this technology.

Any packet transmitted between VLANs must pass through a router or another layer 3 device. Security is one of the many reasons network administrators deploy VLANs. With a technique known as "VLAN hopping", however, an attacker can bypass this separation.

VLAN Hopping

In the first variant, the attacker sends a DTP (Dynamic Trunking Protocol) packet through their port, telling the switch that the port is a trunk (i.e. that tagged traffic from multiple VLANs should be transmitted through it). This only works if the port is configured to negotiate trunking; otherwise the switch does not act on such frames.

This type of exploit allows an attacker to bypass the layer 2 restrictions created to separate hosts. If the switch port is configured correctly, the attacker has to go through the router and any other layer 3 devices to reach the target. However, many networks either have poor VLAN implementations or have misconfigurations that allow this attack. In this article I will discuss the two major VLAN hopping methods, known as switch spoofing and double tagging. I will then talk about mitigation.

Switched Network

To find and exploit switch vulnerabilities it is critical to understand how switches work. What we operate on is not so much the device itself as the protocols and configurations that govern its behaviour.

A switch port is configured either as an access port or as a trunk port. An access port is typically used where a host connects to the switch; with VLANs in use, each access port is assigned to exactly one VLAN. A trunk port is used where two switches, or a switch and a router, are connected; trunk ports carry traffic from multiple VLANs. A trunk port can be configured manually or negotiated dynamically using the Dynamic Trunking Protocol (DTP).

DTP is a proprietary Cisco protocol whose purpose is to dynamically establish a trunk link between two switches.

Switch Spoofing VLAN Attack

The attacker acts as a switch to trick a legitimate switch into forming a trunk link between them. As mentioned earlier, packets from any VLAN can pass through a trunk, so once the trunk is established the attacker has access to traffic from any VLAN. The attack only succeeds if the target switch is configured to negotiate trunking, which is the case when the interface is in "dynamic desirable", "dynamic auto" or "trunk" mode. If the target switch port is in one of these modes, the attacker can generate a DTP message from their computer and a trunk link will be formed.

Double Tagging

Double tagging occurs when an attacker adds and manipulates the 802.1Q tags on an Ethernet frame so that the frame is delivered into another VLAN. The attack takes advantage of how many switches handle tags: most switches strip only the outer tag and forward the frame out over their native VLAN ports. Because of this, the exploit only works if the attacker's access VLAN is the native VLAN of the trunk. Another important point is that this attack is strictly one-way, since the return packet cannot be encapsulated in the same way.

VLAN Hopping Exploit


In this scenario there is an attacker, a switch and a target server. The attacker connects to the switch's FastEthernet 0/12 interface; the target server connects to the FastEthernet 0/11 interface and is part of VLAN 2. Take a look at the following topology.

Once you are familiar with the topology, take a look at some of the configuration applied on the switch:

interface FastEthernet0/11
 switchport mode access
 switchport nonegotiate
 switchport access vlan 2

interface FastEthernet0/12
 switchport mode dynamic auto

I hope you see the configuration problem with the fa0/12 interface. This port is configured to negotiate with whatever connects to it in order to decide whether it becomes an access port or a trunk port. This means an attacker can perform a switch spoofing attack: after connecting to the port, they send a DTP message and a trunk link is established.

The attacker can use Yersinia to craft and send a DTP message. Yersinia is a penetration testing framework designed to attack many layer 2 protocols. It comes preinstalled with Kali Linux and has an easy-to-use graphical user interface (GUI).

Yersinia Homepage –

To run Yersinia:


Here’s a quick look at the graphical interface:


Now sending a DTP message is as easy as the following four steps:

  1. Click "Launch attack".
  2. Click the "DTP" tab.
  3. Click "enable trunking".
  4. Click "OK".

Yersinia will send a DTP message and within a few seconds a trunk link will be established. In our scenario the attacker now has access to all traffic passing through VLAN 2 and can attack the target directly, without passing through any layer 3 device.

Scenario 2 – Double Tagging Attack

In this scenario there is an attacker, two switches and a target server. The attacker is connected to switch 1, switch 1 is connected to switch 2, and our target is connected to switch 2. Take a look at the following topology.

Once you are familiar with the topology, take a look at some of the configuration applied on switch 1:

interface FastEthernet0/12
 switchport mode access
 switchport nonegotiate
 switchport access vlan 1

interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 1

From this configuration we can see that the attacker cannot perform a switch spoofing attack. However, we can also see that the attacker's access VLAN (VLAN 1) is the native VLAN of the trunk port. This means the topology is vulnerable to a double tagging attack.

The attacker can use Scapy to craft the specially constructed frames this attack needs. Scapy is a Python program for building and manipulating packets.

Scapy Homepage –

Scapy Documentation – //

Start Scapy:

sudo ./scapy

Use the sendp() function to craft and send the frame:

>>> sendp(Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=2)/IP(dst='<destination IP>', src='<source IP>')/ICMP())

This builds a double 802.1Q-encapsulated frame destined for the target on VLAN 2. Take a look at the following topology to see how the switches handle this frame.
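To make the frame produced by the sendp() call above concrete from the defender's side, here is an added example (not part of the original article and not Scapy code): a small pure-Python 802.1Q parser that walks the tag stack of a raw Ethernet frame and flags what a monitoring point on a SPAN port or a packet capture would want to notice, namely double-tagged frames, frames whose outer tag is the trunk's native VLAN, and tagged frames arriving on an access port. The MAC addresses, the sample frames and the native VLAN of 1 are constructed for the example; build_frame() exists only to create that sample input.

```python
import struct

# EtherTypes that introduce a VLAN tag. 0x8100 is the IEEE 802.1Q tag used in the
# article; 0x88A8 (IEEE 802.1ad service tag) is also recognised so stacked
# provider tags are not missed.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_8021AD = 0x88A8
VLAN_ETHERTYPES = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dst_mac, src_mac, vlan_ids, ethertype, payload):
    """Assemble an Ethernet frame with zero or more stacked 802.1Q tags.
    Used here only to construct sample input; a real detector reads frames
    from a capture."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for vid in vlan_ids:
        # TPID 0x8100 followed by the TCI: PCP=0, DEI=0, VID in the low 12 bits
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    frame += struct.pack("!H", ethertype) + payload
    return frame


def parse_vlan_stack(frame):
    """Walk the tag stack of a raw Ethernet frame.
    Returns (dst_mac, src_mac, [VLAN ids from outer to inner], payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    offset = 12
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        offset += 2
        if ethertype not in VLAN_ETHERTYPES:
            return dst, src, vlan_ids, ethertype
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset:offset + 2])
        offset += 2
        vlan_ids.append(tci & 0x0FFF)


def inspect_frame(frame, native_vlan=1, access_port=False):
    """Return a list of findings for one frame as seen on a given port.
    native_vlan: the trunk's native VLAN (assumed 1, as in scenario 2 of the article).
    access_port: True if the frame arrived on an access port, where no tag is expected."""
    _, src, vlan_ids, _ = parse_vlan_stack(frame)
    findings = []
    if len(vlan_ids) >= 2:
        findings.append(f"double-tagged frame from {src}: outer VLAN {vlan_ids[0]}, inner VLAN {vlan_ids[1]}")
    if vlan_ids and vlan_ids[0] == native_vlan:
        findings.append(f"outer tag carries the native VLAN {native_vlan}; the next switch will strip it")
    if access_port and vlan_ids:
        findings.append(f"tagged frame received on an access port (VLAN {vlan_ids[0]})")
    return findings


# Constructed sample frames (not real captures). The first one has the layout the
# article's sendp() call produces: outer tag VLAN 1, inner tag VLAN 2, IPv4 payload.
IPV4_STUB = bytes([0x45]) + bytes(19)   # placeholder for a minimal 20-byte IPv4 header
DOUBLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 2], ETHERTYPE_IPV4, IPV4_STUB)
SINGLE_TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [2], ETHERTYPE_IPV4, IPV4_STUB)
UNTAGGED_ARP = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [], ETHERTYPE_ARP, bytes(28))

if __name__ == "__main__":
    for name, frame in [("double", DOUBLE_TAGGED), ("single", SINGLE_TAGGED), ("untagged", UNTAGGED_ARP)]:
        print(name, parse_vlan_stack(frame)[2], inspect_frame(frame, native_vlan=1, access_port=True))
```

The useful rule for a detector is the second one: a frame whose outer tag equals the native VLAN of the trunk it is about to cross is the precondition for the hop, regardless of what the inner tag says, and a tagged frame on an access port should never occur at all.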


You can see in the figure that switch 1 reads and strips only the outer tag. It checks that this tag matches the VLAN the host belongs to (VLAN 1) and forwards the frame out all its VLAN 1 ports, including the trunk to switch 2; because VLAN 1 is the native VLAN of that trunk, the frame leaves without an outer tag and only the inner tag remains. Switch 2 then receives a frame carrying a single tag, assumes the frame belongs to the VLAN declared in that tag (VLAN 2) and forwards it to all ports configured for VLAN 2. The target receives the packet sent by the attacker.

VLAN = HOPPED.

Segmentation of the local network

One of the most effective ways to protect business units that handle critical information from the risk of infection is to break the corporate network down into several autonomous subnets. Segmentation can isolate individual computers or groups of computers from other devices.

Ideally, all potentially dangerous departments would be physically isolated: you would install several routers and use them to divide the corporate network into separate subnets. This, however, has serious drawbacks: firstly, additional equipment means additional cost, and secondly, making changes to an already built network infrastructure is always a pain for system administrators.

An alternative and simpler option is to use VLANs, i.e. to build several logical networks on top of one physical network without changing the equipment. VLANs are configured in software, so there is no need to change even the cable layout.

No segmentation of one…

Of course, using VLANs is not a panacea. It only reduces the chance of infecting critical hosts; the "risk zone" itself is not protected by it in any way.
Therefore, to be safe, it will not be superfluous to:

  • Raise your staff's security awareness and regularly remind them to be careful when handling suspicious emails.
  • Regularly update the software on workstations, network and other devices so that attackers cannot penetrate your infrastructure through long-known vulnerabilities.
  • Use robust security solutions on workstations and servers that detect and disinfect malware.

How to protect against it?

To prevent a switch spoofing attack, you need to perform a few steps:

  • Do not configure any access port with the "dynamic desirable", "dynamic auto" or "trunk" mode.
  • Configure access ports manually and disable DTP on all access ports:
      switchport mode access
      switchport nonegotiate
  • Configure all trunk ports manually and disable DTP on all trunk ports:
      switchport mode trunk
      switchport nonegotiate
  • Shut down all interfaces that are not currently in use.


To prevent double tagging attacks, set the native VLAN on all trunk ports to a dedicated VLAN that is not used by any access port. Switches were not designed with security in mind, so it is important to apply security measures at every layer. If you are going to spend time segmenting the network, make sure it is done correctly and securely. Be careful when setting up your network.
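As an added illustration of the checks listed above (this is not code from the article), the following script audits an IOS-style running-config text for the two weaknesses the article describes: ports that still negotiate trunking via DTP (switch spoofing), and trunks whose native VLAN is left at 1 or coincides with a VLAN used by access ports (double tagging). The sample config is constructed for the example and reuses the port configurations from the two scenarios; the assumption that a port with no explicit switchport mode falls back to "dynamic auto" holds for many Catalyst models but should be verified for your platform.

```python
import re

# Constructed sample running-config (not taken from any real device). It repeats
# the port configurations from the article's scenarios and adds a few more
# ports so that every check below has something to fire on.
SAMPLE_CONFIG = """\
interface FastEthernet0/11
 switchport mode access
 switchport nonegotiate
 switchport access vlan 2
!
interface FastEthernet0/12
 switchport mode dynamic auto
!
interface FastEthernet0/13
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 2
!
"""

NEGOTIABLE_MODES = {"dynamic auto", "dynamic desirable"}


def parse_interfaces(config_text):
    """Split an IOS-style config into {interface name: [indented sub-commands]}."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the block
    return interfaces


def describe_port(commands):
    """Extract the settings the audit needs. Defaults follow IOS: native VLAN 1,
    access VLAN 1, and DTP enabled when 'switchport nonegotiate' is absent."""
    port = {"mode": None, "native_vlan": 1, "access_vlan": 1,
            "nonegotiate": "switchport nonegotiate" in commands,
            "shutdown": "shutdown" in commands}
    for cmd in commands:
        if (m := re.fullmatch(r"switchport mode (.+)", cmd)):
            port["mode"] = m.group(1).strip()
        elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)):
            port["native_vlan"] = int(m.group(1))
        elif (m := re.fullmatch(r"switchport access vlan (\d+)", cmd)):
            port["access_vlan"] = int(m.group(1))
    return port


def audit_switchports(config_text):
    """Return {interface: [findings]}; an empty list means the port passed."""
    ports = {name: describe_port(cmds) for name, cmds in parse_interfaces(config_text).items()}
    # VLANs that live end-user access ports sit in: a trunk whose native VLAN is
    # one of these is exactly the precondition double tagging needs.
    access_vlans = {p["access_vlan"] for p in ports.values()
                    if p["mode"] == "access" and not p["shutdown"]}
    report = {}
    for name, p in ports.items():
        findings = []
        if p["shutdown"]:
            report[name] = findings  # a shut port cannot negotiate anything
            continue
        if p["mode"] is None:
            findings.append("no explicit switchport mode; the platform default applies "
                            "(assumed dynamic auto, as on many Catalyst models), so treat it as DTP-negotiable")
        elif p["mode"] in NEGOTIABLE_MODES:
            findings.append(f"mode '{p['mode']}' negotiates trunking via DTP (switch spoofing)")
        elif not p["nonegotiate"]:
            findings.append(f"mode '{p['mode']}' without 'switchport nonegotiate': DTP is still active")
        if p["mode"] == "trunk":
            if p["native_vlan"] == 1:
                findings.append("trunk native VLAN left at the default VLAN 1")
            if p["native_vlan"] in access_vlans:
                findings.append(f"trunk native VLAN {p['native_vlan']} is also an access VLAN (double tagging)")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_switchports(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In the sample, FastEthernet0/11, FastEthernet0/13 and GigabitEthernet0/2 pass; FastEthernet0/12 is flagged for "dynamic auto", GigabitEthernet0/1 for missing "switchport nonegotiate" and for a native VLAN of 1, and GigabitEthernet0/3 because its native VLAN 2 is also the access VLAN of FastEthernet0/11.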



Source: // and // and //

