VLAN Hopping
VLANs, or virtual LANs, are Layer 2 subdivisions of the ports in a single switch. A VLAN may also span multiple switches. By segregating devices into VLANs, access control lists (ACLs) can be used in a router to control access between VLANs in the same way it is done between real LANs. When VLANs span switches, the connection between the switches is called a trunk link, and it carries the traffic of multiple VLANs. Trunk links are also used for the connection from the switch to the router.
A VLAN hopping attack results in traffic from one VLAN being sent to the wrong VLAN. Normally, this is prevented by the trunking protocol placing a VLAN tag in the packet to identify the VLAN to which the traffic belongs. The attacker can circumvent this by a process called double tagging, which is placing a fake VLAN tag into the packet along with the real tag. When the frame goes through multiple switches, the real tag is taken off by the first switch, leaving the fake tag. When the frame reaches the second switch, the fake tag is read and the frame is sent to the VLAN to which the hacker intended the frame to go.
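The double-tagging signature described above can be checked on captured frames. The following parser and inspector are an added example, not code from the original text: it walks the 802.1Q tag stack of an Ethernet frame, reports frames carrying more than one tag, and flags the classic case where the outer tag equals the port's native VLAN (the tag the first switch would strip). The native VLAN number, the port mode, and the sample frames are constructed assumptions for the demonstration.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service tag (QinQ); treated as a VLAN tag here as well


def parse_vlan_tags(frame: bytes):
    """Split an Ethernet frame into (dst, src, [vlan ids outer->inner], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated before EtherType")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def build_frame(dst: bytes, src: bytes, vlans, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a test frame with the given tag stack (outer tag first). Used only for samples."""
    out = dst + src
    for v in vlans:
        out += struct.pack("!HH", TPID_8021Q, v & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def inspect_frame(frame: bytes, native_vlan: int = 1, port_mode: str = "access") -> dict:
    """Classify a frame as seen on a port with the given native VLAN and mode.

    double_tagged:      more than one VLAN tag is present
    native_outer:       outer tag equals the native VLAN, so the first switch would strip it
                        and forward the inner tag onward (the hopping pattern in the text)
    target_vlan:        the VLAN the inner tag would land in after stripping
    tag_on_access_port: a user-facing access port should never receive tagged frames
    """
    _, _, tags, _, _ = parse_vlan_tags(frame)
    return {
        "tags": tags,
        "double_tagged": len(tags) >= 2,
        "native_outer": len(tags) >= 2 and tags[0] == native_vlan,
        "target_vlan": tags[1] if len(tags) >= 2 else None,
        "tag_on_access_port": port_mode == "access" and bool(tags),
    }


# Constructed sample frames (hypothetical addresses and VLAN numbers).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("02aabbccdd01")
DOUBLE_TAGGED = build_frame(DST, SRC, [1, 20])   # outer tag = native VLAN 1, inner tag = VLAN 20
UNTAGGED = build_frame(DST, SRC, [])
SINGLE_TAGGED = build_frame(DST, SRC, [20])

if __name__ == "__main__":
    for name, frame in (("double", DOUBLE_TAGGED), ("untagged", UNTAGGED), ("single", SINGLE_TAGGED)):
        print(name, inspect_frame(frame, native_vlan=1, port_mode="access"))
```

Moving the native VLAN to an unused number, as the text recommends, is visible here as `native_outer` turning false for the same frame once `native_vlan` is changed: the outer tag no longer matches, so the first switch would not strip it.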
Another risk with VLANs is the possibility of a hacker crossing VLANs to access sensitive data or to inject harmful software in an attack called VLAN hopping. A VLAN hopping attack occurs when an attacker generates transmissions that appear, to the switch, to belong to a protected VLAN. VLAN hopping can be prevented by disabling auto trunking and moving the native VLAN to an unused VLAN, meaning that untagged traffic would essentially run into a dead-end.
It’s also important to keep an eye out for signs of incorrect VLAN assignment. This can happen due to a variety of situations, including misconfigurations of the client authentication process in which a VLAN is assigned to the device before the authentication process is complete. Another problematic scenario occurs when ports are incorrectly configured in trunk mode, which is used between switches for trunking, instead of access mode, which is appropriate for user devices.
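The two mitigations above (disable auto trunking, move the native VLAN to an unused number) and the misconfiguration of user ports in trunk mode can be checked mechanically against a switch configuration. The audit below is an added example, not code from the original text: it reads an IOS-style running configuration, groups lines by interface, and reports ports that still negotiate trunking, trunks whose native VLAN is left at the default of 1, and trunks that still run DTP. The sample configuration, interface names and VLAN numbers are constructed, and the assumption that a port with no explicit `switchport mode` line negotiates trunking is stated in the code.

```python
# Constructed sample configuration (hypothetical interfaces and VLAN numbers).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user desk, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description user desk, negotiates trunking
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/23
 description uplink, hardened
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description uplink, default native VLAN and DTP still on
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""


def parse_interfaces(config_text: str) -> dict:
    """Return {interface name: [indented config lines]} for each interface stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return interfaces


def audit_interface(lines) -> list:
    """Return a list of finding codes for one interface stanza."""
    # Assumption: without an explicit 'switchport mode', the port is treated as DTP-negotiated.
    mode = "dynamic"
    native_vlan = 1  # default native VLAN when none is configured
    nonegotiate = False
    for line in lines:
        if line.startswith("switchport mode access"):
            mode = "access"
        elif line.startswith("switchport mode trunk"):
            mode = "trunk"
        elif line.startswith("switchport mode dynamic"):
            mode = "dynamic"
        elif line.startswith("switchport trunk native vlan "):
            native_vlan = int(line.rsplit(None, 1)[1])
        elif line == "switchport nonegotiate":
            nonegotiate = True

    findings = []
    if mode == "dynamic":
        # Auto trunking left enabled: a user port could be negotiated into a trunk.
        findings.append("dtp_auto_trunking")
    if mode == "trunk":
        if native_vlan == 1:
            # Native VLAN still the default, so untagged frames land in VLAN 1.
            findings.append("native_vlan_default")
        if not nonegotiate:
            # Trunk still advertises DTP instead of being statically configured.
            findings.append("dtp_negotiation_on_trunk")
    return findings


def audit_config(config_text: str) -> dict:
    """Audit every interface and return {interface name: [finding codes]}."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```

Ports that carry user devices should show `access` mode with no findings; any `dtp_auto_trunking` result on such a port is exactly the trunk-mode misconfiguration the text warns about, and `native_vlan_default` on an uplink means the native VLAN has not yet been moved off VLAN 1.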