Tags:802.1Q DTP Layer2 Layer3 Security switch-spoofing vlan VLAN-Hopping
VLAN Hopping is a Layer 2 security exploit by which a malicous user connected to a switchport on a Switch assigned to a VLAN can hop on and gain access to another VLAN which otherwise is not accessible. This security exploit allows the malicous hacker to bypass the IP Securities implemented at Layer 3.
There are 2 ways that a malicious hacker can conduct a VLAN hopping hack on a network.
1. Switch Spoofing
Switch Spoofing is a method by which the host with the capability of emulating tagging and trunking protocols connected to a switchport with Auto-Trunking capabilities turns the port into a Trunk and thereby havng a complete visibility and access to all the traffic to all the VLANS in the network. In Cisco Switches, the "Dynamic Trunking Protocol" provides the auto-trunking capabilities and most if not all has it enabled by default.
To prevent such attacks, the solution obviously is to disable Auto-Trunking on all ports except the ones which actually trunk other switches. This especially, is very important on all access switches in a network. In cisco, disable the "Dynamic Trunking Protocol". Click here for the procedure
2. Double Tagging
Double Tagging or Double 802.1q encapsultaion is a method which takes advantage of the backward compatibility enabled into the 802.1Q protocol to support native VLANs. This allows the 802.1q trunk ports to talk to 802.3 ports directly to send & receive untagged traffic.
A mailicious hacker connected to a switchport generates a packet with two VLAN tags. The Outer VLAN tag is the tag for the Native VLAN of the trunk and the inner tag is the one of the target VLAN to which the hacker is trying to gain access to.
When a 802.1q trunk port on a switch whose native VLAN is the same as the VLAN on the outer tag gets the packet, it strips the outer tag and forwards the packet as untagged traffic. Now, the inner tag which has the VLAN tag of the target VLAN becomes the permanent identity of the packet and hence the hacker has hopped onto the target VLAN and has gained access to data on the VLAN thereby bypassing the layer 3 securities.