I have worked with several network professionals who spend a lot of time avoiding the risk of VLAN hopping. The purpose of this article is to examine the theory behind this attack method and discuss whether it is practical in a modern enterprise network.
How does it work?
VLAN hopping is an attack in which an attacker sends frames carrying two 802.1q tags, with the intention of reaching a system in another VLAN. In theory, this could circumvent layer 3 security mechanisms. A frame with a malicious payload is encapsulated with a tag for the native VLAN, followed by a tag for the VLAN in which some protected system resides. The switch strips the native VLAN tag and forwards the frame with the inner tag still attached.
The problem with this theory is that there are very specific requirements for this sort of attack to work. In order for VLAN hopping to be successful, the following requirements must be met.
- The native VLAN must be correct. This is not a major hurdle in environments where the native VLAN is “1”.
- The remote VLAN must be active on the trunk between switches. This means that the attacker has to either know about the VLANs being used on the network, or they have to be extremely lucky.
- The switchport must allow tagged frames. Most modern switches have the capability to drop tagged frames on access ports.
How to prevent VLAN hopping
- Set the port mode and disable negotiation. You should always specify whether an interface should be an access port or a trunk port. Cisco switches use Dynamic Trunking Protocol (DTP) as a mechanism to dynamically negotiate the mode on an interface. Dynamic negotiation might be useful in certain environments, but it is not very secure.
- Control VLAN tags. Do not use the default VLAN for access. Configure trunks to only allow the VLANs that are needed. Some manufacturers, like Dell, provide a “general” mode that allows tagged frames from multiple VLANs. Always specify which VLANs should be allowed on these ports.
- Specify the native VLAN. It is always a good idea to create a dedicated VLAN that will be used as the native VLAN on the network. Using the default native VLAN makes it that much easier for malicious actors to guess. Just be sure to be consistent throughout the network, since the native VLAN is used for various features like Unidirectional Link Detection (UDLD).
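As an added illustration, not code from the original article, here is a small Python model that checks a port configuration against the three conditions listed in the first section and shows how the hardening steps above close each one. The switch model, the frame bytes and the VLAN numbers (1, 10, 20, 30, 999) are constructed for the example and do not describe any vendor's API.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


@dataclass
class EdgeSwitch:
    """Constructed model: the access port an attacker plugs into plus its uplink trunk."""
    access_vlan: int             # VLAN assigned to the access port
    trunk_native_vlan: int       # VLAN sent untagged across the uplink trunk
    trunk_allowed: frozenset     # VLAN IDs permitted on the uplink trunk
    drop_tagged_on_access: bool = True  # most modern switches can do this


def build_frame(vlan_ids, payload=b"\x00" * 46):
    """Construct a sample Ethernet frame with zero or more stacked 802.1Q tags."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200c0ffee01")  # dst, src MAC
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return hdr + struct.pack("!H", 0x0800) + payload


def parse_vlan_tags(frame):
    """Return the VLAN IDs carried by the frame, outermost first (empty if untagged)."""
    tags, offset = [], 12  # skip the 12 bytes of destination and source MAC
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid != TPID_8021Q:
            break
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return tags


def double_tag_hops(frame, sw):
    """Apply the article's three conditions; True means the inner VLAN is reached."""
    tags = parse_vlan_tags(frame)
    if len(tags) < 2:
        return False, "not double-tagged"
    outer, inner = tags[0], tags[1]
    if sw.drop_tagged_on_access:
        return False, "access port drops tagged frames"
    if outer != sw.access_vlan or outer != sw.trunk_native_vlan:
        return False, f"outer tag {outer} does not match the trunk native VLAN"
    if inner not in sw.trunk_allowed:
        return False, f"inner VLAN {inner} is pruned from the trunk"
    return True, f"native tag stripped on the trunk; next switch sees VLAN {inner}"


# Constructed settings: default-everything switch versus the hardening the article recommends.
LEGACY = EdgeSwitch(1, 1, frozenset(range(1, 4095)), drop_tagged_on_access=False)
HARDENED = EdgeSwitch(10, 999, frozenset({10, 20, 30}), drop_tagged_on_access=True)
```

Running `double_tag_hops(build_frame([1, 20]), LEGACY)` reports a hop, while the same frame against `HARDENED` is stopped at the first check; removing only the tagged-frame drop still fails on the native VLAN mismatch.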