CCNA, Cyber Security August 18, 2019 9 min read

What Are VLAN Attacks – Brief Explanation

Asad Ijaz, Network Specialist

In the previous article, I explained how trunks work. By default, trunk ports carry all VLANs and pass traffic for multiple VLANs across the same physical link between switches. VLANs simplify network administration and maintenance.

Table of Contents

  • Switch Spoofing VLAN Attacks
    • How to Protect Spoofing Attack
  • Double-Tagging VLAN Attacks
  • PVLAN Edge
    • Configuration of PVLAN
      • The host ports Configuration
      • The Resource and servers ports configuration
    • Verifying the Configuration
  • CAM Table Overflow/Media Access Control (MAC) Attack
  • Address Resolution Protocol (ARP) attack
  • VLAN Management Policy Server (VMPS)/ VLAN Query Protocol (VQP) attack
  • Cisco Discovery Protocol (CDP) Attack

VLANs also improve network performance, but they have weaknesses that attackers exploit, and these weaknesses are necessary to understand. So in this lesson we will discuss VLAN attacks, the weaknesses behind them, and how we can protect VLANs from them.

Switch Spoofing VLAN Attacks

Switch spoofing is a VLAN attack that takes advantage of an incorrectly configured trunk port. It is a form of VLAN hopping, which enables traffic from one VLAN to be seen by another VLAN.

The attacker takes advantage of the default switchport mode, which is dynamic auto. They configure a system to spoof itself as a switch. The attacker tricks the switch into thinking that another switch is attempting to form a trunk, and so the attacker gets access to all the VLANs allowed on the trunk port. The figure below illustrates the switch spoofing/VLAN hopping attack.

How to Protect Against a Spoofing Attack

We can avoid a switch spoofing attack by turning off trunking on all ports except the ones that specifically require trunking. It is also necessary to disable DTP and enable trunking manually.

The following steps protect a switch from a spoofing attack. Configure all switches in the network as shown below: configure every access port explicitly as an access port and disable DTP everywhere.

Switch1#configure terminal
Switch1(config)#interface range fastethernet 0/0 - 20
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#switchport nonegotiate
Switch1(config-if-range)#exit
Switch1(config)#exit
Switch1#

Configure all the trunk ports explicitly as trunk ports and disable DTP on them as well.

Switch1#configure terminal
Switch1(config)#interface range gigabitethernet 0/20 - 23
Switch1(config-if-range)#switchport mode trunk
Switch1(config-if-range)#switchport nonegotiate
Switch1(config-if-range)#exit
Switch1(config)#exit
Switch1#

Double-Tagging VLAN Attacks

The double-tagging VLAN attack is also known as the double-encapsulated VLAN hopping attack. In this type of attack, the attacker takes advantage of the way switch hardware processes 802.1Q tags.

The double-tagging attack is only possible if the attacker has physical connectivity to an interface that belongs to the native VLAN of the trunk port. A double-tagging attack is unidirectional. Thwarting this type of attack is not as easy as stopping a basic switch spoofing attack.

Many switches perform only one level of 802.1Q tagging and untagging. In this type of attack, the attacker modifies the original frame to carry two VLAN tags: an outer tag for his own VLAN and an inner, hidden tag for the victim's VLAN. For this to work, the attacker's PC must belong to the native VLAN of the trunk.

An important feature of the double-tagging VLAN hopping attack is that it works even if the attacker's own port is not configured as a trunk, because a host typically sends the frame on a segment that is not a trunk link. The figure below illustrates the double-tagging VLAN hopping attack.


The attacker sends a double-tagged 802.1Q frame to Switch1. The frame has two tags; the outer tag is the attacker's own VLAN, which is the same as the native VLAN of the trunk port, in this example VLAN 1.

The switch accepts this frame from the attacker as if it had arrived on a trunk port or a port with a voice VLAN, even though a switch should not normally receive a tagged Ethernet frame on an access port. The inner tag is the victim VLAN, in this example VLAN 10.

When Switch1 receives the frame, it reads the first 4-byte 802.1Q tag and determines that the frame belongs to VLAN 1, which is the native VLAN. The switch removes the outer VLAN 1 tag and sends the frame out on all VLAN 1 ports.

The trunk also carries the native VLAN, so the switch sends the frame out on the trunk port as well, and because native VLAN traffic leaves the trunk untagged, it is not re-tagged. The VLAN 10 tag is therefore still part of the frame, and Switch1 has never examined it.

Switch0 then looks at the 802.1Q tag, which is now the inner VLAN 10 tag, so it treats the frame as traffic for VLAN 10, the target VLAN. Switch0 removes the VLAN 10 tag and sends the frame on to the victim port or floods it, depending on whether there is a MAC address table entry.

The best practice to mitigate double-tagging VLAN attacks is to make the native VLAN of the trunk ports different from the VLAN of any user port. Use a fixed VLAN that is separate from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.
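To see why moving the native VLAN off the user VLANs works, the following added example (not the author's code, and not a tool from the article) parses 802.1Q tags from raw frame bytes and models the two forwarding rules the text describes: Switch1 processes exactly one tag and sends native-VLAN traffic untagged across the trunk, and Switch0 classifies the frame by whatever tag it then sees. The frames, MAC addresses and VLAN numbers are constructed for the example; "Switch1" and "Switch0" follow the article's figure.

```python
"""Model of how a pair of single-level 802.1Q switches handles a double-tagged frame.

Added example for this article, not the author's code. All frames, MAC
addresses and VLAN numbers are constructed for the example.
"""
import struct

ETHERTYPE_8021Q = 0x8100


def parse_tags(frame: bytes):
    """Return (vlan_ids, offset_of_ethertype), reading every stacked 802.1Q tag in order."""
    offset = 12  # after destination and source MAC
    vlans = []
    while struct.unpack("!H", frame[offset:offset + 2])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)  # VLAN ID is the low 12 bits of the TCI
        offset += 4
    return vlans, offset


def build_frame(dst: bytes, src: bytes, vlans, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def pop_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag, which is all a single-level switch does on ingress."""
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a tag for vid directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid) + frame[12:]


def switch1_to_trunk(frame: bytes, access_vlan: int, native_vlan: int) -> bytes:
    """Ingress on an access port, egress on the 802.1Q trunk (single level of tagging)."""
    vlans, _ = parse_tags(frame)
    if vlans:
        vlan = vlans[0]        # the switch looks at exactly one tag
        frame = pop_outer_tag(frame)
    else:
        vlan = access_vlan
    if vlan == native_vlan:
        return frame           # native VLAN leaves the trunk untagged
    return push_tag(frame, vlan)


def switch0_classify(frame: bytes, native_vlan: int) -> int:
    """Far end of the trunk: a tagged frame belongs to that VLAN, an untagged one to the native VLAN."""
    vlans, _ = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def vlan_reached(native_vlan: int, attacker_vlan: int = 1, target_vlan: int = 10) -> int:
    """Which VLAN Switch0 delivers the double-tagged frame to, for a given trunk native VLAN."""
    # Constructed frame: sender on VLAN 1 (as in the article) with an inner VLAN 10 tag.
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [attacker_vlan, target_vlan], 0x0800, b"constructed payload")
    on_trunk = switch1_to_trunk(frame, access_vlan=attacker_vlan, native_vlan=native_vlan)
    return switch0_classify(on_trunk, native_vlan)


if __name__ == "__main__":
    # With native VLAN 1 the inner tag survives the trunk; with an unused native VLAN it does not.
    print("native VLAN 1   -> frame lands in VLAN", vlan_reached(native_vlan=1))
    print("native VLAN 999 -> frame lands in VLAN", vlan_reached(native_vlan=999))
```

With the native VLAN equal to the user VLAN, Switch1 strips the outer tag and the inner VLAN 10 tag crosses the trunk untouched. When the native VLAN is a dedicated, unused VLAN (999 here), the frame is no longer native-VLAN traffic, so Switch1 re-tags it with VLAN 1 and Switch0 keeps it in the sender's own VLAN; that is the whole effect of the best practice above.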

PVLAN Edge

The concept of the private VLAN is used in Layer 2 security. A private VLAN is a method to group hosts and control traffic inside a single broadcast domain. For example, some applications need no Layer 2 communication between ports on the same switch, so that a host does not see the traffic generated by a neighbouring host. Ports configured in a PVLAN are also known as protected ports.

A PVLAN restricts direct Layer 2 communication between any two devices connected to the same switch. This makes an attack between PVLAN hosts very difficult; however, the protection applies only at Layer 2.

PVLANs are not intended or designed to protect against Layer 3 attacks. Forwarding between a protected port and a nonprotected port works as usual. The figure below shows a switch with PVLAN Edge configured on the first 20 ports; as a result, the PCs connected to these ports cannot communicate with each other.

Configuration of PVLAN

Protected ports require manual configuration. To configure the PVLAN Edge feature, follow the steps below.

Host Ports Configuration

Switch>enable
Switch#configure terminal
Switch(config)#spanning-tree portfast default
Switch(config)#interface range fa0/1 - 20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport protected
Switch(config-if-range)#exit

Resource and Server Ports Configuration

Switch(config)#interface range fa0/21 - 24
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#exit

Verifying the Configuration

We can verify the configuration using show running-config. We can also use the show interfaces switchport command, which shows whether an interface is set as protected and thus its PVLAN Edge status.

CAM Table Overflow/Media Access Control (MAC) Attack

The CAM table stores the MAC addresses learned on each physical port along with the configured VLAN. In a CAM table overflow attack, the attacker focuses on the CAM table alone, targeting it because it has a fixed size.

The attacker connects to a physical port and generates a huge number of frames with different source MAC addresses. When the CAM table fills and there is no space for more MAC entries, the switch can no longer learn new addresses, and traffic for a destination without a CAM entry is sent out on all ports of the VLAN in question.

Traffic for hosts that already have a CAM entry is not affected, but adjacent switches can also be affected by the attack. We can mitigate this type of attack by specifying the allowed MAC addresses and limiting the number of MAC addresses per port. If an unauthorized MAC address is seen, the MAC address can be blocked or the port shut down.
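The following added example (not the author's code) models a fixed-size CAM table and shows what the flood does to learning and forwarding, first with no limit and then with a per-port address limit of the kind the paragraph above describes. The table capacity, port names, VLAN and MAC addresses are constructed for the example, and the two violation actions model the "block the address" and "shut the port down" responses.

```python
"""Fixed-size CAM table under a MAC flooding attack, with and without a per-port limit.

Added example for this article, not the author's code. Table size, port names,
VLAN and MAC addresses are all constructed for the example.
"""
from typing import Dict, Optional, Tuple


class CamTable:
    def __init__(self, capacity: int, max_per_port: Optional[int] = None,
                 violation: str = "protect"):
        self.capacity = capacity
        self.max_per_port = max_per_port     # None means no per-port limit
        self.violation = violation           # "protect" drops the frame, "shutdown" disables the port
        self.table: Dict[str, Tuple[str, int]] = {}   # mac -> (port, vlan)
        self.shutdown_ports = set()
        self.violations = 0

    def count_on_port(self, port: str) -> int:
        return sum(1 for p, _ in self.table.values() if p == port)

    def learn(self, src_mac: str, port: str, vlan: int) -> str:
        """Source-MAC learning for one incoming frame; returns what happened to it."""
        if port in self.shutdown_ports:
            return "dropped"
        if src_mac in self.table:
            return "known"
        if self.max_per_port is not None and self.count_on_port(port) >= self.max_per_port:
            self.violations += 1
            if self.violation == "shutdown":
                self.shutdown_ports.add(port)
                return "port-shutdown"
            return "violation"               # protect: address not learned, frame dropped
        if len(self.table) >= self.capacity:
            return "table-full"              # nothing learned; frames to this MAC will be flooded
        self.table[src_mac] = (port, vlan)
        return "learned"

    def forward(self, dst_mac: str, vlan: int) -> str:
        """Egress port for a destination MAC, or 'flood' when the VLAN has no entry for it."""
        entry = self.table.get(dst_mac)
        if entry is not None and entry[1] == vlan:
            return entry[0]
        return "flood"


def run_flood(port_security: bool, attacker_frames: int = 200) -> dict:
    """A host on Fa0/5 sends frames with many source MACs; afterwards PC-B joins on Fa0/3."""
    cam = CamTable(capacity=100, max_per_port=1 if port_security else None)
    cam.learn("00:11:22:33:44:01", "Fa0/1", 10)       # server, already known
    cam.learn("00:11:22:33:44:02", "Fa0/2", 10)       # PC-A, already known
    for i in range(attacker_frames):                  # constructed source addresses
        cam.learn(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "Fa0/5", 10)
    cam.learn("00:11:22:33:44:03", "Fa0/3", 10)       # PC-B plugs in after the flood
    return {
        "entries": len(cam.table),
        "attacker_entries": cam.count_on_port("Fa0/5"),
        "violations": cam.violations,
        "to_server": cam.forward("00:11:22:33:44:01", 10),   # existing entry still works
        "to_pc_b": cam.forward("00:11:22:33:44:03", 10),     # flooded if never learned
    }


if __name__ == "__main__":
    print("no per-port limit:", run_flood(port_security=False))
    print("limit of 1 per port:", run_flood(port_security=True))
```

Without a limit, the flood fills every free slot, PC-B is never learned and all traffic to it is flooded on the VLAN, exactly the condition that lets a sniffer on another port see it. With a limit of one address on Fa0/5, only the first address is learned, the remaining frames count as violations, and PC-B is forwarded normally.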

Address Resolution Protocol (ARP) attack

An ARP attack is also known as ARP spoofing. It is a type of cyber attack carried out over a local area network (LAN). The ARP protocol was designed for efficiency, not for security, which makes ARP attacks easy. The attacker sends false ARP messages over the LAN, which results in the attacker's MAC address being bound to the IP address of a legitimate server or host.

Once the attacker's MAC address is bound to a legitimate IP address, the attacker begins receiving any data destined for that IP address. An ARP attack enables attackers to intercept, change or stop data in transit. ARP spoofing attacks can only occur on local area networks that use the Address Resolution Protocol.
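Because ARP has no authentication, the practical defence is to watch the bindings it announces. The following added example (not the author's code) parses raw ARP packets and raises an alert when an IP address is claimed by a MAC address that contradicts either a trusted binding list or the binding previously seen on the wire, which is the same idea tools such as arpwatch use to spot the false ARP messages described above. The addresses, the trusted list and the captured packets are constructed for the example.

```python
"""ARP spoofing detector over captured ARP packets.

Added example for this article, not the author's code. It parses the 28-byte
ARP body that follows the Ethernet header (RFC 826 layout). Every address and
packet below is constructed for the example.
"""
import socket
import struct
from typing import Dict, List

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encode an Ethernet/IPv4 ARP packet."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                       _mac_bytes(sha), socket.inet_aton(spa),
                       _mac_bytes(tha), socket.inet_aton(tpa))


def parse_arp(pkt: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet into its opcode and sender/target addresses."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": _mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": _mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


class ArpMonitor:
    def __init__(self, trusted: Dict[str, str]):
        self.trusted = dict(trusted)     # ip -> mac from a trusted source (static list, DHCP leases)
        self.seen: Dict[str, str] = {}   # ip -> mac first observed on the wire
        self.alerts: List[str] = []

    def observe(self, pkt: bytes) -> None:
        arp = parse_arp(pkt)
        if arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            return
        ip, mac = arp["spa"], arp["sha"]   # the sender fields are what hosts put in their cache
        if ip in self.trusted:
            if self.trusted[ip] != mac:
                self.alerts.append(f"{ip} claimed by {mac}, trusted binding is {self.trusted[ip]}")
            return
        previous = self.seen.setdefault(ip, mac)
        if previous != mac:
            self.alerts.append(f"{ip} moved from {previous} to {mac}")


def run_sample() -> List[str]:
    """Replay a constructed capture: two legitimate replies, then two conflicting ones."""
    gw, host = "00:11:22:33:44:01", "00:11:22:33:44:50"
    other, rogue = "00:11:22:33:44:60", "02:00:00:aa:bb:cc"
    monitor = ArpMonitor(trusted={"192.0.2.1": gw})   # only the gateway binding is pinned
    capture = [  # constructed packets, in order of arrival
        build_arp(ARP_REQUEST, host, "192.0.2.50", "00:00:00:00:00:00", "192.0.2.1"),
        build_arp(ARP_REPLY, gw, "192.0.2.1", host, "192.0.2.50"),
        build_arp(ARP_REPLY, other, "192.0.2.60", host, "192.0.2.50"),
        build_arp(ARP_REPLY, rogue, "192.0.2.1", host, "192.0.2.50"),    # contradicts trusted list
        build_arp(ARP_REPLY, rogue, "192.0.2.60", host, "192.0.2.50"),   # contradicts earlier binding
    ]
    for pkt in capture:
        monitor.observe(pkt)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```

The trusted list catches the gateway impersonation immediately; for addresses that are not pinned, the monitor can only notice that a binding changed, so it is worth feeding it the authoritative IP-to-MAC data (DHCP leases or a static inventory) rather than relying on first-seen learning alone.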

VLAN Management Policy Server (VMPS)/ VLAN Query Protocol (VQP) attack

This type of attack uses VMPS. The VMPS is a network switch that holds a mapping of device information to VLANs. It assigns a VLAN to each host based on the host's MAC address and stores these relationships in a database.

This database is usually part of the VMPS and is queried using the VLAN Query Protocol (VQP). VQP is an unauthenticated protocol that runs over UDP (User Datagram Protocol), which makes manipulation very easy for an attacker.

As a result, because VQP has no authentication, an attacker can easily join a VLAN that he or she is not authorized to access. To reduce the chance of this attack, monitor the network for misbehaviour, send VQP queries out-of-band, or disable the protocol.

Cisco Discovery Protocol (CDP) Attack

Most Cisco routers and switches have CDP enabled in the default configuration, out of the box. CDP is a Cisco proprietary protocol that allows Cisco devices to exchange information and helps the network be configured to work smoothly together. CDP information is sent in periodic broadcasts that update each device's CDP database. CDP is a Layer 2 protocol, so routers do not propagate it.

All CDP information is sent over the network in cleartext, so any attacker on the segment can intercept it and read the network information it carries. To reduce the chance of attack, disable CDP where it is not needed.

An attacker can easily capture the information CDP sends using Wireshark or other network analyzer software. However, CDP is useful, and if it is isolated by not allowing it on user ports, it can still help the network run smoothly.
