What is VLAN Attacks – Brief Explanation

In the previous article, I explained how trunks work. By default, trunk ports can use all VLANs and pass traffic for multiple VLANs across the same physical link between switches. The VLAN simplifies network administration and maintenance.

It also improves the performance of the network, but it has some backhaul for hackers which is necessary to understand. So in this lesson, we will discuss VLAN attacks, backhaul and how can we protect VLANs from VLAN Attacks.

Switch Spoofing VLAN Attacks

Switch spoofing is VLAN attack, taking advantage of an incorrectly configured trunk port. VLAN hopping enables traffic from one VLAN to be seen by another VLAN.

The attacker tack advantage of the default switchport mode which is dynamic auto. They configure a system to spoof itself as a switch. The attacker tricks a switch into thinking that another switch is attempting to form a trunk, thus an attacker gets access to all the VLANs allowed on the trunk port. The figure below illustrates the switch spoofing/VLAN hopping attack.

What is VLAN Attacks - Brief Explanation 3How to Protect Spoofing Attack

We can avoid a switch spoofing attack by turning off trunking on all ports, except the ones that specifically require trunking. It is also necessary to disable DTP, and manually enable trunking.

Following are the steps for protecting a switch from a spoofing attacks. Configure all switches in the network like below. Configure all access ports as an access port and disable DTP everywhere.

Switch1#configure terminal
Switch1(config)#interface range fastethernet 0/0 – 20
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#switchport nonegotiate

Configure all the trunk ports as a trunk port and disable DTP on trunk ports.
Switch1#configure terminal
Switch1(config)#interface range gigabitethernet 0/20 – 23
Switch1(config-if-range)#switchport mode trunk
Switch1(config-if-range)#switchport nonegotiate

Double-Tagging VLAN Attacks

The double-tagging VLAN attacks are also known as double-encapsulated VLAN hopping attacks. In this type of attack, the attacker takes advantage of the hardware way of operation.

The Double tagging attack is only possible if the attacker has physical connectivity to an interface that belongs to the native VLAN of the trunk port. A double tagging attack is a uni-directional attack. Thwarting this type of attack is not as easy as stopping basic hopping VLAN attacks.

Many switches make one level of 802.1Q tagging and untagging. In this type of attack, an attacker changes the original frame to add two VLAN tags. The outer tag which is his own VLAN tag and the inner hidden tag of the victim’s VLAN tag and the attacker’s PC must belong to the native VLAN of the network.

An important feature of the double-tagging VLAN hopping attack is that it works even if trunk ports are not configured because a host typically sends a frame on a segment that is not a trunk link. The figure below illustrates the double-tagging VLAN hopping attack.

vlan attacks

The attacker sends a double-tagged 802.1Q frame to switch1. The frame has two tags, the outer tag is the attacker’s tag, which is the same as the native VLAN of the trunk port in this example VLAN1.

The switch received this frame from the attacker as if it were on a trunk port or a port with a voice VLAN because a switch should not receive a tagged Ethernet frame on an access port. The inner tag is the victim VLAN in this example, VLAN 10.

When the switch1 received the frame, it will read the first 4-byte 802.1Q tag and confirm that the frame is for VLAN1, which is the native VLAN. The switch sends the frame out on all VLAN 1 ports after removing the outer tag of VLAN1.

The trunk is also the part of native VLAN, so the switch will also send the frame on a trunk port without re-tagging and the VLAN 10 tag is still the part of the packet and switch1 has not checked this frame.

The switch0 looks at the 802.1Q tag at this time the tag is an inner tag of VLAN-10 that the attacker sent the frame for VLAN 10, the target VLAN. The switch0 remove the VLAN-10 tag and sends the frame on to the victim port or floods it, depending on the existing MAC address table entry.

The best practice to decrease double-tagging VLAN attacks that the native VLAN of the trunk ports is different from the VLAN of any user ports. Also, use a fixed VLAN that is separate from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.


The concept of Private VLAN is using in layer2 security. The private VLAN is a method to group hosts and control traffic inside a single broadcast domain. For example, some applications need no communication at Layer 2 between ports on the same switch so that a host does not see the traffic generated by another neighbouring host. The ports configured in PVLAN also known as protected ports.

The PVLAN restricts the direct layer2 communications between any two devices connected to the same switch. So, the attack on PVLANs is very difficult; however, they will only do this in layer2.

PVLANs are not intended or designed to protect against a layer3 attack. Forwarding behaviour between a protected port and a nonprotected port is normal as usual. The figure below shows a switch PVLAN Edge configured on the first 20 ports. As a result PC’s connected to these ports cannot communicate with each other.

What is VLAN Attacks - Brief Explanation 4

Configuration of PVLAN

The Protected ports required manual configuration. To configure the PVLAN Edge feature follow the below steps.

The host ports Configuration

Switch#configure terminal
Switch(config)#spanning-tree portfast default
Switch(config)#interface range fa0/1 – 22
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport protected

The Resource and servers ports configuration

Switch(config)#interface range fa0/22 – 24
Switch(config-if-range)#switchport mode access

Verifying the Configuration

We can verify the configuration using show running-config and we can also use a show interface switchport command that will show if interfaces have set as protected thus showing their PVLAN Edge status.

CAM Table Overflow/Media Access Control (MAC) Attack

The CAM table store information of MAC address on physical port along with the configured VLAN. In CAB table overflow attack the attackers focus on CAM table only. Due to the fixed size of the CAM table attacker target it.

The attacker connects on a physical port and generates a huge number of MAC entries. When the CAM table fills and there is no space for more MAC entries, the switch left the CAB table and sent traffic without a CAM entry sent out on all ports of the VLAN in question.

The host Traffic with a CAM entry is not affected. But the adjacent switches traffic can be affected by the question. We can decrease this type of attack by specifying the allowed MAC address and limiting the number of MAC addresses per port. If the invalid MAC address is found, the mac address can either be blocked or the port shut down.

Address Resolution Protocol (ARP) attack

ARP attack is also known as ARP Spoofing. It is a type of cyber attack carried out over a Local Area Network (LAN). The ARP protocol is working for efficiency, not for security, therefore ARP attack is too easy. The attacker sends false ARP messages over a local area network. This results in the binding of an attacker’s MAC address with the IP address of a legitimate server or a host.

Once the MAC address of the attacker is connected to an authentic IP address, then the attacker begins receiving any data that is destined for that IP address. ARP attack enables attackers to intercept, change or stop data-in-transit. ARP spoofing VLAN attacks can only occur on local area networks that use the Address Resolution Protocol.

VLAN Management Policy Server (VMPS)/ VLAN Query Protocol (VQP) attack

This type of attack uses VMPS. The VMPS is a network switch that has a mapping of device information to VLAN. The VMPS assigns VLAN for network management based on the MAC address of the host and stores these relationships in a database.

This database is usually the part of the VMPS and which is queried by VLAN Query Protocol (VQP), VTP is an unauthenticated protocol that which uses UDP (User Datagram Protocol), that make manipulation very easy for an attacker.

As a result, by using VQP, the hacker very easily hacks the hosts because of no authentication and the hacker easily join the VLAN that he or she is not authorized to access. The decrease the attack chances it is required to monitor the network for miss behaviour, send VQP queries out-of-band or to disable it the protocol.

Cisco Discovery Protocol (CDP) Attack

Most Cisco routers and switches have CDP enabled in the default configuration, out of the box. CDP information is sent in periodic broadcasts that are updated locally in each device’s CDP database. The CDP is a Layer 2 protocol, therefore, the routers do not propagate it.

CDP is a Cisco proprietary protocol which enabled by default in most of Cisco switches. It also allows Cisco devices to exchange information and configure the network to work smoothly together. CDP information is sent in periodic broadcasts which updated each device’s CDP database.

The CDP is a Layer 2 protocol, therefore, a router does not propagate CDP. All the CDP information is sent over a network in cleartext. Therefore any attackers can intercept and see the network information. However, to decrease the chances of hacking disable the CDP where possible.

An attacker can easily sniff information sending the CDP using Wireshark and other networking analyzer software. However, the CDP is useful and, if it can be isolated by not allowing it on user ports, then it can help make the network run more smoothly.