VLAN hopping 101: The what, why, and how

Allowing network admins to logically group devices from several sub-networks and easily confine broadcast domains, virtual local area networks (VLANs) have become an essential part of every organizational network. VLANs offer several networking advantages for complex IT infrastructures, including network isolation, reduced traffic, and enhanced security. However, like every other network component, without an effective monitoring strategy in place, VLANs can fall victim to security attacks and run into performance issues. This has made monitoring the health, performance, and security of VLANs a critical task for network admins.

One common issue in VLANs that network admins have to be on the lookout for is VLAN hopping. On this page, we will be looking into the following:

• What is VLAN hopping?
• Why should you care about VLAN hopping attacks?
• How to prevent VLAN hopping attacks

What is VLAN hopping?

VLAN architecture simplifies network management and performance optimization by isolating the network into logical groups. VLAN hopping enables communication between these groups by carrying traffic from one VLAN to another in the network. A VLAN hopping attack takes advantage of this network's functioning to carry out security attacks on the network.

A VLAN hopping attack is a security exploit technique commonly used by attackers to gain access to unauthorized resources on the target VLAN. In this technique, attackers use manipulated network packets to gain access to one VLAN. The attacked VLAN then acts as the basis for further attacks. Attackers penetrate the entire network using certain VLAN vulnerabilities, such as trunking mode, and VLAN misconfigurations. The types of VLAN hopping attacks include:

• Switch spoofing attack.
• Double tagging attack.

Switch spoofing attack

In switch spoofing, the attacker makes use of the auto-negate and trunking features of the network switches. In an idle network, these features enable network switches to establish communication links between other switches in the network. In a switch spoofing attack, the attackers make use of the incorrectly configured switch port to carry out switch spoofing.

By emulating IEEE 802.1Q and Dynamic Trunking Protocol (DTP) messages, the attacker configures an end system to imitate a network switch. They then use this switch spoofing system to send messages to other switches in the network. With the other switches treating the spoofed system as a network switch, the attacker can send DTP negotiation frames to the switches. If the other switches have auto-negotiation capabilities turned on, the attacker can negotiate a trunking link over a port with the network switch. This allows the attacker to gain access to the resources in the network switch.

Double tagging attack

Double tagging attacks take advantage of the IEEE 802.1Q tagging and untagging mechanisms that are enabled in most networks. This attack uses switch ports connected to native VLANs. The attacker first penetrates the network's native VLAN and then propagates the attack. Since trunk ports connected to native VLANs can carry traffic without any VLAN tags, the attacker can use this VLAN to easily create trunk links between their system and other switch ports. The attacker follows the steps below to carry out double tagging attacks.

The attacker first identifies and connects to the port accessible to the native VLAN, which in turn is accessible to the trunk ports in the network. Using IEEE 802.1Q's double tagging technique, the attacker creates a data packet with the outer tag as the native VLAN's ID and the inner tag as the target VLAN ID.

• When the native VLAN receives this packet, it reads the outer tag, assumes it to be traffic within its network, and discards the tag.
• The native VLAN then forwards the packet to all its ports. In this process, the trunk link connected to the native VLAN also receives a copy of the packet.
• This packet is then ultimately forwarded to the target VLAN in the network.

A double tagging attack is unidirectional and can be difficult to prevent without the right network management strategies in place.

Why should you care about VLAN hopping attacks?

VLAN architecture has become an integral part of every network's IT infrastructure. With organizations becoming increasingly reliant on VLANs for secure network communications, any loopholes in their security can lead to:

• Privacy threats: Attackers gaining access to your VLANs can easily penetrate into the data held by the resources connected to the VLANs. This penetration and infiltration enable attackers to access sensitive network data, such as system passwords.
• Data access and manipulation: A compromised VLAN architecture can expose your network to data theft. Attackers can gain access to, modify, or delete your network data.
• Security threats: VLAN hopping exposes your network to several security threat vectors. By penetrating into the network VLANs, attackers can propagate malicious agents, such as worms and Trojans, into the network.

How to prevent VLAN hopping attacks

VLAN hopping attacks take advantage of VLAN misconfigurations and improper VLAN architecture setup. To prevent these attacks from infiltrating the network, network admins are recommended to implement the following best practices in their IT infrastructures.

Preventing switch spoofing

As stated earlier, switch spoofing attacks are based on improper trunking configurations in switches. To reduce the probability of such attacks, network admins should:

• Disable auto trunk negotiation settings in network switches. This can be done by disabling DTP in all ports. This setting should be left enabled only if necessary for day-to-day network functioning.
• Explicitly configure non-trunk ports as access ports. This reduces the number of available ports for penetrating switch spoofing attacks.
• Ensure all ports that are currently not in use are shut down or disabled.

Preventing double tagging attacks

Double tagging works by using the IEEE 802.1Q standard to break through the logical isolation of different VLANs. To mitigate these attacks, network admins should:

• Isolate the network's default VLAN from host access.
• Enable explicit tagging of the native VLAN on trunk ports.
• Give the native VLAN on trunk ports an ID different from the other user VLANs.
• Never assign access ports to the native VLAN.

Apart from the above best practices, network admins can also follow standard industry best practices, which include:

• Keeping a VLAN device inventory: Maintain a centralized inventory of all the network switch ports and their interfaces. Enable effective performance monitoring to track their crucial performance metrics and utilization in real time.
• Layer 2 mapping: Use a reliable networking mapping tool to maintain up-to-date layer 2 maps of network VLANs, their connections, and associated network resources. This helps you understand the logical structuring of your network, and quickly carry out issue mitigation steps if needed.
  For instance, referring to your network's current layer 2 maps helps you isolate critical VLANs from other VLANs in your network.
• Switch port management: To enable in-depth insights into your network traffic, deploy a switch port mapping and management solution to drill down to the physical- and traffic-level aspects of the switch ports and associated interfaces.
• Ensuring network compliance: Ensuring your network meets the required latest compliance standards enhances your network's defense against VLAN hopping.
  For instance, PCI compliance adds several layers of security to your logical network architecture, making it impractical for VLAN hopping attackers to access sensitive data.

Looking to deploy a reliable network monitoring solution?

Meet ManageEngine OpManager! OpManager is a complete network performance monitoring solution that offers advanced capabilities to monitor all your network components, right out of the box. Offering simplified VLAN discovery, layer 2 mapping, and device inventory management capabilities, it helps you understand and monitor your VLAN architecture better.

Try OpManager today! Download a fully functional, 30-day, free trial, or schedule a personalized live demo with our product experts and explore OpManager hands-on.