VLAN Security and Hopping Prevention

Overview

This lecture covers the purpose of VLANs, how they can be bypassed via VLAN hopping attacks, and methods to prevent such security risks.

VLANs (Virtual Local Area Networks) separate network traffic for security and organizational purposes.
Common VLAN uses include separating departments (e.g., Marketing, Accounting) or device types (e.g., IoT, cameras).
Devices in separate VLANs cannot communicate directly unless routed.

Switch spoofing exploits dynamic trunk configuration between switches.
If a switch auto-configures a trunk with a host, the host can access multiple VLANs by impersonating a switch.
Disabling trunk auto-negotiation removes this vulnerability.
Administrators should manually define trunk interfaces and allowed VLANs to prevent spoofing.

Double tagging involves crafting Ethernet frames with two VLAN tags.
The first switch removes the outer tag, sending the frame over the native VLAN.
The second switch removes the inner tag, forwarding the frame to another VLAN.
This attack is one-way and mainly used for injecting traffic (e.g., denial of service).

VLAN (Virtual Local Area Network) — A logical network segment that separates devices for security and performance.
Switch Spoofing — A VLAN hopping method where a device impersonates a network switch to access multiple VLANs.
Double Tagging — A VLAN hopping method using Ethernet frames with two VLAN tags to cross VLAN boundaries.
Native VLAN — The VLAN assigned to untagged traffic on a trunk port.
Trunk Port — A switch port configured to carry traffic for multiple VLANs.

Review your switch configuration to ensure trunk negotiation and native VLAN settings are secure.
Read next chapter on network segmentation best practices.