Velocity Reviews - Computer Hardware Reviews


Vlan hopping

Sherlock Holmes
Hi All,

Does anyone know of Vlan Hopping? Can anyone explain how it works?

thort
VLAN hopping is basically a security issue. Besides the network reasons for configuring VLANs (reduced broadcast domains, switch virtualisation, etc.), the security reason is simple: segment users. So, for example, I configure two VLANs: accounting and others. This keeps their traffic separate, and they need to pass through a router with ACLs or a firewall to intercommunicate.
However, if I am a member of the others VLAN and can get my PC directly into the accounting VLAN, I have just bypassed the firewall. If you don't understand how I could do that, then you need to learn about VLAN TAGGING.

Standard default configuration problems inherent to Cisco and to non-security-minded network admins with Cisco equipment:
1. Default management VLAN 1 on all ports.
2. Multiple VLANs configured on the same port.
3. Dynamic Trunking Protocol (DTP) on by default.
4. Trunk ports carry all VLANs by default.
5. CDP configured by default.

So with a good sniffer (one that reads tagged frames), an OS, NIC or application that can do VLAN tagging, a CDP sniffer, and a DTP generator, I could: 1. put myself in the management VLAN 1 (with the correct IP address, thanks CDP!), which is seldom filtered; or 2. put myself directly into the accounting VLAN if multiple VLANs are on the same port; or 3. turn my switchport into a trunk with DTP and have access to all VLANs.


Sherlock Holmes wrote:
> Hi All,
> Does anyone know of Vlan Hopping? Can anyone explain how it works?

Yes, I can.
Let's start this way. You have two switches with a trunk link between them.
On both sides you have VLAN v1 and VLAN v2.

He creates a packet with a VLAN v2 packet header and puts this in a
VLAN v1 packet. The switch then transports that packet to the ports. On
the trunk port it removes the v1 header and, what a surprise, there is a v2
header. Now it transports the packet to a v2 port.

I currently don't remember what the hacker has to do to bring the
switch to extract it. I only remember something about switchport mode
not being set to access. There is a protocol a Cisco switch uses to find out
whether the port is a trunk or an access port.

If you still have questions left, send me a mail.

So long Alexander

Found the book description:

"VLAN hopping relies on the Dynamic Trunking Protocol (DTP). If you have
two switches that are connected, DTP can negotiate between the two to
determine if they should be an 802.1Q trunk. Negotiation is done by
examining the configured state of the port. "


"Trunk links carry traffic from all VLANs. In 802.1Q trunking, which DTP
negotiates, four bytes are added to the Ethernet header to define what
VLAN a frame is a member of. When a frame leaves the trunk and enters
another switch, the 802.1Q shim header is removed, the frame check
sequence is recalculated, and the frame is brought back to its original

VLAN hopping exploits the use of DTP. In VLAN hopping, you spoof your
computer to appear as another switch. You send a fake DTP negotiate
message announcing that you would like to be a trunk. When the real
switch hears your DTP message, it thinks it should turn on 802.1Q
trunking. When trunking is turned on, all traffic for all VLANs is sent
to your computer. Figure 10-6 illustrates this process.

After a trunk is established, you either can proceed to sniff the
traffic, or you can send traffic by adding 802.1Q information to your
frames that designate which VLAN you want to send your attack to.

I think that describes the thing. So to prevent VLAN hopping you should
always disable DTP.

So long Alexander
thort
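The double-tagged frame Alexander describes, seen the way a defender's capture tool would see it: an added example in Python, not code from this thread. It parses the 802.1Q tag stack (the four bytes after the source MAC that the book quote mentions) and flags frames an access port should never receive, either tagged at all or stacked with the native VLAN outermost. The MAC addresses and payload are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100       # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame: bytes) -> dict:
    """Return the VLAN tag stack (outer tag first), final EtherType and payload.

    An 802.1Q tag is the 4 bytes inserted after the source MAC: TPID 0x8100,
    then the TCI whose low 12 bits are the VLAN ID. Stacked tags repeat this.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset, vlans = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: EtherType missing")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid != TPID_8021Q:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)
        offset += 4
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlans": vlans, "ethertype": tpid, "payload": frame[offset + 2:]}

def check_frame(frame: bytes, port_native_vlan: int = 1) -> list:
    """Findings for a frame received from an end host on a user-facing port."""
    tags = parse_frame(frame)["vlans"]
    findings = []
    if len(tags) >= 2:
        findings.append("stacked 802.1Q tags (double tagging)")
        if tags[0] == port_native_vlan:
            findings.append("outer tag is the native VLAN %d; a trunk strips it "
                            "and forwards the inner tag for VLAN %d" % (tags[0], tags[1]))
    elif len(tags) == 1:
        findings.append("tagged frame on an access port (VLAN %d)" % tags[0])
    return findings

def make_sample_frame(vlans, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed sample input for the parser; nothing is transmitted."""
    hdr = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload
```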
Exactly what Alexander says about trunking and DTP (he gave a more detailed explanation than I did). But you can also have multiple VLANs on a switchport, not just on a trunk, and then you can hop that way too.

Some good basic Cisco security commands:
Global config:
spanning-tree portfast bpduguard default
spanning-tree guard root
User port config (interface fe0/X):
switchport mode access (turns off DTP on that port)
switchport access vlan X
switchport port-security

And change the native VLAN from the default (VLAN 1) on both switchports and trunks (especially on trunks!)

Last edited by thort; 09-27-2007 at 10:53 AM..
ABCD1234
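A small audit of thort's checklist against a running-config, as an added example that is not from the thread: it parses interface stanzas and flags ports left at the defaults listed above (DTP negotiable, VLAN 1, no port-security, native VLAN 1 on trunks). 'switchport nonegotiate' and 'switchport trunk native vlan' are standard IOS commands the thread does not mention, and the sample config is constructed.

```python
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user port left at factory defaults
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport port-security
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
"""  # constructed sample running-config, not taken from the thread
def parse_interfaces(config):
    """Map each interface name to its indented configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return interfaces
def setting(lines, prefix, default):
    """Last word of the line starting with prefix, or default if absent."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)
def audit(config):
    """Return {interface or '(global)': [findings]} for the defaults thort lists."""
    results = {}
    if "spanning-tree portfast bpduguard default" not in config:
        results["(global)"] = ["no 'spanning-tree portfast bpduguard default'"]
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
        f = []
        if mode == "dynamic":       # no explicit mode: DTP can negotiate a trunk
            f.append("DTP left at default: port may negotiate itself into a trunk")
        if mode == "trunk":
            if setting(lines, "switchport trunk native vlan ", "1") == "1":
                f.append("trunk native VLAN is still 1")
            if "switchport nonegotiate" not in lines:
                f.append("trunk still sends DTP; add 'switchport nonegotiate'")
        else:
            if setting(lines, "switchport access vlan ", "1") == "1":
                f.append("port sits in the default management VLAN 1")
            if "switchport port-security" not in lines:
                f.append("no 'switchport port-security'")
        if f:
            results[name] = f
    return results
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to get the per-port findings.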
I have a problem understanding VLAN hopping. I want to demonstrate this attack. At the moment I have got 2 switches. Switch 1 has two PCs, 1 in VLAN 2 and the other in VLAN 3. The second switch also has two PCs, 1 in VLAN 2 and the other in VLAN 3.

At the moment they cannot ping etc. Switch 1 has a VLAN 1 IP address of Switch 2 has a VLAN 1 IP address of The switches have trunking between them. I have set that up by using switchport trunk encap 802.1Q on both sides. By the way, the native VLAN is 1.

I have got an attack PC on VLAN 1 using yersinia. And I cannot get onto another VLAN.

Can anyone help me out please...
Ford Perfect
Here you can find an example for misusing DTP with yersinia:

Hope it helps.