Cyber Security: VLAN Double Tagging (Hopping) Attacks explained

VLANs are used for Layer 2 logical segmentation. Each VLAN forms its own broadcast domain. Communication between VLANs is only possible by a router, such as a Layer 3 Switch or a Router configured with Sub-Interfaces (Router-on-a-Stick) or multiple LAN connections.

A trunk port is a port for communication between switches, and for transporting multiple VLANs via a link. VLAN 1 is the default VLAN on all switches. So far, so good. This should give a short overview of VLANs. The following  is also topic of the Cisco CCNA and CCNP curriculum.

Consider the following scenario in a VLAN environment where VLAN 10 is the Native VLAN for trunk links.


The computer in the lower right corner is in VLAN 40, and communication between VLAN 10 and VLAN 40 is – by design – not possible, even not wanted.

Remember that VLAN 10 is configured as the Native VLAN by the network technician. (default: VLAN 1). The attacker gains access to a switchport which is in VLAN 10.


1. The attacker is connected to a switch port in VLAN 10 and uses a program to modify the packet he wants to send to a PC in VLAN 40. Two VLAN IDs now appear in the frame. VLAN 10 and VLAN 40.

2. The switch receives the frame and recognizes that this packet is coming from a device of VLAN 10. All packets of VLAN 10 (Native VLAN) are not tagged. Frames of the Native VLAN are never tagged. So, the switch removes the VLAN 10 identifier, leaving only one entry: VLAN 40, which forwards the frame to the next switch.

3. The next switch receives the frame with VLAN ID 40 and forwards it correctly to the computer in VLAN 40.

4. The computer in VLAN 40 receives the frame. This should not be possible, because the attacker is not in the same VLAN segment as the computer.

How can this be prevented?

No access port should be assigned to the Native VLAN.

If the attacker is not in Native VLAN 10, but for example in VLAN 20, the switch does not remove the first VLAN entry. This means that VLAN 20 remains as an entry in the frame and the attacker can only communicate with devices in VLAN 20.


1 reply »

  1. Great article. So if all our trunks are tagged with VLAN 400, but we have a VLAN 1 host vlan that our users use… we are oK?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.