Episode 149: VLAN Hopping and Layer 2 Exploits
Layer 2 security is essential because many types of attacks can occur entirely within the boundaries of a single switch, often bypassing traditional security measures like firewalls or intrusion prevention systems. These threats do not rely on accessing routers or external systems—they exploit the very fabric of local network behavior. One key issue is that many switches are deployed with default configurations that leave them vulnerable. Without hardening, these switches can become entry points for malicious activity, especially in networks that use virtual LANs for segmentation. VLANs are only as secure as their enforcement, and improper configuration can turn segmentation into a false sense of security.
This episode focuses on VLAN hopping and Layer 2 exploits, which are techniques that attackers use to manipulate the behavior of switches and access unauthorized network segments. VLAN hopping is particularly insidious because it allows malicious traffic to cross boundaries that should be isolated. Many of these attacks are made possible by switch misconfigurations—settings that were either left at defaults or improperly adjusted. These missteps can open the door to threats that would otherwise be blocked. By understanding how these attacks work, network professionals can protect the local broadcast domain and prevent breaches that originate within the internal network.
VLAN hopping refers to a technique in which an attacker sends specially crafted Ethernet frames that are designed to cross from one VLAN to another. This bypasses the segmentation that VLANs are meant to provide. The result is that the attacker gains access to data or systems on a different VLAN, violating the principle of isolation. These attacks do not require compromising a router or gateway—just improper configuration on the switch. When a switch is not correctly configured, frames can be processed in ways that allow unauthorized traversal between segments.
One of the primary methods of VLAN hopping is called switch spoofing. In this scenario, the attacker configures their device to behave like a switch. The rogue device sends trunk negotiation signals that attempt to convince a real switch to form a trunk link. If the legitimate switch is set to auto-negotiate trunks, it may accept the request and create a trunk between itself and the attacker. This allows the attacker to send and receive traffic for multiple VLANs, giving them access to data from segments they should never see. This technique relies heavily on the trust-based nature of trunk negotiation protocols.
Double tagging is another VLAN hopping technique that leverages the way switches process tagged Ethernet frames. In a double tagging attack, the attacker crafts a frame with two VLAN tags—one outer tag and one inner tag. The first switch in the path removes the outer tag, thinking it's part of normal trunking behavior. However, it leaves the inner tag in place and forwards the frame. The next switch sees the inner tag and forwards the frame accordingly, which may be into a different VLAN. This effectively allows the attacker to jump into a new segment, even when their port was not authorized for that destination.
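As an added example (not code from the episode), a small Python parser that walks the 802.1Q tag stack of a captured frame and flags the two conditions a monitoring tap should care about: any tagged frame arriving on a port that is supposed to be an access port, and a frame carrying two tags whose outer tag is the trunk's native VLAN. The sample frame is constructed inline so the parser can be exercised offline.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8  # service VLAN tag (802.1ad, "QinQ")
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids outer->inner, ethertype, payload) for one Ethernet frame.

    After the 12-byte destination/source MACs, each tag is a 2-byte TPID followed
    by a 2-byte TCI whose low 12 bits hold the VLAN ID; tags may be stacked.
    """
    offset, vlan_ids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            return vlan_ids, ethertype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4

def classify_frame(frame: bytes, port_mode: str, native_vlan: int) -> str:
    """Classify a frame seen on a port ('access' or 'trunk') from a defender's view."""
    vlan_ids, _, _ = parse_vlan_tags(frame)
    if port_mode == "access" and vlan_ids:
        return "tagged frame on access port"
    if len(vlan_ids) >= 2 and vlan_ids[0] == native_vlan:
        return "double-tagged frame with native-VLAN outer tag"
    if len(vlan_ids) >= 2:
        return "stacked VLAN tags"
    return "ok"

def build_sample(vlan_ids) -> bytes:
    """Constructed test frame: broadcast dst, locally administered src, the given
    802.1Q tag stack, then an IPv4 EtherType and 20 bytes of dummy payload."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vlan_ids)
    return header + tags + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
```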
Certain network conditions make VLAN hopping possible. The most significant is when switch ports are configured to use dynamic trunking, which allows them to automatically negotiate trunk links without explicit approval. This opens the door for switch spoofing. Another issue is native VLAN misconfiguration. If the native VLAN is not clearly defined or overlaps with active VLANs, then double tagging becomes more feasible. Additionally, failing to implement trunk filtering means that unnecessary VLANs are allowed on trunks, broadening the attack surface.
To reduce the risk of VLAN hopping, disabling the Dynamic Trunking Protocol is an essential first step. DTP is used by switches to negotiate trunk links, but it should be disabled on all ports unless trunking is explicitly required. By configuring all ports to default to access mode, administrators can ensure that devices cannot trigger trunk negotiation without manual approval. Locking down ports in this way significantly limits the potential for unauthorized trunk formation, making switch spoofing and related attacks far less likely to succeed.
Best practices for configuring the native VLAN also play a crucial role in security. The native VLAN is the default untagged VLAN used on trunk links, and it is often exploited in double tagging attacks. To mitigate this risk, administrators should assign an unused and otherwise inactive VLAN as the native. This ensures that if traffic is misrouted or untagged by accident or by design, it cannot land in a productive or sensitive segment. Explicitly defining native VLANs and avoiding overlap with operational VLANs helps tighten security at the trunk level.
Layer 2 exploits are not limited to VLAN hopping. Other attacks such as MAC flooding, ARP spoofing, and manipulation of the Spanning Tree Protocol can all compromise the integrity of a local network. These threats exploit fundamental behaviors of switches, such as address learning and topology discovery. While they differ in execution, they share a common theme: the attacker uses standard Layer 2 functions in unintended ways to gain advantage, disrupt traffic, or eavesdrop on sensitive communications.
MAC flooding is a particularly disruptive Layer 2 exploit. It involves sending a large volume of Ethernet frames with fake or randomized source MAC addresses to the switch. This overwhelms the switch's MAC address table, causing it to enter a fail-open mode. When that happens, the switch broadcasts all incoming frames to all ports, essentially acting like a hub. This allows the attacker to observe a large portion of network traffic that would otherwise be isolated. MAC flooding can be a precursor to more targeted attacks, such as credential harvesting or session hijacking.
The Spanning Tree Protocol, which is designed to prevent network loops by organizing switches into a logical topology, can also be abused. An attacker can send superior Bridge Protocol Data Units, or BPDUs, that cause their device to be elected as the root bridge. Once this role is assumed, the attacker can influence the flow of traffic across the network. This control could be used to reroute sensitive data through a malicious node, or to disrupt connectivity by introducing instability into the topology. STP manipulation is subtle but dangerous, especially in networks that do not enforce strict BPDU filtering.
For more cyber-related content and books, please check out cyber author dot me. Also, there are other podcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Port security is one of the most effective mechanisms to defend against attacks that exploit Layer 2 behavior. This feature allows administrators to specify how many MAC addresses can be learned on a port. If a device tries to connect using a different address than what is allowed, the port can automatically take protective action, such as shutting down or restricting traffic. This limits the opportunity for attackers to plug into the network and begin manipulating switch behavior or collecting unauthorized traffic from a compromised port.
Features like BPDU Guard and Root Guard further protect the stability of a Layer 2 environment. BPDU Guard works by shutting down a port that unexpectedly receives a BPDU, helping to prevent unauthorized participation in the Spanning Tree Protocol. This stops rogue devices from attempting to change the network topology. Root Guard, on the other hand, ensures that no unexpected device can become the root bridge: a superior BPDU arriving on a guarded port is not honored, so the administrator's chosen root keeps its role. Together, these tools help preserve a predictable and secure switch environment.
Storm control helps prevent broadcast storms, which can overwhelm a switch’s processing capacity and render the network unusable. This feature places thresholds on the amount of broadcast, multicast, or unknown unicast traffic a switch port will accept. Once the threshold is exceeded, the switch can drop excess frames or limit traffic flow. This is especially useful for protecting against Layer 2 denial-of-service attacks, which attempt to flood a network with traffic to create disruption or mask other malicious activity occurring at the same time.
Locking down access ports is a foundational step in securing switches from internal threats. Access mode ensures that a port will only carry traffic for a single VLAN and will not attempt to negotiate a trunk. This greatly reduces the risk of switch spoofing and VLAN hopping. In addition, disabling any ports that are not in use removes potential entry points for attackers. Finally, avoiding default VLAN assignments like VLAN 1 helps prevent unintended connections between devices that may have been misconfigured or overlooked during deployment.
Although VLANs are useful for segmenting network traffic, they should never be treated as a complete security solution. Relying on VLANs alone can lead to a false sense of protection. Access control lists and packet filtering provide additional enforcement at the switch or router level. In more sensitive or segmented environments, combining VLANs with routing boundaries or firewall rules ensures that traffic separation is based on more than just virtual segmentation. This layered approach is key for addressing the limitations of basic Layer 2 separation.
Effective monitoring can make the difference between detecting an attack early or suffering an extended breach. Administrators should use tools such as SNMP and syslog to collect real-time data about switch behavior. These systems can alert teams when anomalies occur, such as excessive MAC address learning, which may indicate a MAC flooding attempt. Unusual BPDU patterns or root bridge changes should also be flagged. Proactive monitoring gives network teams visibility into potential exploits that traditional firewall logs or host-based tools might miss.
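The hardening steps above (disable DTP, define a dedicated native VLAN, enable port security and BPDU Guard, keep access ports off VLAN 1) can be checked mechanically. As an added example that is not from the episode, this Python audit parses a constructed IOS-style running-config and reports each interface's gaps; the assumption that a port with no explicit mode defaults to dynamic auto (DTP on) is noted in a comment.

```python
import re
# Constructed sample of an IOS-style running-config (not taken from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
!
"""

def parse_interfaces(config):
    # Split the config into {interface name: [its indented lines, stripped]}.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_interface(lines):
    # Return the misconfigurations the episode describes for one interface (empty = clean).
    text = "\n".join(lines)
    def get(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    mode = get(r"^switchport mode (\S+)") or "dynamic"  # assumed default: dynamic auto (DTP on)
    checks = {
        "dynamic": [(True, "DTP negotiation enabled (switch spoofing risk)")],
        "trunk": [
            ("switchport nonegotiate" not in lines, "trunk still speaks DTP"),
            ((get(r"^switchport trunk native vlan (\d+)") or "1") == "1", "native VLAN is 1 or undefined (double tagging risk)"),
            (get(r"^switchport trunk allowed vlan (.+)") is None, "all VLANs allowed on trunk (no trunk filtering)"),
        ],
        "access": [
            ((get(r"^switchport access vlan (\d+)") or "1") == "1", "access port left on VLAN 1"),
            ("switchport port-security" not in lines, "port security not enabled"),
            ("spanning-tree bpduguard enable" not in lines, "BPDU Guard not enabled"),
        ],
    }
    return [message for bad, message in checks.get(mode, []) if bad]
```

Run it as `{name: audit_interface(lines) for name, lines in parse_interfaces(SAMPLE_CONFIG).items()}` to get a per-interface report.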
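An added example (not part of the episode) of the alerting just described: a Python detector run over constructed syslog lines in a hypothetical message format (no vendor's real format), flagging a port that learns more than a threshold of distinct MAC addresses inside a sliding window and every root bridge change.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical syslog line format for this example (not any vendor's real format):
#   <ISO-8601 time> <switch> MAC-LEARN: mac <addr> port <interface>
#   <ISO-8601 time> <switch> STP-ROOT-CHANGE: new root <bridge-id> via port <interface>
LINE_RE = re.compile(r"^(\S+) (\S+) (MAC-LEARN|STP-ROOT-CHANGE): (.*)$")
DETAIL_RE = re.compile(r"mac (\S+) port (\S+)")

def detect_l2_anomalies(lines, mac_limit=20, window=timedelta(seconds=10)):
    """Alert once per port that learns more than mac_limit distinct MACs inside a
    sliding time window (MAC flooding indicator) and on every root bridge change."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # port -> (time, mac) events still inside the window
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated message; a real pipeline would route it elsewhere
        ts, switch, kind, detail = m.groups()
        now = datetime.fromisoformat(ts)
        if kind == "STP-ROOT-CHANGE":
            alerts.append((switch, "root bridge changed: " + detail))
            continue
        mac, port = DETAIL_RE.search(detail).groups()
        events = recent[port]
        events.append((now, mac))
        while events and now - events[0][0] > window:
            events.popleft()  # drop learns that fell out of the window
        distinct = {addr for _, addr in events}
        if len(distinct) > mac_limit and port not in flagged:
            flagged.add(port)
            alerts.append((switch, f"{port} learned {len(distinct)} MACs in {window.seconds}s (MAC flooding?)"))
    return alerts

def make_sample():
    """Constructed log: one quiet port, one port learning 50 MACs in 5 s, one root change."""
    lines = ["2024-05-01T10:00:00 SW1 MAC-LEARN: mac 02:00:00:00:00:aa port Gi1/0/2"]
    for i in range(50):
        lines.append(f"2024-05-01T10:00:{i // 10:02d} SW1 MAC-LEARN: mac 02:00:00:00:{i:02x}:01 port Gi1/0/7")
    lines.append("2024-05-01T10:00:06 SW1 STP-ROOT-CHANGE: new root 4096.0200.0000.0001 via port Gi1/0/7")
    return lines
```

The MAC threshold should mirror the port-security maximum configured on the access ports, so the log-side alert fires at the same point the switch would take action.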
From an exam perspective, candidates should be prepared to evaluate and correct switch misconfigurations that could enable VLAN hopping. This might include identifying interfaces that are incorrectly set to dynamic trunking, or spotting native VLAN overlap. You may also be asked to select appropriate port security settings for a given scenario or recognize signs of switch spoofing or double tagging. Understanding these Layer 2 threats and their prevention mechanisms is key for performing well on the certification.
Layer 2 attack prevention begins with a recognition that configuration is everything. VLAN hopping is not a flaw in the VLAN technology itself—it is a consequence of misconfigured ports, trunks, and filtering. By carefully applying security settings at the access and trunk levels, organizations can block many of the exploits that would otherwise compromise the switch. The defense must start at the very first point of connection where devices enter the network.
The threats we’ve covered in this episode highlight how much trust is placed in the proper behavior of switches. From the processing of tagged frames to the enforcement of port-level rules, switches play a pivotal role in local network security. Missteps at Layer 2 can allow attackers to bypass segmentation, intercept data, or take control of the network topology. Understanding how to configure these devices properly is not just essential for passing the certification—it’s foundational for building secure and resilient networks.
