Basic and Double Encapsulation VLAN Hopping

Our weekly course module introduced us to layer 2 attacks, specifically MAC & ARP attacks. I added to the discussion by introducing basic and double encapsulation VLAN hopping. I also provided mitigation techniques after presenting my findings.

One of the ways attackers are able to bypass security protection is by exploiting virtual local area network (VLAN) weaknesses. The main purpose of using VLANs is proper isolation of assets for increased security of high value assets. For example, your company’s product database should always sit on a separate VLAN from the publicly facing web server.

Implementing segmentation is a security best practice that makes the assets on each VLAN more difficult to attack or less susceptible to compromise. Note that VLANs in and of themselves cannot stop a system from being compromised, especially if either the tag or a system that has legitimate access to the VLAN is compromised. Let’s look at two types of VLAN hopping attacks.

Basic VLAN Hopping

Attackers can perform VLAN hopping by spoofing workstations to act as trunk ports, resulting in attackers workstation becoming a member of all VLANs. Cisco’s default configuration trunks VLANs over the switch port, thereby allowing hackers to see all VLAN traffic (Mason, 2011).

Double Encapsulation VLAN Hopping

Since Cisco remediated this vulnerability in newer versions of IOS updates, hackers started using double encapsulation VLAN hopping attacks. Double encapsulation involves stripping the first and second tag followed by sending the frames to a separate VLAN ID (Rouiller, 2016). The attack is successful because the switches are limited to performing a single level of de-encapsulation.

Mitigations Techniques

Basic VLAN hopping mitigation: disable unused ports and assign all others as access mode (Mason, 2011). Cisco also advises users to disable dynamic trunk protocol (Cisco Networking Academy, 2014).

Double encapsulation hopping mitigation: implement a fixed native VLAN from other user VLANS for all 802.1Q trunks (Cisco Networking Academy, 2014). Another mitigation technique is to always use a “dedicated VLAN ID for all trunk ports” (Rouiller, 2016).

In addition to these measures, there should be ongoing audits of ports and services allowed. LAN and VLAN audits should also be performed regularly to ensure that no misconfigurations exist and that only authorized users have access to change router configurations.

Share the love!

4 thoughts on “Basic and Double Encapsulation VLAN Hopping”

  1. Right here is the perfect blog for everyone who really wants to understand this topic. You know so much its almost tough to argue with you (not that I really would want laugh out loud). You definitely put a new spin on a subject which has been discussed for a long time. Excellent stuff, just wonderful!

  2. I’m really enjoying the design and layout of your website. It’s a very easy on the eyes which makes it much more enjoyable for me to come here and visit more often. Did you hire out a designer to create your theme? Excellent work!

  3. Hola! I’ve been reading your blog for a while now and finally got the bravery to go ahead and give you a shout out from Humble Tx! Just wanted to tell you keep up the fantastic work!

Comments are closed.