CHAPTER 7
Campus Network Security
802.1Q Double-Tagging
A double-tagging attack is possible because 802.1Q trunking does not tag frames from the native VLAN. In this attack, the attacking computer negotiates a trunk port between itself and the switch and then generates frames with two 802.1Q tags. The first (outer) tag matches the native VLAN of the trunk port, and the second (inner) tag matches the VLAN of a host it wants to attack, as shown in Figure 7-1. The first switch in the path strips off the first 802.1Q tag and forwards the frame to adjacent switches. The next switch forwards the frame based on the VLAN listed in the second tag.

The double-tagging method of VLAN hopping works even if trunk ports are set to off, provided the trunk's native VLAN is the same as the VLAN the attacker is in.

Switch A removes the first tag for VLAN 100 because it matches the native VLAN for that link. It forwards the frame out all links with the same native VLAN, including its link to Switch B. Switch B sees the frame come in with an 802.1Q tag for VLAN 200, so it forwards it out the VLAN 200 link to the victim computer.

To mitigate this type of attack, use the same strategies used for switch spoofing. You can also use VLAN access control lists, called VACLs, or implement Private VLANs.
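To make the forwarding behaviour described above concrete, here is a small Python model of two 802.1Q switches. It is an added example, not code from the book or from Cisco. Frames are built as real bytes (MAC addresses, stacked 0x8100 tags, EtherType); each switch classifies a frame on ingress, floods it within the VLAN, and re-tags on egress, leaving the native VLAN untagged unless the trunk is configured to tag it. The scenario reproduces Figure 7-1 (attacker trunk and the Switch A to Switch B trunk both with native VLAN 100, victim on an access port in VLAN 200) and then reruns it with two of the switch-spoofing countermeasures the text refers to, which I take to be moving the native VLAN to an unused VLAN and tagging the native VLAN (the Cisco `vlan dot1q tag native` command). Port names, MAC addresses and VLAN 999 are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"data"):
    """Ethernet frame with stacked 802.1Q tags, outermost first (vids=[] gives an untagged frame)."""
    macs = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return macs + tags + struct.pack("!H", ethertype) + payload


def parse_vids(frame):
    """VLAN IDs in the frame's tag stack, outermost first ([] if untagged)."""
    off, vids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def pop_tag(frame):
    """Remove the outermost tag (the 4 bytes that follow the two MAC addresses)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert a new outermost 802.1Q tag carrying vid."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


class Port:
    """'access' ports use .vlan; 'trunk' ports use .native and .tag_native (vlan dot1q tag native)."""
    def __init__(self, name, mode, vlan=None, native=None, tag_native=False):
        self.name, self.mode, self.vlan = name, mode, vlan
        self.native, self.tag_native = native, tag_native


class Switch:
    """Minimal 802.1Q bridge: classify on ingress, flood within the VLAN, re-tag on egress."""
    def __init__(self, name, ports):
        self.name = name
        self.ports = {p.name: p for p in ports}

    def ingress(self, port, frame):
        """Return (vlan, frame with outer tag removed), or (None, None) if the frame is dropped."""
        p, vids = self.ports[port], parse_vids(frame)
        if p.mode == "access":
            if not vids:
                return p.vlan, frame
            # an access port accepts a tagged frame only for its own VLAN
            return (p.vlan, pop_tag(frame)) if vids[0] == p.vlan else (None, None)
        if not vids:
            return p.native, frame       # untagged on a trunk means the native VLAN
        return vids[0], pop_tag(frame)   # outer tag decides the VLAN; anything beneath it is payload

    def egress(self, port, vlan, frame):
        """Frame as transmitted on port for this VLAN, or None if the port is not in the VLAN."""
        p = self.ports[port]
        if p.mode == "access":
            return frame if vlan == p.vlan else None
        if vlan == p.native and not p.tag_native:
            return frame                 # the gap: native-VLAN traffic leaves the trunk untagged
        return push_tag(frame, vlan)

    def forward(self, in_port, frame):
        """Flood to every other port that is a member of the frame's VLAN: {port: frame on the wire}."""
        vlan, inner = self.ingress(in_port, frame)
        if vlan is None:
            return {}
        out = {}
        for name in self.ports:
            if name != in_port:
                wire = self.egress(name, vlan, inner)
                if wire is not None:
                    out[name] = wire
        return out


def double_tag_scenario(trunk_native, tag_native=False):
    """Attacker (negotiated trunk, native 100 as in Figure 7-1) sends outer tag 100 / inner tag 200.
    Returns the VLAN Switch B delivers the frame in on the victim port, or None if it never arrives."""
    sw_a = Switch("A", [Port("Gi0/1", "trunk", native=100),  # attacker's link (constructed names)
                        Port("Gi0/24", "trunk", native=trunk_native, tag_native=tag_native)])
    sw_b = Switch("B", [Port("Gi0/24", "trunk", native=trunk_native, tag_native=tag_native),
                        Port("Gi0/2", "access", vlan=200)])   # victim in VLAN 200
    attack = build_frame("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:0a", [100, 200])  # constructed sample
    to_b = sw_a.forward("Gi0/1", attack).get("Gi0/24")
    if to_b is None or "Gi0/2" not in sw_b.forward("Gi0/24", to_b):
        return None
    return sw_b.ingress("Gi0/24", to_b)[0]


if __name__ == "__main__":
    print("native 100 on trunk (as in the figure):", double_tag_scenario(100))        # 200
    print("native moved to unused VLAN 999:", double_tag_scenario(999))               # None
    print("native 100 but tagged on the trunk:", double_tag_scenario(100, True))      # None
```

In the first run the frame reaches the victim in VLAN 200 because Switch A sends its VLAN 100 traffic untagged across the trunk, so the inner tag becomes the outer one at Switch B. In the other two runs Switch A adds a VLAN 100 tag on the trunk, Switch B keeps the frame in VLAN 100, and the inner tag never becomes visible. VACLs and Private VLANs, the other mitigations the text names, are not modelled here.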
[ 84 ]
© 2010 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 112 for more details.
CCNP SWITCH 642-813 Quick Reference by Denise Donohue
FIGURE 7-1 VLAN Hopping by 802.1Q Double-Tagging
[Figure: Attacker, Switch A, Switch B, Target in VLAN 200. Both trunk links use native VLAN 100. The attacker's frame carries two 802.1Q tags ahead of the data (outer VLAN 100, inner VLAN 200); between Switch A and Switch B only the VLAN 200 tag remains; the target receives untagged data.]