What are the two primary methods of performing a VLAN Hopping attack?
- Switch Spoofing; 2. Double Tagging (Double Encapsulation).
How does an attacker initiate a Switch Spoofing attack?
By configuring their device to act as a switch and using Dynamic Trunking Protocol (DTP) to negotiate a trunk link.
What is the main security risk of leaving a port in ‘Dynamic Desirable’ or ‘Dynamic Auto’ mode?
It allows an attacker to negotiate a trunk via DTP and access all VLANs permitted on that trunk.
Which command prevents a switch port from negotiating a trunk link?
switchport nonegotiate.
Which specific 802.1Q feature does a Double Tagging attack exploit?
The Native VLAN feature.
Why is a Double Tagging attack considered ‘unidirectional’?
The attacker can send traffic to a victim in a different VLAN but return traffic cannot traverse back using the same double-tag method.
What is the role of the ‘Outer Tag’ in a Double Tagging attack?
It must match the Native VLAN of the trunk link so the first switch strips it and forwards the frame with the ‘Inner Tag’ intact.
What happens when the second switch receives a double-tagged frame after the first switch strips the outer tag?
It sees the inner tag and forwards the frame to the target VLAN specified by that tag.
What are two critical steps to mitigate VLAN Hopping?
- Disable DTP on all ports; 2. Place unused ports into a common, unrouted VLAN.
How do you prevent Double Tagging on a trunk link?
Change the Native VLAN to an unused ID and force the switch to tag the native VLAN using ‘vlan dot1q tag native’.
True or False: Disabling DTP is enough to stop a Double Tagging attack.
False. Double Tagging exploits native VLAN behavior, not trunk negotiation protocols.
What is a Switch Spoofing attack?
An attack where a threat actor acts as a switch and uses DTP to negotiate a trunk link to gain access to all VLANs.
Which Cisco protocol is exploited during a Switch Spoofing attack?
Dynamic Trunking Protocol (DTP).
How do you prevent Switch Spoofing on an access port?
Configure the port manually with ‘switchport mode access’ to disable trunk negotiation.
What is the command to stop a port from sending DTP messages?
switchport nonegotiate.
What is the primary goal of an STP attack?
To spoof the Root Bridge, forcing network traffic to flow through the attacker’s device for interception.
How does an attacker become the Root Bridge in an STP attack?
By sending a superior BPDU with a lower Bridge Priority (e.g., 0) than the current Root Bridge.
What happens to a port if BPDU Guard is enabled and it receives a BPDU?
The port is immediately placed into the ‘err-disabled’ state and shut down.
Where should BPDU Guard be typically applied?
On access ports connected to end-user devices (where no switch should ever be connected).
What is the purpose of Root Guard?
To prevent a port from becoming a Root Port if it receives a superior BPDU, keeping the Root Bridge in a controlled location.
What state does a port enter if Root Guard detects a superior BPDU?
Root-inconsistent state (effectively blocking traffic until the superior BPDUs stop).
True or False: Root Guard should be enabled on all ports of every switch.
False. It should only be enabled on designated ports leading to switches you do not control.
What does PortFast do for a switch port?
It allows an access port to bypass the listening and learning states, moving immediately to the forwarding state.
