VLAN Hopping

VLAN Hopping is an exploitation method used to attack a network with multiple VLANs. It is an attack that involves an attacking system to deploy packets. These packets have a destination of a system on a separate VLAN which would, in normal circumstances, not be accessible by the attacker. VLAN Hopping attacks are primarily conducted within the Dynamic Trunking Protocol (DTP). Often, VLAN Hopping attacks are directed at the trunking encapsulation protocol (802.1q or ISL).

Mitigation – The mitigation of VLAN hopping attacks requires a number of changes to the VLAN configuration. Start by using dedicated VLAN IDs for all trunking ports on a switch, and move all interfaces out of VLAN 1. In addition, it is advisable to disable any unused switch ports and move them to a VLAN that is not being used. Explicitly disable DTP on all user ports to set them to non-trunking mode and/or force it to be an access port.

To do this on a cisco switch, use 

  • switchport nonegotiate and
  • switchport mode access


  • BackTrack                               (BackTrack 5 R3 Released! Aug 13th, 2012)
  • Yersinia
  • vconfig
  • Wireshark
  • Nmap

Connect to you network and obtain a network address (DHCP)

dhclient eth0


I’m attached to the network

Launch wireshark and check the network for DTP (Dynamic Trunking Protocol) frames and CDP (Cisco Discovery Protocol) frames.


As above both CDP and DTP frames present.

Launch Yersinia and point  at DTP

yersinia -I


DTP frames appear in Yersinia –  launch the attack to configure the port for trunking.


Before launching Yersinia I could only see traffic from my own network (, now I can start to see traffic from hosts on another network (192.168.2.X).


As per the 802.1Q information in the frame I can see that the other network is on VLAN 2.


Create a new interface in the new network and configure vconfig to tag the frames for VLAN2.

vconfig add eth0 2
ifconfig eth0.2 up
ifconfig eth0.2

VLANPing (ICMP) the host –  look at it’s ports with Nmap.

ping -c 2