LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does a VLAN hopping attack via switch spoofing work, and how do you prevent it?

The attacker configures their NIC (Network Interface Card) to act as a switch and sends DTP (Dynamic Trunking Protocol) frames to negotiate a trunk link. If the port is in dynamic auto or dynamic desirable mode, a trunk forms and the attacker gains access to all VLANs (Virtual Local Area Networks).

A rogue device adding a tag in the native VLAN to reach other VLANs across a trunk.

* VLAN hopping across a trunk via the native VLAN. — Braonle, CC BY-SA 4.0, via Wikimedia Commons. *

The attack:

  1. Attacker's device sends DTP frames to the switch port
  2. If the port is set to dynamic auto or dynamic desirable (default on many switches), it negotiates a trunk
  3. Once the trunk is established, the attacker can send and receive 802.1Q-tagged frames for any VLAN
  4. The attacker now has access to every VLAN on the switch — effectively bypassing all VLAN segmentation

Why it works: By default, many Cisco switch ports are set to dynamic auto — they'll become a trunk if the other side requests it. The attacker simply requests trunking.

Prevention:

! On ALL access ports:
Switch(config-if)# switchport mode access        ! Force access mode — never trunk
Switch(config-if)# switchport nonegotiate         ! Disable DTP entirely

! On trunk ports:
Switch(config-if)# switchport mode trunk           ! Manually set to trunk
Switch(config-if)# switchport nonegotiate          ! Disable DTP negotiation

! Disable unused ports:
Switch(config-if)# shutdown
Switch(config-if)# switchport access vlan 999      ! Assign to unused "black hole" VLAN

Tip: The single most important step: never leave ports in dynamic mode. Every port should be explicitly set to either access or trunk.

Go deeper:

  • doc VLAN hopping (Wikipedia) — covers switch-spoofing via DTP trunk negotiation and the disable-DTP / access-only-port countermeasure.

From Quiz: NETW2 / LAN Security Concepts | Updated: Jul 05, 2026