VLAN Hopping Attacks Explained: Switch Spoofing and Double Tagging

VLAN hopping bypasses Layer 2 isolation. The two attacks (switch spoofing via DTP, double tagging via the native VLAN) and the four-line Cisco configuration that defeats both.

VLAN hopping is a class of Layer 2 attacks that lets a malicious host on one VLAN reach another VLAN without going through a router or firewall. It bypasses every Layer 3 control you have. Most networks are still vulnerable to it because the defaults that enable it (Dynamic Trunking Protocol on every port, native VLAN of 1) are still defaults.

This article walks through the two main VLAN hopping attacks, how they actually work at the protocol level, the four-line configuration that defeats both, and the broader Layer 2 hardening pattern. If you are a network or security engineer responsible for a Cisco-based campus, treat this as the minimum-required read.

The Threat Model

VLAN hopping assumes the attacker is on the network. They are connected to a switch port (perhaps a wall jack in a conference room, perhaps a VM in a virtualized fabric) on one VLAN. From there, they want to reach a different VLAN: the server VLAN, the management VLAN, the voice VLAN.

The conventional defense is that VLANs are isolated at Layer 2. The only way out is through a Layer 3 gateway, where you presumably have ACLs and inspection. VLAN hopping defeats this assumption. The attacker reaches the target VLAN at Layer 2, before any router gets a chance to apply policy.

Two attacks dominate: switch spoofing (DTP-based) and double tagging (native VLAN-based).

Attack #1: Switch Spoofing via DTP

Cisco's Dynamic Trunking Protocol (DTP) is enabled by default on Catalyst switch ports. Its purpose is automatic trunk negotiation: if you connect two switches, DTP detects this and forms a trunk without manual configuration. The default mode is dynamic auto, which will form a trunk if the other side initiates.

The attack: the malicious host on the access port speaks DTP and proposes "I am a switch, let's negotiate a trunk." The Catalyst switch agrees (default behavior of dynamic auto when receiving a desirable proposal), and the port becomes a trunk. Now the attacker receives every VLAN that is allowed on the trunk, which by default is every VLAN that exists on the switch.

The walk-through:

  1. Attacker plugs into a wall jack. Default Cisco port config: switchport mode dynamic auto, native VLAN 1.
  2. Attacker runs a tool like Yersinia that crafts DTP packets advertising desirable mode.
  3. Switch sees the DTP advertisement, transitions the port to trunk mode automatically.
  4. Attacker now sees 802.1Q-tagged frames for every VLAN configured on the switch. Connecting to any VLAN is a matter of joining a virtual interface to that VLAN ID and getting an IP via DHCP for that subnet.

The attacker can now ARP, DHCP, send any frame, and receive any frame on any VLAN. From the network's perspective, the attacker is just another switch.

Defense: Disable DTP Everywhere

The fix is two lines per access port:

Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate

The first command pins the port to access mode. The second disables DTP entirely (sends no DTP frames, ignores received DTP frames). With both in place, the port cannot become a trunk via negotiation. An attacker speaking DTP gets no response.

For trunk ports between switches:

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport nonegotiate

The trunk is configured manually (no DTP). This is the PingLabz default for every trunk in production.

Why switchport nonegotiate matters even when you set switchport mode access: access mode stops the port from becoming a trunk, but not from sending DTP frames. Those frames are visible on the wire and reveal information about the switch. nonegotiate shuts DTP off entirely.

Attack #2: Double Tagging via the Native VLAN

Native VLAN frames cross trunks untagged. An attacker on the native VLAN can craft a frame with two 802.1Q tags: an outer tag matching the native VLAN, and an inner tag matching the target VLAN. When the frame hits the first switch, the switch strips the outer tag (because it matches the native VLAN, which is sent untagged across the trunk), and then forwards the frame across the trunk with only the inner tag intact. The next switch sees a frame tagged for the target VLAN and forwards it accordingly.

The walk-through, accurate to the protocol:

  1. The attacker on an access port in VLAN 1 sends a frame with one 802.1Q tag inside it: tag VID = 100 (target VLAN).
  2. The first switch receives this frame on an access port. From the switch's perspective, the frame arrived on an access port in VLAN 1, so the switch internally classifies it as VLAN 1.
  3. The switch forwards the frame out an 802.1Q trunk. Because the frame is in VLAN 1 and VLAN 1 is the native VLAN of the trunk, the switch sends it untagged - meaning it does not add a new outer tag. But the attacker's inner tag (VID 100) is still there.
  4. The trunk peer receives the frame, sees one tag (VID 100), and treats it as a frame for VLAN 100. The frame has hopped from VLAN 1 to VLAN 100.

This attack is one-way: the attacker can send into the target VLAN but cannot receive responses, because a response would cross the trunk tagged VID 100 and the first switch would deliver it to VLAN 100, not to VLAN 1 where the attacker actually sits. For DHCP starvation, ARP spoofing, or other single-direction packet injection (some exploits need nothing more), one-way is enough.
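To make the tag-stripping step concrete, here is a Python model of the path just described. It is illustration code added for this article, not a tool from the article's author, Yersinia or Scapy. It builds a frame with a stack of 802.1Q tags, models the access-port ingress, the trunk egress with a configurable native VLAN and tag-native setting, and the trunk peer's VLAN classification, and includes a small detection helper that counts stacked tags. The MAC addresses, payload and VLAN numbers are constructed. The rule that an access port removes a tag matching its own VLAN and carries any other tag along as payload is a simplifying assumption; real platforms differ in what they do with tagged frames arriving on access ports.

```python
# Added illustration for this article: a byte-level model of double tagging
# across an 802.1Q trunk. Switch behaviour here is a simplified model, not an
# emulation of any vendor's forwarding code.
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800  # ethertype used for the constructed payload


def build_frame(dst_mac_hex, src_mac_hex, vids, payload=b"constructed-payload"):
    """Build an Ethernet frame carrying the given 802.1Q VIDs, outer tag first."""
    frame = bytes.fromhex(dst_mac_hex) + bytes.fromhex(src_mac_hex)
    for vid in vids:
        # TCI with PCP=0, DEI=0; the VID occupies the low 12 bits
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def tag_stack(frame):
    """Return the VIDs of all stacked 802.1Q tags, outer first ([] if untagged)."""
    vids, offset = [], 12  # tags start right after the two MAC addresses
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids


def is_double_tagged(frame):
    """Detection helper: True when a frame carries two or more stacked tags."""
    return len(tag_stack(frame)) >= 2


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def insert_outer_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame, access_vlan):
    """Model of an access port (assumption): a tag equal to the port's VLAN is
    removed; any other tag is left in place and travels as part of the payload.
    Either way the frame is classified into the access VLAN."""
    vids = tag_stack(frame)
    if vids and vids[0] == access_vlan:
        frame = strip_outer_tag(frame)
    return frame, access_vlan


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Trunk transmit: the native VLAN leaves untagged unless tag_native is set."""
    if vlan == native_vlan and not tag_native:
        return frame  # no outer tag added: whatever tag is inside is now outermost
    return insert_outer_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Trunk receive: the outer tag decides the VLAN; an untagged frame is native."""
    vids = tag_stack(frame)
    return vids[0] if vids else native_vlan


def hop_result(attacker_vids, access_vlan, native_vlan, tag_native=False):
    """VLAN the trunk peer assigns to a frame the host sent with attacker_vids."""
    frame = build_frame("ffffffffffff", "0242ac110002", attacker_vids)  # constructed MACs
    frame, vlan = access_ingress(frame, access_vlan)
    on_wire = trunk_egress(frame, vlan, native_vlan, tag_native)
    return trunk_ingress(on_wire, native_vlan)


if __name__ == "__main__":
    print("default native VLAN 1, untagged:", hop_result([1, 100], 1, 1))
    print("native VLAN moved to 999:       ", hop_result([1, 100], 1, 999))
    print("vlan dot1q tag native:          ", hop_result([1, 100], 1, 1, tag_native=True))
```

hop_result([1, 100], 1, 1) returns 100: with the defaults the peer places the frame in VLAN 100. With the native VLAN moved to 999, or with tag-native enabled, the same frame is classified as VLAN 1 at the peer, which is exactly what the two mitigations are for. is_double_tagged is the kind of check a SPAN-port monitor can apply: a frame arriving from a host port with two stacked tags is worth an alert.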

Defense: Move the Native VLAN, Tag It Explicitly

Two complementary mitigations:

1. Change the native VLAN away from VLAN 1 on every trunk.

Switch(config)# vlan 999
Switch(config-vlan)# name UNUSED-NATIVE
Switch(config-vlan)# exit

Switch(config)# interface range GigabitEthernet1/0/24-26
Switch(config-if-range)# switchport trunk native vlan 999

Now an attacker in VLAN 1 cannot use the double-tag trick because VLAN 1 is no longer the native VLAN. VLAN 999 is, and you have ensured no host port is in VLAN 999.

2. Force the native VLAN to be tagged on the trunk.

Switch(config)# vlan dot1q tag native

This global command tells the switch to add an explicit 802.1Q tag for the native VLAN frames as well, instead of sending them untagged. Now there is no untagged-native shortcut for the attack to exploit. Every frame on the trunk has a tag, and a doubly-tagged attacker frame appears as such.

Either mitigation alone is effective; both together is defense in depth.

This Is Not a Cisco-Only Issue

VLAN hopping works on any 802.1Q-compliant switch from any vendor that allows untagged native VLAN frames on trunks. The DTP variant is Cisco-specific (DTP is Cisco-proprietary), but the double-tagging variant is universal. Juniper, Arista, HP/Aruba switches all share the same native-VLAN behavior by default and require equivalent mitigations.

The Broader Layer 2 Hardening Checklist

VLAN hopping is one of about a dozen Layer 2 attacks. Here is the production hardening pattern in the order we recommend applying it:

Control                          Defeats                                            Where to apply
switchport nonegotiate           Switch spoofing (DTP)                              Every port
Native VLAN moved off VLAN 1     Double tagging                                     Every trunk
vlan dot1q tag native            Double tagging                                     Globally
Trunk allowed VLAN list pruned   Reduces blast radius if other defenses fail        Every trunk
BPDU Guard + PortFast            Rogue switches plugged into access ports           Every host port
Storm Control                    Broadcast/multicast floods                         Every host port
DHCP Snooping                    Rogue DHCP servers                                 Globally + on host ports as untrusted
Dynamic ARP Inspection           ARP spoofing                                       On VLANs that need it; depends on DHCP Snooping
Port Security                    MAC flooding, unauthorized devices                 Host ports (with care for voice + PC)
VLAN 1 disabled                  Defense in depth; no traffic in VLAN 1 anywhere    Everywhere

The full configuration patterns for each are in VLAN Security Hardening: Protecting Your Layer 2 Network.
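As an added example for this article (not a PingLabz tool), here is a Python audit that reads an IOS-style running-config and reports which of the controls from the two defense sections above are missing: ports without switchport mode access or trunk plus switchport nonegotiate, trunks whose native VLAN is still 1, trunks with no pruned allowed-VLAN list, and the absence of the global vlan dot1q tag native. The configuration text is constructed for the example. The parser assumes the usual IOS layout of indented sub-commands under each interface line, treats a port with no switchport mode line as dynamic auto (the Catalyst default the article describes), and skips routed ports and SVIs.

```python
# Added illustration for this article: a small audit of a Cisco IOS-style
# running-config against the DTP and native-VLAN controls described above.
# The config text is constructed for the example; it is not a real device.
SAMPLE_CONFIG = """\
!
hostname access-sw-01
!
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 description hardened user jack
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description user jack left at defaults (dynamic auto)
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description hardened uplink
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,100
 switchport nonegotiate
!
interface GigabitEthernet1/0/25
 description uplink with default native VLAN and no pruning
 switchport mode trunk
 switchport trunk encapsulation dot1q
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
!
"""


def parse_config(text):
    """Split an IOS-style config into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return (where, finding) pairs for every missing Layer 2 control."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    if "vlan dot1q tag native" not in global_cmds:
        findings.append(("global", "native VLAN leaves trunks untagged: 'vlan dot1q tag native' not set"))
    for name, cmds in interfaces.items():
        # Only physical switch ports are in scope; routed ports and SVIs are skipped
        if "Ethernet" not in name or "no switchport" in cmds:
            continue
        mode = next((" ".join(c.split()[2:]) for c in cmds if c.startswith("switchport mode ")), None)
        mode_desc = mode or "dynamic auto (default)"
        if mode not in ("access", "trunk"):
            findings.append((name, f"DTP can negotiate a trunk: mode is {mode_desc}"))
        if "switchport nonegotiate" not in cmds:
            findings.append((name, "DTP frames still sent and accepted: missing 'switchport nonegotiate'"))
        if mode == "trunk":
            # Native VLAN defaults to 1 when no explicit line is present
            native = next((int(c.split()[-1]) for c in cmds if c.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                findings.append((name, "trunk native VLAN is 1 (default): double tagging from VLAN 1 is possible"))
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append((name, "trunk carries every VLAN: allowed list not pruned"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

On the constructed config the audit is silent for GigabitEthernet1/0/1 and 1/0/24, which carry the full pattern from the defense sections, and reports two findings for the access port left at defaults and three for the trunk with native VLAN 1 and no allowed list. Feeding it a `show running-config` capture from each switch on every audit is a quick way to catch the "sticky defaults" problem described below.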

How to Test (in a Lab)

If you want to verify your switches are not vulnerable, the testing tools are well known; run them only in a lab you own:

  • Yersinia. Open-source Layer 2 attack framework. Has DTP and double-tagging modules.
  • Scapy. Python framework that can craft arbitrary 802.1Q-tagged frames for the double-tagging attack.

The acceptable lab pattern: build a topology with two switches and three hosts (one in each VLAN, plus an attacker), run the attack against an unhardened configuration, observe the attacker reaching the target VLAN, apply the hardening, and confirm the attack now fails. This is part of every CCNP Security and Cisco SECURE lab.

Why VLAN Hopping Still Matters in 2026

The mitigations have been documented for over twenty years. The attacks are taught in every CCNA Security textbook. And yet network audits keep finding production trunks with the default native VLAN of 1, access ports with default DTP enabled, and management VLANs that share trunk access with everything else.

Three reasons:

  1. Defaults are sticky. Many switch deployments inherit configurations that pre-date hardening guides. Re-templating a deployed network is hard.
  2. Access is assumed. If your physical security is strong, the attacker cannot get to a wall jack. But voice phones, conference rooms, BYOD, and lab environments all undermine this assumption.
  3. Virtualization extends the attack surface. A VM on a vSwitch with default VLAN settings can perform the same attacks as a physical attacker. The double-tagging vector reaches into virtual networks too.

The fix is short, well-understood, and free. The PingLabz position: every trunk in 2026 should have switchport nonegotiate, a non-default native VLAN, and explicit allowed VLAN lists. If your network does not, this is the lowest-effort security improvement you can make today.

Summary

VLAN hopping is two attacks: switch spoofing via DTP and double tagging via the native VLAN. Both let an attacker bypass Layer 2 isolation and reach VLANs they should not be on. Both are defeated by short configurations: switchport nonegotiate on every port, native VLAN moved off VLAN 1, and either vlan dot1q tag native globally or aggressive native-VLAN hygiene on trunks.

If your network is running default Cisco settings, you are vulnerable. The fix takes minutes; the consequence of not fixing it is real, recurrent, and exploitable. Bookmark the VLAN cluster pillar for the full operational picture, and review the broader Layer 2 hardening checklist above on every audit.

© 2025 Ping Labz. All rights reserved.