VLAN Security Hardening: Protecting Your Layer 2 Network

VLANs provide segmentation, not security. Without explicit hardening — disabling DTP, fixing the native VLAN, enabling DHCP snooping and DAI — your Layer 2 network is wide open to attack.

VLANs segment your network into broadcast domains, but segmentation alone is not security. A determined attacker on a single access port can exploit default switch behavior to hop across VLANs, spoof DHCP servers, poison ARP tables, and flood the switch into hub mode. Every one of these attacks targets Layer 2 defaults that ship enabled on new Catalyst switches.

This article covers the Layer 2 attack vectors that target VLANs and the IOS XE configuration to neutralize each one. By the end, you will have a complete security hardening checklist for your access-layer switches.

Attack 1: VLAN Hopping via Switch Spoofing

How It Works

By default, Catalyst switch ports run DTP (Dynamic Trunking Protocol) in dynamic auto mode. If an attacker connects a device that sends DTP negotiation frames claiming to be a switch, the port transitions to trunk mode. Once it is a trunk, the attacker's device can send 802.1Q-tagged frames for any VLAN — giving it access to VLANs it was never supposed to reach.

Mitigation

Explicitly set every access port to switchport mode access and disable DTP with switchport nonegotiate:

ACC-SW1(config)# interface range GigabitEthernet1/0/1-22
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport nonegotiate
ACC-SW1(config-if-range)# exit

On trunk ports, explicitly set them to trunk mode (not dynamic) and also disable negotiation:

ACC-SW1(config)# interface range GigabitEthernet1/0/23-24
ACC-SW1(config-if-range)# switchport mode trunk
ACC-SW1(config-if-range)# switchport nonegotiate
ACC-SW1(config-if-range)# exit

With switchport mode access, the port will never negotiate to become a trunk — even if it receives DTP frames. The switchport nonegotiate command stops the port from sending DTP frames entirely. For the full DTP deep dive, see DTP: How It Works and Why You Should Disable It.

Attack 2: VLAN Hopping via Double Tagging

How It Works

Double-tagging exploits the native VLAN. The attacker sends a frame with two 802.1Q tags: the outer tag matches the native VLAN, and the inner tag is the target VLAN (e.g., VLAN 20). When the frame hits the first switch, the outer tag is stripped (because it matches the native VLAN) and the inner tag survives. The frame is then forwarded across the trunk to the next switch, which sees the inner VLAN 20 tag and delivers the frame to a port in VLAN 20.

This attack is one-directional (the attacker can send but not receive replies) and only works if the native VLAN on the trunk matches the attacker's access VLAN.

Mitigation

Three commands eliminate the double-tagging vector:

1. Change the native VLAN to an unused VLAN:

ACC-SW1(config)# interface range GigabitEthernet1/0/23-24
ACC-SW1(config-if-range)# switchport trunk native vlan 99
ACC-SW1(config-if-range)# exit

VLAN 99 is not assigned to any access port, so no attacker's frames will match the native VLAN. See Native VLAN Configuration and Security for the full walkthrough.

2. Tag the native VLAN on trunks (optional, strongest defense):

CORE-SW1(config)# vlan dot1q tag native

This forces the switch to tag even the native VLAN's frames with 802.1Q headers on trunk ports. A double-tagged frame will now have its outer tag identified and processed correctly instead of being silently stripped. Configure it on both ends of every trunk: a switch that tags its native VLAN while its neighbor expects it untagged will drop that VLAN's traffic.

3. Prune the native VLAN from user trunks if possible.
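
Both VLAN-hopping mitigations above are easy to verify at scale by reading the running-config rather than inspecting ports one at a time. The following Python audit is an added example written for this article, not Cisco code or a tool from the original: it parses interface stanzas from a constructed running-config excerpt, treats any port without an explicit trunk mode as an access port (on VLAN 1 when no access VLAN is set), and reports ports that still negotiate DTP, trunks whose native VLAN is still VLAN 1, and trunks whose native VLAN collides with a VLAN in use on access ports (the precondition for double tagging). The sample config, function names and finding texts are this example's own.

```python
import re

# Constructed running-config excerpt (not from the article). Gi1/0/3 was left at
# the DTP default with no "switchport nonegotiate", Gi1/0/23's native VLAN collides
# with an access VLAN, and Gi1/0/24 still sends DTP frames.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk native vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 99
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from an IOS running-config."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line closes the stanza
    return interfaces


def _first_match(lines, pattern):
    """First re.match of pattern over the stanza lines, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def audit_layer2(config):
    """Return sorted (interface, finding) tuples for DTP and native-VLAN weaknesses."""
    interfaces = parse_interfaces(config)
    findings = []

    # Pass 1: VLANs in use on access ports. A port without an explicit
    # "switchport mode trunk" is treated as access; no access vlan means VLAN 1.
    access_vlans = set()
    for lines in interfaces.values():
        mode = _first_match(lines, r"switchport mode (\S+)")
        if mode is None or mode.group(1) != "trunk":
            vlan = _first_match(lines, r"switchport access vlan (\d+)")
            access_vlans.add(int(vlan.group(1)) if vlan else 1)

    # Pass 2: per-port checks mirroring the Attack 1 and Attack 2 mitigations.
    for name, lines in interfaces.items():
        mode = _first_match(lines, r"switchport mode (\S+)")
        mode = mode.group(1) if mode else None
        if mode not in ("access", "trunk"):
            findings.append((name, "DTP left at default: set switchport mode access or trunk"))
        if _first_match(lines, r"switchport nonegotiate$") is None:
            findings.append((name, "DTP frames still sent: add switchport nonegotiate"))
        if mode == "trunk":
            native = _first_match(lines, r"switchport trunk native vlan (\d+)")
            native = int(native.group(1)) if native else 1
            if native == 1:
                findings.append((name, "native VLAN is the default VLAN 1: move it to an unused VLAN"))
            elif native in access_vlans:
                findings.append((name, f"native VLAN {native} is also an access VLAN: double tagging possible"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit_layer2(SAMPLE_CONFIG):
        print(f"{port}: {finding}")
```

Feed it the output of show running-config from each access switch; the only finding a hardened switch should produce is none. The access-VLAN pass is what catches the double-tagging precondition: a native VLAN of 99 is only safe because no access port sits in VLAN 99.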

Attack 3: DHCP Spoofing / Rogue DHCP Server

How It Works

An attacker plugs in a rogue DHCP server on an access port. When legitimate clients send DHCP Discover broadcasts, the rogue server responds with a DHCP Offer that includes a malicious default gateway (the attacker's IP). All client traffic now routes through the attacker — a classic man-in-the-middle.

Mitigation: DHCP Snooping

DHCP snooping builds a binding table of legitimate DHCP assignments and blocks DHCP server messages (Offer, Ack) on untrusted ports.

ACC-SW1(config)# ip dhcp snooping
ACC-SW1(config)# ip dhcp snooping vlan 10,20,40,50
ACC-SW1(config)# no ip dhcp snooping information option

By default, all ports are untrusted (they can send DHCP Discover but not Offer/Ack). Mark the uplink to the distribution switch as trusted — this is where legitimate DHCP replies come from:

ACC-SW1(config)# interface range GigabitEthernet1/0/23-24
ACC-SW1(config-if-range)# ip dhcp snooping trust
ACC-SW1(config-if-range)# exit

Access ports remain untrusted. If a rogue DHCP server appears on Gi1/0/5, its DHCP Offer frames are dropped by the switch before they reach any client.

The no ip dhcp snooping information option command disables Option 82 insertion, which can cause issues if your DHCP server does not expect it. Include this unless you specifically use Option 82 for DHCP relay identification.

Verify DHCP Snooping

ACC-SW1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,40,50
...
Interface                  Trusted    Allow option    Rate limit
-----------------------    -------    ------------    ----------
GigabitEthernet1/0/23      yes        yes             unlimited
GigabitEthernet1/0/24      yes        yes             unlimited
ACC-SW1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------
0050.7966.6800      10.10.10.50      86400       dhcp-snooping  10    Gi1/0/1
0050.7966.6801      10.10.10.51      86400       dhcp-snooping  10    Gi1/0/2
0023.04ee.be01      10.10.40.11      86400       dhcp-snooping  40    Gi1/0/1

The binding table shows every legitimate DHCP assignment — MAC, IP, VLAN, and port.

Attack 4: ARP Spoofing / ARP Poisoning

How It Works

An attacker sends gratuitous ARP replies claiming that the default gateway's IP address maps to the attacker's MAC. Victim hosts update their ARP tables and start sending traffic to the attacker instead of the real gateway.

Mitigation: Dynamic ARP Inspection (DAI)

DAI uses the DHCP snooping binding table to validate ARP packets. It drops ARP replies where the IP-to-MAC mapping does not match a known DHCP binding.

Prerequisite: DHCP snooping must be enabled first (DAI depends on its binding table).

ACC-SW1(config)# ip arp inspection vlan 10,20,40,50

Trust the uplink ports (same as DHCP snooping):

ACC-SW1(config)# interface range GigabitEthernet1/0/23-24
ACC-SW1(config-if-range)# ip arp inspection trust
ACC-SW1(config-if-range)# exit

For devices with static IPs that do not appear in the DHCP snooping table (servers, printers), create ARP ACLs:

ACC-SW1(config)# arp access-list STATIC-ARP
ACC-SW1(config-arp-nacl)# permit ip host 10.10.10.100 mac host 0050.7966.68aa
ACC-SW1(config-arp-nacl)# exit
ACC-SW1(config)# ip arp inspection filter STATIC-ARP vlan 10
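
To make the DAI decision concrete, here is a small Python model of the verdict the switch reaches for each ARP reply. It is an added example written for this article, not Cisco's implementation: it parses the binding table from the show ip dhcp snooping binding output shown earlier, applies the STATIC-ARP ACL to VLAN 10 in the order DAI uses (trusted port first, then explicit ARP ACL permit or deny, then the DHCP snooping binding), and falls through to the binding table for packets that match no ACL entry, which is the behavior when the filter is applied without the static keyword (the Static ACL: No in the verification output). The ARP replies it inspects are constructed, and the dataclass and function names are this example's own.

```python
import re
from dataclasses import dataclass

# Binding table from the article's "show ip dhcp snooping binding" output.
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------
0050.7966.6800      10.10.10.50      86400       dhcp-snooping  10    Gi1/0/1
0050.7966.6801      10.10.10.51      86400       dhcp-snooping  10    Gi1/0/2
0023.04ee.be01      10.10.40.11      86400       dhcp-snooping  40    Gi1/0/1
"""

# The article's ARP ACL, applied to VLAN 10 without the "static" keyword, so an
# ARP packet that matches no entry falls through to the binding table.
# Entries are (action, sender IP, sender MAC or "any").
ARP_ACLS = {"STATIC-ARP": [("permit", "10.10.10.100", "0050.7966.68aa")]}
ACL_FOR_VLAN = {10: "STATIC-ARP"}
TRUSTED_PORTS = frozenset({"Gi1/0/23", "Gi1/0/24"})  # the uplinks, per the article


@dataclass(frozen=True)
class ArpReply:
    vlan: int
    sender_ip: str
    sender_mac: str
    ingress_port: str


def parse_bindings(output):
    """Parse binding rows into {(vlan, ip): mac}; header and separator lines are skipped."""
    row = re.compile(
        r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+\S+$"
    )
    bindings = {}
    for line in output.splitlines():
        m = row.match(line.strip())
        if m:
            mac, ip, vlan = m.groups()
            bindings[(int(vlan), ip)] = mac
    return bindings


def dai_verdict(reply, bindings):
    """Return (action, reason) for one ARP reply, in the order DAI evaluates:
    trusted port -> ARP ACL explicit permit/deny -> DHCP snooping binding."""
    if reply.ingress_port in TRUSTED_PORTS:
        return ("permit", "trusted port, not inspected")
    for action, ip, mac in ARP_ACLS.get(ACL_FOR_VLAN.get(reply.vlan), []):
        if ip == reply.sender_ip and mac in ("any", reply.sender_mac):
            return (action, "matched ARP ACL entry")
    bound_mac = bindings.get((reply.vlan, reply.sender_ip))
    if bound_mac is None:
        return ("drop", "no DHCP snooping binding for sender IP in this VLAN")
    if bound_mac != reply.sender_mac:
        return ("drop", f"sender MAC differs from bound MAC {bound_mac}")
    return ("permit", "matches DHCP snooping binding")


# Constructed ARP replies: a legitimate client, a reply claiming the gateway
# address 10.10.10.1 (no binding exists for it), a bound IP with the wrong MAC,
# the static server covered by the ACL, and a reply arriving on the trusted uplink.
SAMPLE_REPLIES = [
    ArpReply(10, "10.10.10.50", "0050.7966.6800", "Gi1/0/1"),
    ArpReply(10, "10.10.10.1", "0050.7966.6800", "Gi1/0/1"),
    ArpReply(10, "10.10.10.51", "0050.7966.6800", "Gi1/0/1"),
    ArpReply(10, "10.10.10.100", "0050.7966.68aa", "Gi1/0/5"),
    ArpReply(10, "10.10.10.1", "0023.04ee.bef0", "Gi1/0/23"),
]


def inspect_all(replies=SAMPLE_REPLIES, output=SNOOPING_BINDING_OUTPUT):
    """Run every reply through dai_verdict; returns the list of actions in order."""
    bindings = parse_bindings(output)
    return [dai_verdict(r, bindings)[0] for r in replies]


if __name__ == "__main__":
    bindings = parse_bindings(SNOOPING_BINDING_OUTPUT)
    for r in SAMPLE_REPLIES:
        action, reason = dai_verdict(r, bindings)
        print(f"{r.ingress_port} vlan {r.vlan} {r.sender_ip}/{r.sender_mac}: {action} ({reason})")
```

The second and third replies are the two ways an ARP poisoning attempt fails DAI: the gateway address has no binding at all, and a bound address presented with a different MAC contradicts the table. The fourth reply shows why the ARP ACL is needed for statically addressed hosts: without it, 10.10.10.100 would be dropped for the same "no binding" reason.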

Verify DAI

ACC-SW1# show ip arp inspection vlan 10

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active      STATIC-ARP         No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off

Attack 5: MAC Flooding / CAM Table Overflow

How It Works

An attacker sends thousands of frames with random source MACs, filling the switch's MAC address table. When the table is full, the switch cannot learn new addresses and falls back to flooding all unicast traffic out every port in the VLAN — effectively turning the switch into a hub. The attacker can now sniff all traffic.

Mitigation: Port Security

ACC-SW1(config)# interface range GigabitEthernet1/0/1-22
ACC-SW1(config-if-range)# switchport port-security
ACC-SW1(config-if-range)# switchport port-security maximum 3
ACC-SW1(config-if-range)# switchport port-security violation restrict
ACC-SW1(config-if-range)# switchport port-security aging time 60
ACC-SW1(config-if-range)# switchport port-security aging type inactivity
ACC-SW1(config-if-range)# exit

This limits each port to 3 MAC addresses (sufficient for a PC + phone + one additional device). The restrict violation mode drops frames from additional MACs and logs the event without shutting the port down. Use shutdown mode for stricter enforcement — the port will err-disable if a violation occurs.

Verify Port Security

ACC-SW1# show port-security interface GigabitEthernet1/0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 60 mins
Aging Type                 : Inactivity
Maximum MAC Addresses      : 3
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6800:10
Security Violation Count   : 0

Attack 6: Broadcast Storms

How It Works

A Layer 2 loop or a malfunctioning NIC can generate a broadcast storm that saturates all links in the VLAN, consuming bandwidth and overwhelming device CPUs.

Mitigation: Storm Control

ACC-SW1(config)# interface range GigabitEthernet1/0/1-22
ACC-SW1(config-if-range)# storm-control broadcast level 20.00
ACC-SW1(config-if-range)# storm-control multicast level 20.00
ACC-SW1(config-if-range)# storm-control action shutdown
ACC-SW1(config-if-range)# exit

This err-disables the port if broadcast or multicast traffic exceeds 20% of the port's bandwidth. Adjust the threshold based on your environment — 20% is a reasonable starting point for access ports.
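
Every control from DHCP snooping through storm control logs when it acts, and those messages are the detection signal that tells you an attack is being attempted rather than merely blocked. The Python summarizer below is an added example written for this article, not a Cisco tool or code from the original: it reads syslog lines, classifies the ones that belong to these controls by facility and mnemonic, attributes each to an interface, and flags ports that crossed a violation threshold or were err-disabled. The mnemonics are real IOS ones, but the sample lines, hostnames, MACs and ports are constructed for this example, and message wording varies between platforms and releases, so the regexes are written to key on the mnemonic rather than the surrounding text.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog excerpt in the shape of the messages the hardening features
# emit. Mnemonics are real IOS ones; ports, MACs and wording are sample data.
SAMPLE_SYSLOG = """\
Jan  1 12:00:01 ACC-SW1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6810 on port GigabitEthernet1/0/5.
Jan  1 12:00:02 ACC-SW1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6811 on port GigabitEthernet1/0/5.
Jan  1 12:00:03 ACC-SW1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6812 on port GigabitEthernet1/0/5.
Jan  1 12:00:10 ACC-SW1 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0050.7966.6820
Jan  1 12:00:20 ACC-SW1 %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi1/0/7, vlan 10.([0050.7966.6830/10.10.10.1/0000.0000.0000/10.10.10.50/12:00:20 UTC Mon Jan 1 2025])
Jan  1 12:00:30 ACC-SW1 %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi1/0/9. A packet filter action has been applied on the interface.
Jan  1 12:00:30 ACC-SW1 %PM-4-ERR_DISABLE: storm-control error detected on Gi1/0/9, putting Gi1/0/9 in err-disable state
Jan  1 12:00:45 ACC-SW1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jan  1 12:01:00 ACC-SW1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6840 on port GigabitEthernet1/0/2.
"""

MSG_RE = re.compile(r"%([A-Z_]+)-(\d)-([A-Z_]+):\s*(.*)")
# Long names are listed before their abbreviations so the alternation prefers them.
IFACE_RE = re.compile(r"\b(TenGigabitEthernet|GigabitEthernet|FastEthernet|Te|Gi|Fa)(\d+(?:/\d+)+)")
SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}

# (facility, mnemonic) -> the control that produced it; anything else is ignored.
CONTROL = {
    ("PORT_SECURITY", "PSECURE_VIOLATION"): "port-security",
    ("DHCP_SNOOPING", "DHCP_SNOOPING_UNTRUSTED_PORT"): "dhcp-snooping",
    ("SW_DAI", "DHCP_SNOOPING_DENY"): "dai",
    ("STORM_CONTROL", "FILTERED"): "storm-control",
    ("PM", "ERR_DISABLE"): "err-disable",
}


def parse_event(line):
    """Return (control, short interface name or None, severity), or None if unrelated."""
    m = MSG_RE.search(line)
    if not m:
        return None
    facility, severity, mnemonic, text = m.groups()
    control = CONTROL.get((facility, mnemonic))
    if control is None:
        return None
    im = IFACE_RE.search(text)
    iface = f"{SHORT.get(im.group(1), im.group(1))}{im.group(2)}" if im else None
    return (control, iface, int(severity))


def summarize(syslog, violation_threshold=3):
    """Count events per interface and flag ports that need a human to look at them."""
    per_port = defaultdict(Counter)
    for line in syslog.splitlines():
        event = parse_event(line)
        if event:
            control, iface, _ = event
            # Some messages (the DHCP snooping drop above) carry no port name.
            per_port[iface or "(no interface in message)"][control] += 1
    flagged = sorted(
        port for port, counts in per_port.items()
        if counts["port-security"] >= violation_threshold or counts["err-disable"] > 0
    )
    return {"per_port": {p: dict(c) for p, c in per_port.items()}, "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG)
    for port, counts in sorted(report["per_port"].items()):
        print(f"{port}: {counts}")
    print("flagged:", report["flagged"])
```

Run over a day's syslog from an access switch, the per-port counts show where each control is doing work; a single port-security violation is usually a user plugging in a hub, while several in quick succession on one port looks like the MAC flooding described above, and a storm-control err-disable is worth a site visit whatever caused it.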

Unused Port Hardening

Every unused port is an attack surface. Shut them down and assign them to the parking VLAN:

ACC-SW1(config)# interface range GigabitEthernet1/0/13-22
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport access vlan 999
ACC-SW1(config-if-range)# switchport nonegotiate
ACC-SW1(config-if-range)# shutdown
ACC-SW1(config-if-range)# exit

VLAN 999 has no SVI, no routing, and no connectivity. Even if someone physically connects to a shutdown port and re-enables it, they land in an isolated black hole.

IP Source Guard (Optional, Strongest Layer)

IP Source Guard combines DHCP snooping bindings with ingress filtering to drop any packet whose source IP does not match the DHCP binding for that port:

ACC-SW1(config)# interface range GigabitEthernet1/0/1-12
ACC-SW1(config-if-range)# ip verify source
ACC-SW1(config-if-range)# exit

This prevents IP spoofing at the access layer. It requires DHCP snooping to be enabled and a valid binding to exist for each port.

Layer 2 Security Hardening Checklist

Apply these to every access-layer switch in the network:

Control                      Command                                            Scope
---------------------------  -------------------------------------------------  --------------------------
Disable DTP on access ports  switchport mode access + switchport nonegotiate    All access ports
Disable DTP on trunk ports   switchport mode trunk + switchport nonegotiate     All trunk ports
Change native VLAN           switchport trunk native vlan 99                    All trunks
Shut down unused ports       shutdown + switchport access vlan 999              All unused ports
Enable DHCP snooping         ip dhcp snooping + ip dhcp snooping vlan           Global + per VLAN
Trust uplinks for DHCP       ip dhcp snooping trust                             Trunk/uplink ports only
Enable DAI                   ip arp inspection vlan                             Per VLAN
Trust uplinks for DAI        ip arp inspection trust                            Trunk/uplink ports only
Port security                switchport port-security                           Access ports
Storm control                storm-control broadcast level                      Access ports
IP Source Guard              ip verify source                                   Access ports (optional)
802.1X                       See 802.1X series                                  Access ports (recommended)

For the strongest access-layer security, combine port security with 802.1X authentication. The 802.1X series covers dynamic VLAN assignment, guest VLANs, and Cisco ISE integration.

Key Takeaways

  • VLAN segmentation is not security by itself. Layer 2 attacks exploit default switch behavior that must be explicitly disabled.
  • Disable DTP on every port (switchport nonegotiate) and change the native VLAN to an unused VLAN (99) to prevent both forms of VLAN hopping.
  • DHCP snooping + DAI together stop rogue DHCP servers and ARP spoofing. They require trusting only uplink ports — all access ports remain untrusted.
  • Port security limits the number of MACs per port, preventing CAM table overflow attacks.
  • Unused ports should be shut down and parked in VLAN 999 — every open port is an attack surface.

For the full campus deployment strategy, see VLAN Design for Campus Networks: From Access to Core.

© 2025 Ping Labz. All rights reserved.