802.1Q Double-Tagging
A double-tagging attack is possible with 802.1Q trunking because a trunk does not
tag frames that belong to its native VLAN. In this attack, the attacking computer
is connected to a port in the native VLAN of the trunk (either an access port
assigned to that VLAN, or a trunk it has negotiated with the switch) and
generates frames that carry two 802.1Q tags. The outer tag matches the native
VLAN of the trunk port, and the inner tag matches the VLAN of the host it wants
to attack, as shown in Figure 8-1.
Figure 8-1 VLAN Hopping by 802.1Q Double-Tagging
[Figure: Attacker -> Switch A -> (trunk, native VLAN 100) -> Switch B -> Target in VLAN 200.
The attacker's frame carries an outer 802.1Q tag for VLAN 100 and an inner tag for
VLAN 200; the frame between the switches carries only the VLAN 200 tag; the frame
delivered to the target is untagged data.]
Switch A removes the outer tag for VLAN 100, because it matches the native
VLAN for the link on which the frame arrived, and treats the frame as ordinary
VLAN 100 traffic. When it forwards that traffic across its trunk to Switch B,
VLAN 100 is the native VLAN on that trunk as well, so Switch A sends the frame
without adding a tag, and the inner tag is now the first thing after the source
address. Switch B sees a frame come in with an 802.1Q tag for VLAN 200, so it
forwards it out the VLAN 200 link to the victim computer. Note that the hop is
one way only: the victim's replies are sent in VLAN 200 and never reach the
attacker in VLAN 100, so the attack is limited to traffic that needs no
response, such as a denial of service against the victim.
To mitigate this type of attack, use the same strategies used for switch spoofing.
In addition, make the native VLAN of every trunk an otherwise unused VLAN that is
assigned to no access port, and configure the switches to tag native VLAN frames
on trunks, so that no frame from the native VLAN ever crosses a trunk untagged
and the inner tag is never exposed. You can also use VLAN access control lists,
called VACLs, or implement Private VLANs.
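The following Python model, added here as an example and not part of the original text, builds the double-tagged frame from Figure 8-1 byte by byte and runs it through the two forwarding decisions the text describes: Switch A's access-port ingress and native-VLAN trunk egress, then Switch B's trunk ingress. It then reruns the same frame with the two extra mitigations mentioned above (an unused native VLAN, and tagging of native VLAN frames; on Cisco IOS these correspond to "switchport trunk native vlan" and "vlan dot1q tag native"). The MAC addresses, payload and VLAN numbers are constructed sample data; the assumption that an access port accepts a frame tagged with its own VLAN and strips the tag is a simplification of switch behaviour, labelled in the code.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost VID first.
    Each tag is TPID 0x8100 followed by a TCI with PCP/DEI = 0 and a 12-bit VID."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_port_ingress(frame, port_vid):
    """Switch A, access port in port_vid. Untagged frames are assigned port_vid.
    Model assumption: a frame tagged with the port's own VID is accepted and the
    tag is stripped; a frame tagged with any other VID is dropped (None, None)."""
    vid = outer_vid(frame)
    if vid is None:
        return port_vid, frame
    if vid == port_vid:
        return port_vid, pop_tag(frame)
    return None, None


def trunk_egress(vlan, frame, native_vid, tag_native=False):
    """Switch A, trunk egress: native VLAN frames leave untagged unless the switch
    is configured to tag the native VLAN; all other VLANs get a tag."""
    if vlan == native_vid and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vid):
    """Switch B, trunk ingress: a tagged frame belongs to the VLAN in its tag,
    an untagged frame belongs to the native VLAN."""
    vid = outer_vid(frame)
    if vid is None:
        return native_vid, frame
    return vid, pop_tag(frame)


def deliver(attacker_vid, trunk_native_vid, tag_native=False, target_vid=200):
    """Send one double-tagged frame (outer = attacker's VLAN, inner = target VLAN)
    through Switch A and Switch B. Returns (vlan delivered by Switch B, frame),
    or (None, None) if Switch A drops the frame at ingress."""
    # Constructed sample data: broadcast destination, documentation-range source MAC.
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01",
                        [attacker_vid, target_vid], ETHERTYPE_IPV4, b"attack payload")
    vlan, frame = access_port_ingress(frame, attacker_vid)
    if vlan is None:
        return None, None
    frame = trunk_egress(vlan, frame, trunk_native_vid, tag_native)
    return trunk_ingress(frame, trunk_native_vid)


if __name__ == "__main__":
    print("attacker in native VLAN 100      ->", deliver(100, 100)[0])              # 200
    print("native VLAN moved to unused 999  ->", deliver(100, 999)[0])              # 100
    print("native VLAN tagged on the trunk  ->", deliver(100, 100, tag_native=True)[0])  # 100
```

In the first case the frame that crosses the trunk starts with the inner tag for VLAN 200 and Switch B delivers it into the victim's VLAN. In the other two cases Switch A tags the frame with the attacker's real VLAN on egress, Switch B classifies it by that outer tag, and the inner tag is never examined as a tag; it is just the first bytes of a VLAN 100 payload.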