Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VLAN Attacks

Hi there,

There are 2 common vlan attacks:

1. switch spoofing

2. double tagging

My question is: when the switch gets a double tagged frame doesn't it consider the frame an error and drops it?

Even more, does the Switch permit tagged frames as native vlan to enter an access port?

Let's assume the double frame gets to the end user in another vlan. The response frame can't get to the cracker in another vlan (native vlan) only if it is routed. So from my point of view this is only a theoretical attack. Am I right?

Has anyone tested it in a lab using real equipments?

Thank you for clarification.

New Member

Re: VLAN Attacks

Hi Dear,

first the double taging attack takes place on trunk links with native vlan 1, of ports that trunk mode is auto so an atacker can use tools to understand the trunk negotiation and establish trunk connection to the switch. when the switch receives double tagged frame it does only check the first tag encapsulation and the fram is considered valid as long as it's length is withen the allowed length.

double tagged frames attack is UNIDIRECTIONAL, so there is no reply back received, but many trojan and worms can only take one packet as it's too small in size so we don't need any reply.

Let me know if u need any further help.


New Member

Re: VLAN Attacks

To compliment what Mohammed has already said, a double tag and switch spoofing attacks are REAL attacks. For double tagging, the port facing the malicious user does not need to be in its default state of VLAN 1 as native VLAN and using DTP (Dynamic Trunking Protocol). Instead, as long as DTP is enabled, any VLAN can be used as the native VLAN. The way it works is that a user sends a packet with two native VLAN headers. The first must match that of the Native VLAN, which the switch will remove. After it is removed the switch will exman the other header and send the frame into that VLAN. I hope this better explains what you are asking.

**This attack is only possible when using 802.1Q and native VLANs without tagging.

Here is a link with further information:

Hope this helps,


New Member

Re: VLAN Attacks

Everything is clear now. I've already tested the attack using Mausezahn and it works as expected.

Thank you