Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Vlan Hopping attack



         I know what a vlan hopping attack is...i understand it but....Why on earth will an access port be accepting Tagged frames???? 


        It is understood that the clients or End systems must not and will not send tagged Data frames if they are on access ports??  because they dont

        have any info in what VLAN they are in... why does the switch even accept vlan tagged frames from an access port? please enlighten me :) 


Thank u


Ahmed Mukhtar

  • LAN Switching and Routing

Hi Ahmed,I think you are

Hi Ahmed,

I think you are looking at this in a different way..

Like you imagined, if the port is hard coded to be an Access Port, and done that correctly, attacker will not be able to do the VLAN Hopping..


So in an ideal world, end system connected to an access port is not expected to accept Tagged packets..  Even if someone configured the end system to accept Tagged packets(which is easily achievable) it will hear no traffic on other VLANs ( as the access port only sends out untagged packets). 

But the situation changes when you leave your ports on a setting that would allow anyone to use that port either use as a trunk or as an access port.   In this situation attacker will leverage this dynamic nature of the port and will negotiate a trunk between the switch and start hopping between VLAN looking for interesting traffic..

I guess the most important thing to understand is..  in the  attackers world, you cant expect the "end system" to behave and act like an "ethical" end system that would obey the TCP/IP protocol stack... be it a PC or a switch or some other BOX the attacker is using, it will have manipulated protocol stack that can act as a PC or a switch or what ever it wants to be.. (ex If you get a PC and change the protocol stack to send BPDUs and DTP etc..  how would the switch on the other end know it is a PC it is really talking to.. 

Hopefully this helps you to look at this in a different way.


Please don't forget to rate helpful answers..




This widget could not be displayed.