VLAN Hopping

Could someone tell me if newer versions of IOS have fixed this issue?

It seems that a logical fix to this security exploit is to FILTER tagged frames on access ports. I know you can do this manually with ACLs, but I'm wondering if Cisco has implemented this as default behavior?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

ColbyG

Why would there be tagged frames on ports that were hard coded to access?

Bert McGert

@ ColbyNA - My thoughts exactly.

networker050184

ColbyNA wrote: »

Why would there be tagged frames on ports that were hard coded to access?

Because someone is trying to double tag to gain access to another VLAN.

The issue is not fixed in any IOS that I know of. In order to "hop" VLANs the host attacker has to double tag the frame because the switch will strip the first tag. If you configure your trunks correctly you never have to worry about VLAN hopping anyway.

yuriz43

Ok, so the only way to prevent this type of attack is to assign an unused vlan as native, or disable the native vlan on your dot1q trunks.

ColbyG

networker050184 wrote: »

Because someone is trying to double tag to gain access to another VLAN.

The issue is not fixed in any IOS that I know of. In order to "hop" VLANs the host attacker has to double tag the frame because the switch will strip the first tag. If you configure your trunks correctly you never have to worry about VLAN hopping anyway.

Wow... that's pretty cool. Just did some reading about it.