During our Cisco CCNP BCMSN certification exam preparation, we've seen how intruders can use seemingly innocent ARP and DHCP processes can be used to harm our network, so it shouldn't come as any surprise that Dot1q tagging can be used against us as well!

One form of VLAN Hopping is double tagging, so named because the intruder will transmit frames that are "double tagged" with two separate VLAN IDs. As you'll see in our example, certain circumstances must exist for a double tagging attack to be successful:

The intruder's host device must be attached to an access port.

The VLAN used by that access port must be the native VLAN.

The term "native VLAN" tips us off to the third requirement - dot1q must be the trunking protocol in use, since ISL doesn't use the native VLAN.

When the rogue host transmits a frame, that frame will have two tags. One will indicate native VLAN membership, and the second will be the number of the VLAN under attack. In this example, we'll assume that to be VLAN 100, with the native VLAN set as VLAN 25.

The trunk receiving this double-tagged frame will see the tag for VLAN 25, and since that's the native VLAN, that tag will be removed and then transmitted across the trunk - but the tag for VLAN 100 is still there!

When the switch on the other side of the trunk gets that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue now has successfully fooled the switches and has hopped from one VLAN to another.

This is why you often see the native VLAN of a network set to a VLAN that no host on the network is a member of - that stops this version of VLAN Hopping right in its tracks.

Notice that I said "this version". We’ll take a look at another VLAN Hopping tactic in the next installation of my CIsco CCNP BCMSN certification exam tutorial series!