How to test double tagging attack in lab

rodrigoaantunes
Level 1

Hello, I have read a little about the VLAN hopping attack, especially double tagging.

One of the conditions is that the attacker's switch port has to be configured in access mode in the same VLAN as the native VLAN of the trunk port.

I tried to reproduce this attack in a lab:

Attacker in access VLAN 1

Victim in access VLAN 100

Trunk port with native VLAN 1

I have sent a packet with outer tag 1 and inner tag 100 and it simply doesn't work.

What am I missing?


How do you add two VLAN tags?

MHM

I did it with Yersinia and Scapy, same result.

Make the attacker have an IP from the VLAN 1 subnet.

Then add a static ARP entry.

Then start the attack by pinging 10^6 times.

MHM

Remember this attack is one-way, so you don't need to get a ping reply, but the victim's CPU is now busy with the 10^6 pings you send.

MHM

The other user said that modern switches drop tagged frames on access ports, so this attack wouldn't work no matter the VLAN configuration, right?

No, it accepts tagged frames (the tag must be the same as the VLAN assigned to the port) and untagged frames.

I think what made your lab fail is the static ARP: the attacker cannot use ARP to ask for the MAC of the victim; as I mentioned, it is only one-way traffic.

MHM

I get your point about the tag.

You connect the attacker with an access port, not a trunk port.

No friend, you need to make this port a trunk.

And the port to the victim an access port.

And yes, it is true that an access port in the switch cannot accept tagged frames, except in the case where it is configured with a voice VLAN.

MHM

But if the port of the attacker must be a trunk, what's the point in doing all of this? The attacker could simply set the VLAN he wants in the interface configuration.

Do the steps below:

1- Victim uses VLAN 100, connected to an access port on SW2

2- Trunk between the switches uses VLAN 1 as native

3- Attacker uses VLAN 200, connected via a trunk to SW1

4- Ping from the victim to the broadcast address of subnet 100; this makes SW1 and SW2 learn its MAC address

5- Add a static ARP entry for the victim on the attacker

6- Ping 10^6 times and enjoy

MHM

> But if the port of the attacker must be a trunk, what's the point in doing all of this? The attacker could simply set the VLAN he wants in the interface configuration.

The attacker can reach the victim without any L3 device!!!

This lets the attacker bypass the ACLs you configure under the SVI.

MHM

Enes Simnica
Level 5

Hello @rodrigoaantunes, you're on the right track with your VLAN hopping lab, but the reason your double-tagging attack isn't working likely comes down to how modern switches handle tagged frames on access ports. Meaning that in theory, when you send a double-tagged packet from an access port, the switch should strip the outer tag and forward the packet onto the trunk, where the inner tag gets processed, potentially delivering it to the victim in VLAN 100.

But in practice, modern switches drop tagged frames received on access ports, even if the tag matches the native VLAN. The attack relies on the switch accepting the outer tag and stripping it, which typically only happens on trunk ports. This behavior has been patched for years, so unless you're using older gear (like a Cisco 2950), the attack won't work.

And if you want to check some more great stuff, I will add some links for you:

Hope it helps, and have fun!!!


-Enes

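The ingress and egress decisions described in the two answers above, as an added simulation that is not from this thread: it parses a constructed double-tagged 802.1Q frame and runs it through a simplified model of the attacker's access port on SW1, the trunk, and SW2's trunk ingress. The "legacy strips the native tag" versus "modern drops tagged frames on access ports" behaviours, and native-VLAN tagging as a mitigation, are assumptions of the model, not any specific platform's implementation.

```python
import struct

TPID = 0x8100  # IEEE 802.1Q Tag Protocol Identifier

def build_frame(vlans, ethertype=0x0800):
    """Constructed sample frame: broadcast dst, locally administered src,
    one 802.1Q header per VLAN id (outer first), then a 46-byte dummy payload."""
    frame = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    for vid in vlans:
        frame += struct.pack("!HH", TPID, vid & 0x0FFF)  # PCP/DEI zero, 12-bit VID
    return frame + struct.pack("!H", ethertype) + b"\x00" * 46

def parse_tags(frame):
    """Return the 802.1Q VLAN id stack (outer first) and the EtherType that follows it."""
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags, struct.unpack_from("!H", frame, off)[0]

def deliver(frame, access_vlan, native_vlan, legacy_access=False, tag_native=False):
    """Simplified model (an assumption, not a vendor spec): attacker's access port on SW1,
    802.1Q trunk to SW2. Returns the VLAN the frame lands in on SW2, or None if dropped."""
    tags, _ = parse_tags(frame)
    # SW1 access-port ingress
    if not tags:
        vlan, inner = access_vlan, []
    elif len(tags) == 1 and tags[0] == access_vlan:
        vlan, inner = access_vlan, []          # single tag equal to the port VLAN is accepted
    elif legacy_access and tags[0] == access_vlan:
        vlan, inner = access_vlan, tags[1:]    # old behaviour: strip one tag, inner tag stays
    else:
        return None                            # modern behaviour: other tagged frames dropped
    # SW1 trunk egress: native VLAN leaves untagged unless native tagging is enabled
    wire = inner if (vlan == native_vlan and not tag_native) else [vlan] + inner
    # SW2 trunk ingress: untagged frame -> native VLAN, otherwise the outer tag decides
    return native_vlan if not wire else wire[0]

if __name__ == "__main__":
    hop = build_frame([1, 100])  # outer tag = native VLAN 1, inner tag = victim VLAN 100
    print("legacy access port, native 1:", deliver(hop, 1, 1, legacy_access=True))    # 100
    print("modern access port, native 1:", deliver(hop, 1, 1))                        # None
    print("legacy, unused native 999:   ", deliver(hop, 1, 999, legacy_access=True))  # 1
    print("legacy, native tagged:       ", deliver(hop, 1, 1, legacy_access=True, tag_native=True))  # 1
```

The last two cases are why the usual hardening advice (an unused native VLAN on trunks, or tagging the native VLAN) still matters on gear that does strip the outer tag.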

"This behavior has been patched for years." This is probably the answer!!

So this attack can't happen on modern switches, no matter the VLAN configuration? The native VLAN 1 recommendation doesn't matter in this case?

I tested this with a 2960s switch, but I have a lot of the old 2960g switches, as well as some 3750g, 2960x and a 4506.

How can I know if all these switches are patched against this?