08-05-2025 10:05 AM
Hello, I have read a little about the vlan hopping attack, especially the double tagging.
One of the conditions is that the attacker's switch port has to be configured in access mode in the same VLAN as the native VLAN of the trunk port.
I tried to reproduce this attack in a lab:
Attacker in access VLAN 1
Victim in access vlan 100
Trunk port with native vlan 1
I have sent a packet with outer tag 1 and inner tag 100 and it simply doesn't work.
What am I missing?
08-05-2025 10:31 AM
Yep, exactly, most modern switches drop tagged frames on access ports, so double-tagging usually fails unless the switch is very old or misconfigured. But config still matters. Even if the patch exists, using a non-default native VLAN (not VLAN 1) on trunks is still a best practice to reduce risk and avoid confusion. So yeah, the VLAN 1 thing still matters from a security hygiene standpoint.
As for your switches (2960G, 2960S/X, 3750G, 4506), whether they're patched depends on the IOS version, not just the model. Run sh version on each and check Cisco’s bug tracker or security advisories to confirm.
hope it helps!
-Enes
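The following is an added example, not code from the thread or from Cisco. It models in plain Python the two behaviours the reply above contrasts: a legacy switch that accepts a tagged frame on an access port when the tag matches the access VLAN and then sends the native VLAN untagged on the trunk (so the inner tag survives and the next switch places the frame in VLAN 100), versus a modern switch that drops tagged frames on access ports, and separately the effect of moving the native VLAN off VLAN 1. The MAC addresses, payload and the exact ingress rule of the "legacy" switch are assumptions made for the simulation; the frame layout (0x8100 tag with the VID in the low 12 bits of the TCI) is standard 802.1Q.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (assumptions, not from the thread).
ATTACKER_MAC = bytes.fromhex("020000000001")
VICTIM_MAC = bytes.fromhex("020000000064")
PAYLOAD = b"constructed IPv4 payload"


def build_frame(dst, src, vlans, payload):
    """Build an Ethernet frame with zero or more 802.1Q tags (outermost first)."""
    frame = dst + src
    for vid in vlans:
        # TCI: PCP=0, DEI=0, VID in the low 12 bits
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, [vid, ...] outermost first, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vlans = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        vlans.append(tci & 0x0FFF)
        off += 4
    (ethertype,) = struct.unpack("!H", frame[off:off + 2])
    return dst, src, vlans, ethertype, frame[off + 2:]


def switch_access_to_trunk(frame, access_vlan, native_vlan, drop_tagged_on_access):
    """Model the first switch: frame arrives on an access port, leaves on the trunk.

    Returns the egress frame, or None if the switch drops it.
    """
    dst, src, vlans, _, payload = parse_frame(frame)
    if vlans:
        if drop_tagged_on_access:
            # Modern behaviour described in the thread: tagged frame on an
            # access port is dropped, so the attack never reaches the trunk.
            return None
        # Legacy behaviour (modelled assumption): a tag equal to the access
        # VLAN is accepted and consumed on ingress; any other tag is dropped.
        if vlans[0] != access_vlan:
            return None
        vlans = vlans[1:]
    # Trunk egress: the native VLAN leaves untagged, any other VLAN gets a tag.
    if access_vlan != native_vlan:
        vlans = [access_vlan] + vlans
    return build_frame(dst, src, vlans, payload)


def trunk_ingress_vlan(frame, native_vlan):
    """Model the second switch: classify a frame received on its trunk by its
    outermost tag, or as native VLAN traffic if it arrives untagged."""
    _, _, vlans, _, _ = parse_frame(frame)
    return vlans[0] if vlans else native_vlan


def simulate(native_vlan, drop_tagged_on_access, access_vlan=1, target_vlan=100):
    """Send the thread's frame (outer tag = access VLAN, inner tag = target VLAN)
    and report which VLAN the second switch delivers it into, or None if dropped."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [access_vlan, target_vlan], PAYLOAD)
    egress = switch_access_to_trunk(frame, access_vlan, native_vlan, drop_tagged_on_access)
    if egress is None:
        return None
    return trunk_ingress_vlan(egress, native_vlan)


if __name__ == "__main__":
    print("legacy switch, native VLAN 1  :", simulate(1, False))    # 100: hop succeeds
    print("modern switch, native VLAN 1  :", simulate(1, True))     # None: dropped
    print("legacy switch, native VLAN 999:", simulate(999, False))  # 1: no hop
```

The third case is the point of the "non-default native VLAN" advice: with the native VLAN moved to an unused ID, VLAN 1 is no longer sent untagged on the trunk, so the switch re-tags the frame with VID 1 and the downstream switch never sees the inner tag 100 as the outermost one.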
08-06-2025 05:06 AM
My 2960G are on IOS 12.2, 2960X on 15.0, 3750G on 12.2 and 4506 on 15.1. I tried to find something in the bug tracker or security advisories about this but didn't find anything. Do you know in which IOS version this got patched?
08-06-2025 12:17 PM
More notes about the L2 VLAN hopping attack