VLAN Hopping - how real is the threat?
I've been reading up on the subject of VLAN hopping and am trying to understand exactly what the impact of such a threat is and how it can be mitigated.
Assuming double-tagging from a host using 802.1q (and not switch spoofing via auto trunking), and the outer tag is the same as the native VLAN of the switch trunks:
- host sends double-tagged frames to the switch with the outer tag the same as the native VLAN
- switch strips the native VLAN tag when it sends the frame across the trunk link to the other switch.
- other switch then sends the frame to the target VLAN host - the VLAN has been 'hopped'
Now if the above happened, surely the only thing that can be done is a unidirectional attack, i.e. DoS, as there's no way for any communication to happen back from the target host (as that is not double tagging) - is this correct? I guess you'd need at least 2 switches to make this happen in any case, so that the stripped frame crosses the trunk link?
Also using standard best practices of setting an unused VLAN as the native VLAN on trunk links, or tagging all dot1q vlans (vlan dot1q tag native) would prevent this from happening in the first place.
Finally, if the switch ports were configured as 'access' ports only (switchport mode access) and trunking was off (switchport nonegotiate), and that port received a tagged frame, would it drop it? I.e. switchport access vlan 10 is configured and the user sends a double-tagged frame with the outer frame as VLAN 1 - is this dropped immediately?
Appreciate any comments/thoughts
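As an added illustration (not part of the question above, and not any vendor's switch code), the following Python models the three steps the question lists: an access port classifying a frame, the 802.1Q trunk stripping or keeping the native-VLAN tag on egress, and the peer switch deciding which VLAN the arriving frame belongs to. The access-port and trunk behaviours are deliberately simplified assumptions chosen to mirror the scenario described, the sample frame is constructed inline, and `tag_native` stands in for the effect of `vlan dot1q tag native`. Running the same constructed frame through the model shows the hop with a default native VLAN, and shows why the two mitigations mentioned (an unused native VLAN, or tagging the native VLAN) leave the frame in the sender's VLAN.

```python
"""Model of 802.1Q double-tagging across a trunk, and why the usual mitigations stop it.

Example code; the access-port and trunk egress rules are simplified assumptions,
not a description of a particular switch implementation.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EtherTypes that introduce a VLAN tag: 802.1Q (0x8100) and 802.1ad S-tag (0x88A8).
VLAN_ETHERTYPES = {0x8100, 0x88A8}


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    vlans: List[int]   # VLAN IDs in the tag stack, outermost first
    ethertype: int     # EtherType of the payload after the last tag
    payload: bytes


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the Ethernet header and any stacked 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset, vlans = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in VLAN_ETHERTYPES:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return ParsedFrame(dst, src, vlans, ethertype, frame[offset + 2:])


def is_double_tagged(frame: bytes) -> bool:
    """Detection check: more than one VLAN tag on a frame from an end host."""
    return len(parse_frame(frame).vlans) >= 2


def vlan_tag(vid: int, tpid: int = 0x8100) -> bytes:
    """Encode one 4-byte 802.1Q tag (priority bits left at zero)."""
    return struct.pack("!HH", tpid, vid & 0x0FFF)


def ingress_access_port(frame: bytes, access_vlan: int) -> Tuple[Optional[int], Optional[bytes]]:
    """Assumed access-port rule: untagged frames join access_vlan; a frame tagged
    with the port's own access VLAN is accepted with that outer tag removed
    (the behaviour that makes the hop possible); any other tag is dropped."""
    p = parse_frame(frame)
    if not p.vlans:
        return access_vlan, frame
    if p.vlans[0] == access_vlan:
        return access_vlan, frame[:12] + frame[16:]   # strip the outer 4-byte tag
    return None, None


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """Assumed trunk egress rule: the native VLAN leaves untagged unless the
    native VLAN is tagged (tag_native); every other VLAN gets a tag prepended."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + vlan_tag(vlan) + frame[12:]


def vlan_seen_by_peer(wire_frame: bytes, native_vlan: int) -> int:
    """The receiving trunk port uses the outer tag if present, else the native VLAN."""
    p = parse_frame(wire_frame)
    return p.vlans[0] if p.vlans else native_vlan


def simulate(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool = False):
    """Return the VLAN the peer switch assigns the frame to, or None if it was dropped."""
    vlan, inner = ingress_access_port(frame, access_vlan)
    if vlan is None:
        return None
    wire = trunk_egress(vlan, inner, native_vlan, tag_native)
    return vlan_seen_by_peer(wire, native_vlan)


# Constructed sample: broadcast destination, locally administered source MAC,
# outer tag VLAN 1, inner tag VLAN 10, IPv4 EtherType, zero-filled payload.
SAMPLE_DOUBLE_TAGGED = (
    bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    + vlan_tag(1) + vlan_tag(10) + b"\x08\x00" + b"\x00" * 46
)

if __name__ == "__main__":
    print("double tagged:", is_double_tagged(SAMPLE_DOUBLE_TAGGED))
    print("native VLAN 1, untagged native:", simulate(SAMPLE_DOUBLE_TAGGED, 1, 1))
    print("unused native VLAN 999:        ", simulate(SAMPLE_DOUBLE_TAGGED, 1, 999))
    print("native VLAN 1 tagged:          ", simulate(SAMPLE_DOUBLE_TAGGED, 1, 1, tag_native=True))
    print("port in VLAN 20, outer tag 1:  ", simulate(SAMPLE_DOUBLE_TAGGED, 20, 1))
```

With the sender's port and the trunk native VLAN both at 1, the peer assigns the frame to VLAN 10, which is the hop. Moving the native VLAN to an unused ID, or tagging the native VLAN on the trunk, leaves the frame in VLAN 1 on the far side; in the model, a port whose access VLAN differs from the outer tag discards the frame at ingress.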