eastbaycyber

What Is VLAN Hopping?

Glossary 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

A VLAN, or virtual LAN, is used to separate network traffic into distinct Layer 2 segments. In normal operation, devices on one VLAN should not directly interact with devices on another VLAN unless traffic passes through a Layer 3 device such as a router or firewall.

VLAN hopping is a network attack technique that allows an attacker on one VLAN to send traffic into another VLAN they should not be able to access. It works by abusing switch behavior, VLAN tagging, or misconfiguration that weakens the isolation VLANs are meant to provide.

If you are reviewing related network security concepts, it also helps to understand what is network segmentation and what is lateral movement.

How VLAN Hopping Works

The two classic VLAN hopping techniques are switch spoofing and double tagging. Both depend heavily on switch configuration, which is why this is primarily a hardening problem.

Switch Spoofing

In a switch spoofing scenario, the attacker makes their device appear to be a switch rather than a normal endpoint.

If the connected switch port is misconfigured and allows dynamic trunk negotiation, the attacker may be able to convince the switch to establish a trunk link. Once that happens, the attacker could potentially send and receive traffic for multiple VLANs instead of being limited to a single access VLAN.

This usually depends on weak configuration such as:

  • access ports left in dynamic trunking modes
  • unnecessary trunk negotiation enabled
  • poor separation between user ports and true uplink ports

In a well-hardened network, user-facing ports should be configured as access ports and should not negotiate trunks.

Double Tagging

Double tagging abuses the way some switches handle 802.1Q VLAN tags.

The attacker crafts an Ethernet frame with two VLAN tags:

  • the outer tag matches the native VLAN on the trunk
  • the inner tag identifies the target VLAN

If the first switch strips the outer tag because it matches the native VLAN, the frame may continue across the trunk with the inner tag still present. A downstream switch may then forward the traffic into the target VLAN.

A few practical limits matter here:

  • success depends on topology and switch behavior
  • the attacker often needs access that aligns with native VLAN handling
  • this is not a universal bypass of any VLAN design
  • good switch hardening can significantly reduce the risk

Why VLAN Hopping Is Possible

VLAN hopping is not evidence that VLANs are inherently broken. The real issue is that segmentation only works when switch behavior matches the design.

The key distinction is between:

  • access ports, which should connect endpoints to one VLAN
  • trunk ports, which carry traffic for multiple VLANs between network devices

If access ports are allowed to behave like switch uplinks, or if trunk and native VLAN settings are sloppy, the security boundary gets weaker.

What Attackers Can Gain

If VLAN hopping succeeds, an attacker may be able to:

  • reach management networks
  • access server segments
  • scan devices on other VLANs
  • bypass basic internal segmentation
  • move laterally more easily
  • target systems that were assumed to be isolated

The real impact depends on what exists in the target VLAN and whether additional controls exist at Layer 3 or above.

Important Practical Limitation

VLAN hopping is a real concept, but it is sometimes overemphasized compared with more common segmentation failures.

In many enterprise environments, weak isolation is more often caused by:

  • flat routing between networks
  • permissive firewall rules
  • exposed management services
  • poor access control lists
  • over-trusted internal systems

So while VLAN hopping matters, it should be viewed as part of broader network security hygiene rather than the only segmentation risk.

When You’ll Encounter VLAN Hopping

VLAN hopping usually comes up in a few common security and infrastructure scenarios.

During Network Hardening Reviews

Teams often discuss VLAN hopping during:

  • switch baseline reviews
  • branch network hardening
  • access layer design reviews
  • segmentation validation exercises
  • switchport policy cleanup

This is where administrators confirm that endpoint-facing ports are configured strictly as access ports.

In Penetration Testing and Internal Assessments

Internal network penetration tests may look for:

  • dynamic trunk negotiation on access ports
  • misconfigured native VLANs
  • weak switchport security settings
  • inconsistent Layer 2 design assumptions

If a tester finds a port that can negotiate trunking, VLAN hopping becomes a meaningful risk.

In Legacy Switching Environments

Older or inherited switching environments are more likely to contain:

  • default settings left in place
  • inconsistent trunk standards
  • shared native VLAN use
  • weak documentation of port roles

Those conditions make it easier for segmentation assumptions to drift away from reality.

In Segmentation Assurance Discussions

VLAN hopping also appears in broader conversations about whether segmentation is actually being enforced.

That question matters especially for:

  • management VLANs
  • guest networks
  • voice networks
  • OT or ICS segments
  • administrator workstations
  • sensitive internal services

The bigger lesson is that segmentation should be tested, not just assumed.

How to Reduce the Risk

Practical defenses against VLAN hopping include:

  • disabling dynamic trunk negotiation on access ports
  • explicitly configuring user-facing ports as access ports
  • limiting trunk ports to known inter-device links
  • avoiding unnecessary native VLAN exposure
  • using an unused VLAN as the native VLAN where appropriate
  • restricting which VLANs are allowed on each trunk
  • auditing switch configurations regularly
  • validating segmentation with testing instead of relying on diagrams

If remote administrators manage network infrastructure over the internet, protecting those accounts matters too. Tools like Try 1Password → can help reduce password reuse for admin access, though they are complementary controls, not a fix for switch misconfiguration.

Bottom Line

VLAN hopping is an attack against weak Layer 2 segmentation, usually involving trunk negotiation mistakes or VLAN tagging edge cases. It is less a failure of the VLAN concept than a reminder that segmentation only works when switch ports, trunking behavior, and native VLAN handling are configured deliberately and reviewed regularly.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.