Virtual LANs (VLANs) logically separate broadcast domains on a single physical switch. Understanding how switches handle tagged and untagged frames is critical for both designing secure topologies and preventing Layer 2 bypass attacks.
Access ports strip tags and send untagged frames to endpoints. Trunk ports carry multiple VLANs by inserting a 4-byte 802.1Q tag into the Ethernet frame header, allowing switches to maintain separation across links.
💡 Pro-tip: Always change the Native VLAN on trunk ports from the default VLAN 1 to an unused, dedicated VLAN. This prevents VLAN hopping attacks that exploit untagged traffic.
Moving untagged trunk traffic to an unused VLAN such as VLAN 999 isolates it from user data and mitigates double-tagging attacks, because a frame whose outer tag is VLAN 1 is no longer treated as native and stripped.
In a double-tagging attack, an attacker sends a frame carrying two 802.1Q tags. The outer tag matches the trunk's native VLAN, so the first switch strips it and forwards the frame untagged across the trunk. The second switch then reads the now-exposed inner tag and delivers the frame into the target VLAN, bypassing the ACLs that would otherwise block traffic from the attacker's VLAN.
⚠️ Double-tagging attacks are unidirectional. The attacker cannot receive return traffic, but they can successfully inject malicious packets into isolated VLANs (e.g., spoofing syslog or DNS).
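As an added example, not part of this page's original material, the following Python script parses the 802.1Q tag stack of a raw Ethernet frame and flags the pattern described above: a frame carrying two tags whose outer VID equals the trunk's native VLAN. It is the kind of check a span-port monitor or IDS rule would run. The three sample frames are constructed inline (broadcast destination, made-up source MAC, a few bytes of payload); `parse_frame`, `assess_frame` and the `native_vlan` parameter are names chosen for this example, not a real tool's API.

```python
import struct
from dataclasses import dataclass

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ) and the legacy QinQ value.
TPIDS = {0x8100, 0x88A8, 0x9100}


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vlan_ids: list  # outer-to-inner order, empty for an untagged frame
    ethertype: int  # the EtherType found after the last tag


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk every 802.1Q/802.1ad tag after the two MAC addresses."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    offset = 12
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TPIDS:
            break  # reached the real payload EtherType
        (tci,) = struct.unpack_from("!H", frame, offset)  # PCP(3) DEI(1) VID(12)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits are the VLAN ID
    return ParsedFrame(dst, src, vlan_ids, ethertype)


def assess_frame(frame: bytes, native_vlan: int) -> list:
    """Return human-readable findings for a frame observed on a trunk."""
    parsed = parse_frame(frame)
    findings = []
    if len(parsed.vlan_ids) >= 2:
        outer, inner = parsed.vlan_ids[0], parsed.vlan_ids[1]
        findings.append(f"double-tagged frame: outer VID {outer}, inner VID {inner}")
        if outer == native_vlan:
            # The upstream switch would strip the outer tag and expose the inner one.
            findings.append(
                f"outer VID equals native VLAN {native_vlan}: double-tagging hop pattern"
            )
    return findings


# Constructed sample frames (hex): dst ff:ff:ff:ff:ff:ff, src 00:11:22:33:44:55.
_HDR = "ffffffffffff" "001122334455"
_PAYLOAD = "45000014"  # arbitrary bytes standing in for an IP header
SAMPLE_FRAMES = {
    # plain IPv4 frame, no tag
    "untagged": bytes.fromhex(_HDR + "0800" + _PAYLOAD),
    # single 802.1Q tag, VID 10
    "single_vlan10": bytes.fromhex(_HDR + "8100" "000a" + "0800" + _PAYLOAD),
    # outer tag VID 1 (default native), inner tag VID 20 (target VLAN)
    "double_1_over_20": bytes.fromhex(_HDR + "8100" "0001" + "8100" "0014" + "0800" + _PAYLOAD),
}


def scan_samples(native_vlan: int) -> dict:
    """Assess every constructed sample against the given native VLAN."""
    return {name: assess_frame(frame, native_vlan) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for native in (1, 999):
        print(f"--- native VLAN {native} ---")
        for name, findings in scan_samples(native).items():
            print(name, findings or ["ok"])
```

Running the block with native VLAN 1 reports both findings for the double-tagged sample; with native VLAN 999 (the value the tip recommends) the frame is still flagged as double-tagged but no longer matches the hop pattern, because the first switch would not strip a VID 1 outer tag. On Cisco IOS the corresponding configuration is `switchport trunk native vlan 999` under each trunk interface; adding `vlan dot1q tag native` globally makes the switch tag native-VLAN frames on trunks as well, so an outer tag is never silently removed.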
| Port Type | Frame State | Use Case |
|---|---|---|
| Access | Untagged | Endpoints / PCs |
| Trunk | Tagged (802.1Q) | Switch-to-Switch / Router |
| Voice | Tagged + Untagged | IP Phones + PCs |