Routing and VLANs are the part of networking most security practitioners handwave through — and precisely the part where enterprise-class attacks happen. This module covers the routing and segmentation topics that matter for a security practitioner: VLAN hopping, BGP hijacking, subnet design for security, and the network-layer attack surface even cloud-native environments haven’t escaped.
By the end of this module you will understand:
- How VLANs provide (and fail at) network segmentation
- The two main VLAN-hopping attack techniques and their defences
- How BGP holds the internet together — and how BGP hijacks still succeed in 2026
- What “network segmentation” actually means in a Zero Trust world
- Cloud-native equivalents (VPC, security groups, NACLs) and how they map to on-prem concepts
VLANs — virtualised broadcast domains
A VLAN (Virtual LAN) is a logical grouping of Ethernet ports that acts as a single broadcast domain. Two machines on VLAN 10 can talk to each other as if they were on the same physical switch, even if one is on port 3 in Delhi and the other on port 47 in Bangalore, connected via a trunk link.
VLAN IDs are 12 bits (1 – 4094, with 0 and 4095 reserved). The VLAN tag is added to Ethernet frames as a 4-byte 802.1Q header.
Two kinds of switch ports:
- Access port — belongs to exactly one VLAN. Hosts connect here. Frames are untagged from the host's perspective; the switch adds the VLAN tag on ingress and strips it on egress
- Trunk port — carries multiple VLANs. Frames retain their 802.1Q tag while traversing the trunk. Switch-to-switch links, hypervisor uplinks, etc.
VLANs are a security control only if implemented correctly. A single misconfiguration and segmentation dissolves.
VLAN-hopping attack 1 — Switch Spoofing
Some older/misconfigured switches auto-negotiate trunk ports via DTP (Dynamic Trunking Protocol). An attacker connects a laptop, speaks DTP, says “I’m a switch.” The switch obligingly turns the access port into a trunk — now the attacker receives traffic from every VLAN.
Defence:
- Disable DTP globally: `switchport nonegotiate` on all access ports
- Explicitly configure access ports: `switchport mode access`
- Shut unused ports: `shutdown`
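The three commands above are easy to apply to one port and easy to miss on the other 47. The following script, an added example that is not part of this module, audits a Cisco IOS-style running-config and lists every port that can still negotiate a trunk over DTP. The running-config embedded in it is constructed for illustration; the interface names and descriptions are not from any real switch.

```python
"""Audit a Cisco IOS-style running-config for ports that still allow DTP.

Added example, not part of the original module. The running-config below
is constructed for illustration; interface names and descriptions are
hypothetical.
"""
import re

# Constructed sample running-config (hypothetical switch).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description user-port-hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user-port-left-at-defaults
 switchport access vlan 10
!
interface GigabitEthernet0/3
 description auto-trunk
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 description unused
 shutdown
!
interface GigabitEthernet0/24
 description uplink-to-core
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_port(cmds: list[str]) -> list[str]:
    """Return findings for one port; an empty list means the port is hardened."""
    if "shutdown" in cmds:
        return []  # an administratively down port negotiates nothing
    mode_lines = [c for c in cmds if c.startswith("switchport mode ")]
    mode = mode_lines[-1].removeprefix("switchport mode ") if mode_lines else None
    if mode is None:
        # Most Catalyst switches default to 'dynamic auto' or 'dynamic
        # desirable'; either answers DTP and will turn the port into a trunk.
        return ["no explicit 'switchport mode' (default dynamic mode answers DTP)"]
    if mode.startswith("dynamic"):
        return [f"'switchport mode {mode}' negotiates trunking via DTP"]
    if "switchport nonegotiate" not in cmds:
        # Static access/trunk ports still emit DTP frames until told not to.
        return ["missing 'switchport nonegotiate' (DTP frames still sent)"]
    return []


def audit_config(config: str) -> dict[str, list[str]]:
    """Return only the non-compliant interfaces with their findings."""
    return {
        name: findings
        for name, cmds in parse_interfaces(config).items()
        if (findings := audit_port(cmds))
    }


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run against the embedded sample, the audit reports GigabitEthernet0/2 (no explicit mode) and GigabitEthernet0/3 (dynamic desirable); the shut port and the two ports carrying `switchport nonegotiate` pass. Feed it the output of `show running-config` from your own switches to get the same list for real.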
VLAN-hopping attack 2 — Double Tagging
The attacker crafts a frame with two 802.1Q tags. Outer tag = attacker’s own VLAN (native VLAN of the trunk). Inner tag = target VLAN. The first switch strips the outer tag (because it matches the native VLAN) and forwards. The next switch sees the inner tag and delivers into the target VLAN. One-way injection is possible; response traffic has no return path.
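To make the 4-byte 802.1Q header described earlier and the double-tagging pattern concrete, here is an added example (not code from this module) that parses the tag stack of a raw Ethernet frame and flags the case where the outer tag equals the trunk's native VLAN and a second tag sits beneath it. The frames are constructed in-line as test vectors; the MAC addresses, VLAN IDs and the native VLAN of 1 are assumptions.

```python
"""Parse 802.1Q tag stacks and flag the double-tagging pattern.

Added example, not code from the original module. Frames are constructed
in-line; the MAC addresses, VLAN IDs and native VLAN are assumptions.
"""
import struct

# EtherTypes that introduce a VLAN tag: 0x8100 (802.1Q C-tag), 0x88A8
# (802.1ad S-tag), 0x9100 (legacy QinQ). Each is followed by a 2-byte TCI:
# PCP (3 bits), DEI (1 bit), VID (12 bits).
TAG_ETHERTYPES = {0x8100, 0x88A8, 0x9100}


def parse_vlan_stack(frame: bytes) -> tuple[list[int], int]:
    """Return (VLAN IDs outermost-first, EtherType of the payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off = 12  # skip dst + src MAC
    vids: list[int] = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype not in TAG_ETHERTYPES:
            return vids, ethertype
        if off + 2 > len(frame):
            raise ValueError("truncated TCI")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID


def is_double_tag_hop(frame: bytes, native_vid: int) -> bool:
    """True when the outer tag equals the trunk's native VLAN and a second
    tag sits beneath it: the first switch pops the outer tag and the next
    switch delivers the frame into the inner VLAN."""
    vids, _ = parse_vlan_stack(frame)
    return len(vids) >= 2 and vids[0] == native_vid


def tagged_frame(vids: list[int], payload: bytes = b"\x45\x00\x00\x14") -> bytes:
    """Build a constructed test vector: broadcast dst, locally administered
    src, one 802.1Q tag per VID (PCP=0, DEI=0), then an IPv4 EtherType."""
    dst = b"\xff" * 6
    src = b"\x02\x00\x00\x00\x00\x01"
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", 0x0800) + payload


NATIVE_VLAN = 1  # assumed trunk native VLAN (the IOS default)

if __name__ == "__main__":
    for vids in ([], [10], [1, 20], [99, 20]):
        frame = tagged_frame(vids)
        print(vids, parse_vlan_stack(frame), is_double_tag_hop(frame, NATIVE_VLAN))
```

Only the `[1, 20]` frame is flagged: the untagged and single-tagged frames are ordinary traffic, and `[99, 20]` has an outer tag the first switch would not strip. A sensor on a trunk or SPAN port can apply the same check to captured frames. On the switch side, the usual countermeasure is to make the native VLAN of every trunk an otherwise unused VLAN ID (and to tag native-VLAN frames on the trunk), so that no access VLAN an attacker can reach matches the value the first switch strips.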