Double Tagging
Double Tagging Definition
Double tagging is a type of VLAN hopping attack in which an attacker adds two 802.1Q VLAN tags to a single Ethernet frame to sneak traffic into a VLAN they are not supposed to access. It takes advantage of how some switches handle “native” VLAN traffic on trunk links: the first switch removes the outer tag, which matches the trunk’s native VLAN, and forwards the frame based on the remaining inner tag.
This isn’t a normal or intended networking feature. It happens when VLAN and trunk settings are loose or misconfigured, allowing a crafted frame to pass through network boundaries that should stay separate.
How Double Tagging Works
In a double tagging attack, a network frame is built with two VLAN tags:
- Outer tag: Matches the trunk’s native VLAN, so the first switch strips it off before forwarding.
- Inner tag: Identifies the VLAN the attacker is trying to reach; it is only exposed once the outer tag is gone.
After the outer tag is stripped, the frame continues with the inner tag still attached. A downstream switch reads that tag and forwards the traffic into the target VLAN.
It’s usually one-way. Someone can inject traffic into another VLAN, but replies normally follow standard switching and routing rules and won’t reliably make their way back to the attacker.
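The tag-stripping behaviour described above, as an added example that is not part of the original page: a small 802.1Q parser that walks the tag stack of a frame, a toy model of one trunk hop with an untagged native VLAN, and a detection rule for a trunk where stacked tags are not expected. The frames, MAC addresses and VLAN numbers are constructed here for illustration; the trunk model is simplified (one ingress classification, one egress, one downstream classification) and is an assumption, not any vendor’s exact forwarding logic.

```python
"""Added example: parse an 802.1Q tag stack and model how a trunk's
native-VLAN handling decides whether a double-tagged frame hops VLANs.
All sample frames are constructed inline; none come from a real capture."""
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    vlan_tags: list      # VLAN IDs, outermost first
    ethertype: int       # EtherType of the payload after the tag stack
    payload: bytes


def parse_frame(raw: bytes) -> ParsedFrame:
    """Walk the header, collecting every 802.1Q tag until a non-tag EtherType."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, offset, tags = raw[:6], raw[6:12], 12, []
    while True:
        if offset + 2 > len(raw):
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack_from("!H", raw, offset)
        offset += 2
        if etype != ETHERTYPE_8021Q:
            return ParsedFrame(dst, src, tags, etype, raw[offset:])
        if offset + 2 > len(raw):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", raw, offset)  # PCP(3) DEI(1) VID(12)
        offset += 2
        tags.append(tci & 0x0FFF)


def build_frame(dst, src, vlans, payload, ethertype=ETHERTYPE_IPV4) -> bytes:
    """Constructed sample input: an Ethernet frame with zero or more stacked tags."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_after_trunk_hop(frame: ParsedFrame, native_vlan: int) -> int:
    """Toy model (an assumption, not vendor logic) of one trunk hop where the
    native VLAN travels untagged. Returns the VLAN the next switch assigns."""
    # Ingress: classify by the outer tag, or by the native VLAN if untagged.
    ingress_vlan = frame.vlan_tags[0] if frame.vlan_tags else native_vlan
    # Egress onto the next trunk: native-VLAN traffic is sent untagged, which
    # removes the outer tag and exposes whatever tag sits beneath it.
    if ingress_vlan == native_vlan:
        forwarded_tags = list(frame.vlan_tags[1:])
    else:
        forwarded_tags = list(frame.vlan_tags)
    # The downstream switch classifies the forwarded frame the same way.
    return forwarded_tags[0] if forwarded_tags else native_vlan


def is_double_tag_suspect(frame: ParsedFrame, native_vlan: int) -> bool:
    """Detection rule for a trunk where Q-in-Q is not expected: two or more
    tags with the outer one equal to the trunk's native VLAN."""
    return len(frame.vlan_tags) >= 2 and frame.vlan_tags[0] == native_vlan


if __name__ == "__main__":
    DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
    crafted = parse_frame(build_frame(DST, SRC, [1, 20], b"constructed payload"))
    normal = parse_frame(build_frame(DST, SRC, [10], b"constructed payload"))
    print("tag stack:", crafted.vlan_tags)
    print("native VLAN 1   ->", vlan_after_trunk_hop(crafted, 1))    # lands in VLAN 20
    print("native VLAN 999 ->", vlan_after_trunk_hop(crafted, 999))  # stays in VLAN 1
    print("flag crafted:", is_double_tag_suspect(crafted, 1),
          "flag normal:", is_double_tag_suspect(normal, 1))
```

With the native VLAN left at 1 the crafted frame ends up classified into VLAN 20 after the hop; with the native VLAN moved to an unused ID (999 here) the outer tag is never stripped and the frame stays in VLAN 1, which is the effect of the first mitigation listed further down.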
Conditions for Double Tagging
- Trunk ports: Links that carry traffic for multiple VLANs.
- Native VLAN: The VLAN to which a trunk assigns frames that arrive untagged, and whose frames it sends untagged.
- Permissive trunk rules: Trunks that allow more VLANs than necessary.
- Misconfigured access/trunk boundaries: Ports or trunks set up in ways that make tag handling easier to abuse.
Risks of Double Tagging
- Unauthorized VLAN access: Traffic reaches a VLAN that should be separated.
- Internal exposure: Systems and services become easier to probe from the wrong segment.
- Security boundary erosion: VLAN separation becomes less reliable as a control.
- Follow-on activity: A foothold in the wrong VLAN can support broader internal attacks.
Double Tagging Prevention and Mitigation
- Assign the native VLAN to an unused ID and avoid using it for normal user or device traffic.
- Limit each trunk to only the VLANs it actually needs to carry.
- Turn off automatic trunk negotiation so only intended trunk links can carry multiple VLANs.
- Disable unused switch ports to prevent unauthorized devices from injecting traffic into the network.
- Use additional VLAN isolation methods to reduce lateral movement within the network.
- Apply VLAN-level traffic filtering to restrict how traffic moves between segments.
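The first four mitigations above, shown as an added configuration example (not from the original page) in Cisco IOS syntax with a weak trunk next to its hardened form. The interface names and VLAN numbers are hypothetical; the global command that forces the native VLAN to be tagged is only available on some platforms and is included as an assumption to be checked against the switch in use.

```cisco
! Weak: default native VLAN 1 carried untagged, every VLAN allowed on the trunk,
! DTP negotiation left on, unused ports left active.
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
!
! Hardened equivalent (hypothetical interface and VLAN numbers).
interface GigabitEthernet1/0/1
 switchport mode trunk
 ! Native VLAN moved to an unused ID that carries no user or device traffic.
 switchport trunk native vlan 999
 ! Only the VLANs this trunk actually needs.
 switchport trunk allowed vlan 10,20,30
 ! No DTP: the port will not auto-negotiate trunking with whatever is plugged in.
 switchport nonegotiate
!
! Where the platform supports it, tag native-VLAN frames as well so no frame
! ever leaves a trunk untagged (assumption: check availability on your switch).
vlan dot1q tag native
!
! Unused ports: access mode, parked in the unused VLAN, and shut down.
interface range GigabitEthernet1/0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

The combination matters: moving the native VLAN to an unused ID means a crafted outer tag for VLAN 1 no longer matches the native VLAN and is not stripped, pruning the allowed list means an inner tag for a VLAN the trunk does not carry is dropped, and disabling negotiation keeps an access port from being talked into becoming a trunk in the first place.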
FAQ
Q: Is double tagging the same as Q-in-Q?
A: No. Double tagging is an attack technique used to cross VLAN separation. Q-in-Q is a legitimate way to stack VLAN tags so one VLAN can be carried inside another, usually in large networks.
Q: Does double tagging require special hardware?
A: Not necessarily. Basic packet tools can create double-tagged frames. Whether it works depends more on trunk and native VLAN configuration than on special hardware.
Q: Which networks are most exposed to double tagging?
A: Networks that use trunk links with a native VLAN are more exposed when trunk settings are loose. For example, networks are more vulnerable when too many VLANs are allowed on a trunk or when trunking is enabled unnecessarily. Well-configured networks with strict VLAN rules are much harder to attack.
Q: Can double tagging be detected?
A: Sometimes, but it isn’t always easy to spot. Double tagging can blend into normal internal traffic, especially if the network isn’t inspecting VLAN tags on trunk links. Unusual VLAN tag patterns or VLAN traffic that doesn’t match normal behavior can still point to a problem. Network monitoring and switch telemetry can help, and detection is more realistic when VLAN rules are strict and trunk configuration is reviewed regularly.
Q: Does double tagging affect Wi-Fi networks?
A: Not directly. Double tagging targets wired switching behavior on trunks. Wi-Fi can still be involved if it connects to a wired network where trunk and native VLAN handling is misconfigured.
