What Is Switch Spoofing, and How to Prevent It in SMB Networks

Switch spoofing is an often under-recognized threat to small and medium-sized business (SMB) networks. By imitating a legitimate network switch on your network, attackers can gain access to sensitive infrastructure and data and further other exploits through a ‘VLAN hopping’ attack.

This practical guide explains how to prevent switch spoofing for IT administrators and managed service providers (MSPs) responsible for the operation and security of SMB networks. It covers hardening interfaces, validating with automated and repeatable checks, and producing audit-ready readiness evidence.

What is switch spoofing?

Switch spoofing is a common name for a VLAN hopping attack. This is when a hacker connects a device to your network that impersonates a real switch, and tricks a vulnerable switch (which has an overly-permissive configuration) on your network into creating a trunk link with it. This trunk link carries data from other VLANs, so the attacker is able to bypass VLAN isolation and gain access to data.

VLANs (virtual LANs) are network partitions that let you keep different devices separate from each other while connected to the same physical networking infrastructure (known as network segmentation). These are commonly deployed in an organization to isolate different networks without requiring parallel infrastructure, and for security. For example, public Wi-Fi may share physical links and an external internet connection with internal IT resources, but be placed on a separate VLAN to prevent users from being able to access private assets.

Attackers can obtain access to your network infrastructure in a number of ways: for example, an exposed Ethernet port in a public place, unsecured ports in an office environment, or using compromised devices and endpoints.

What are the methods of VLAN hopping?

In addition to switch spoofing, double tagging is another method of VLAN hopping, in which the attacker attaches two VLAN tags (inner and outer) to the same Ethernet frame, the distinct unit used to transmit data.

When the first tag is discarded by the trunk port – by design when the tag matches the native VLAN – and the frame is forwarded, other switches will think it originated from the second VLAN. While this method is unidirectional (traffic won’t make it back), it can still be used to craft attacks.

How can VLAN hopping be prevented?

By following the recommendations in this article, you’ll implement the following best practices to help you mitigate VLAN hopping attacks:

What you need to prevent switch spoofing

You’ll need access to the following information and tools to mitigate VLAN attacks through switch spoofing on your SMB network:

• Network switch models and OS/firmware versions that support disabling dynamic trunking protocol (DTP) or their equivalent auto-trunking technologies
• A network plan (new or existing) for user VLANs, management VLANs, as well as an unused native VLAN ID
• Change window and out-of-band access for rollback if something goes wrong
• A central documentation platform to store configuration backups, validation screenshots, and monthly evidence summaries

Switch monitoring software can also be deployed for supported devices.

Recommendation 1: Force access mode on edge ports

The primary method for preventing VLAN hopping through switch spoofing is to set ports to not negotiate trunk links automatically. 

• Set ports to edge mode: Set all user-facing ports  (also known as edge ports)  to access mode so that they cannot be used to negotiate new trunks.
• Configure ports correctly for their purpose: Ensure that the correct VLAN is set for each port. Set an unused, and otherwise disabled, VLAN ID as the native VLAN, instead of the default VLAN 1, to prevent hopping via double-tagging.
• Document configurations: Document all ports and VLANS in your centralized IT documentation so that the expected behavior of a port can be looked up without having to log into management interfaces.

Recommendation 2: Lock down trunks

Ports that need to be able to negotiate trunks should be locked down, as default configurations may allow behavior that allows switch spoofing.

• Manually configure trunk ports: Disable DTP on any remaining trunk-capable interfaces, and explicitly set allowed VLANs rather than being permissive by default.
• Lock down native VLAN: If the native VLAN is used, ensure user traffic is not permitted.
• Document everything: As part of your documentation, include why VLANs are permitted on different interfaces, and revise these when necessary to limit access where it is only required.

Recommendation 3: Enable first-hop security

Port security features should be enabled on all edge ports, with MAC restrictions to prevent unauthorized devices. DHCP snooping and ARP inspection should also be deployed to validate traffic and mitigate common Layer 2 (the data link layer in the OSI networking model) attacks.

Vendor-specific security technologies like Cisco BPDU Guard can also be deployed to lock down networks and prevent rogue devices connecting from edge ports.

Recommendation 4: Control identity at the edge

Network access control (NAC) best practices should be followed to separate networks, and ensure trusted, guest, and anomalous devices are clearly identified and separated. Where practical, deploy 802.1X to authenticate network access, with MAC authentication bypass (MAB) for devices that do not support 802.1X.

Recommendation 5: Validate that your protections work

You can test the effectiveness of your switch spoofing prevention measures by mimicking real-world attacks. Connect an unprivileged laptop and attempt to send DTP or tagged frames to verify that no VLAN escalation occurs. Data captured during these tests can be used as evidence of effectiveness.

Method 6: Monitor, review, and revise anti-spoofing measures and outcomes

As part of your IT monitoring process, you should:

• Protect against configuration drift: Capture and store configurations and compare them with standards to ensure there is no configuration drift or tampering.
• Make sure technicians are notified immediately: Configure notifications for repeated port security violations and integrate handling network security issues with your incident response playbook.

Regularly review the collected data to assess the effectiveness of your switch spoofing protections:

• Review regularly: Review exception lists and port mappings to ensure exposure is reduced by ensuring no trunk ports are available at the edge, and that exceptions for legacy devices are retired when they are no longer needed.
• Revise documentation when configurations or processes change: Document outcomes and the resulting configuration changes thoroughly to assist with troubleshooting and prove compliance.

NinjaOne combines management, enforcement, monitoring, and automation to help detect and mitigate network intrusion

Ensuring consistent network configurations and gapless monitoring that quickly identifies rogue actors on your networks is a challenge that scales with your infrastructure.

NinjaOne helps you meet the ever-changing cybersecurity landscape with a flexible toolchain that unifies remote monitoring and management (RMM) for endpoints with network monitoring and management (NMS), while also integrating with security tools like CrowdStrike and SentinelOne.

You can capture and compare network device configurations and logs to ensure consistency and prevent drift, and send alerts when attempts to create new trunks are detected. Summaries can be formatted and stored in built-in NinjaOne documentation tools for review and for use as compliance evidence.

VLAN hopping and other network intrusion and lateral movement attempts can also be quickly detected by AI-powered cybersecurity platforms, leveraging NinjaOne to create tickets and immediately alert engineers.