Def­i­n­i­tions:

• A trunk con­nec­tion is a con­nec­tion between two switches.

Tools

• Yersinia is a lay­er 2 mod­i­fi­ca­tion framework.
• VoIPHop­per is a sim­ple tool which can sniff VoIP traf­fic and out­put the VLAN ID from the VoIP net­work:
  voiphopper -c 0 -i eth0

Enumerate existing VLANs

1. Start Yersinia
   yersinia -I
2. Press g
3. Select DTP
4. Press 5 to see the status
5. Press g
6. Select 802.1Q
7. The list will update with the detect­ed VLAN IDs.

Create VLAN interface

If you want to com­mu­ni­cate with­in a VLAN, con­fig­ure your net­work inter­face as follows:

1. modprobe 8021q
2. vconfig add eth0 100

A new eth­er­net device was cre­at­ed with VLAN id 100 which can be con­fig­ured nor­mal­ly. For exam­ple, request a IP address with

• dhclient eth0.100

You can now use the IP address nor­mal­ly. All traf­fic through this inter­face will use the VLAN ID you set. To remove it, use

1. vconfig rem eth0.100

Notes

• Check if there are VoIP VLANs and try them first. Often, e.g. in Cis­co net­works, VoIP VLANs are open so that each VoIP device can con­nect to the net­work directly.
  1. Start Wireshark/tcpdump
  2. Fil­ter for the CDP Cis­co Dis­cov­ery Protocol
  3. Look into the VoIP VLAN Reply field, which con­tains the VLAN ID for the VoIP network.
• There are only 4096 VLAN IDs pos­si­ble. There­fore, you could also brute-force the VLAN ID by cre­at­ing eth0.XXXX in a loop, request­ing an IP or set­ting one and then try to ping/connect to your tar­get which should be reach­able with­in the tar­get VLAN you want access to.