Network segmentation is one of the most frequently cited controls in enterprise security programmes, and one of the most frequently misconfigured. The fact that a VLAN exists in your switch config doesn't mean it's effective. Here's how we test it and what we find.
VLAN Hopping via Double Tagging
On switches where the native VLAN is misconfigured (typically left at the default and carried untagged on trunks) or where DTP (Dynamic Trunking Protocol) is enabled, double-tagged 802.1Q frames can be forwarded into VLANs the sender has no business accessing: the first switch strips the outer tag because it matches the trunk's native VLAN, and the next switch honours the inner tag. This requires adjacency to a trunk port, but in environments where workstations sit on trunk ports (common in older deployments) it's straightforward. Note that the traffic is one-way; replies from the target VLAN are not double-tagged and do not come back.
Dual-Homed Hosts as Pivot Points
The most reliable segmentation bypass we find isn't a protocol attack; it's a host with two NICs. Printers, servers, management appliances and OT gateways routinely sit in two or more network segments. Compromising one gives direct routed access to the other and bypasses every firewall rule between them, because the traffic never traverses the firewall at all.
Misconfigured ACLs
ACLs written as permit ip 10.0.0.0/8 any, rather than targeting specific subnets and ports, defeat segmentation entirely: every host in the /8 can reach everything on every port. We test by attempting connections on non-standard ports and from source addresses outside the intended subnets, both of which a correctly written ACL should block.
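The same check can be run offline against the ACL text before anyone sends a packet. The following is an added example, not code from the original article: it parses a simplified ACL syntax (permit|deny proto src dst [port], an assumed format rather than any vendor's exact one), evaluates a constructed list of test flows with first-match semantics and an implicit final deny, and reports flows whose verdict disagrees with the segmentation policy, alongside a scan for rules as broad as the one quoted above.

```python
import ipaddress

def _net(token):
    # "any" matches every address; otherwise a CIDR prefix such as 10.0.0.0/8
    return None if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [port]' lines into (action, proto, src, dst, port)."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("!")[0].split()          # '!' starts a comment
        if not parts:
            continue
        if parts[0] not in ("permit", "deny") or len(parts) not in (4, 5):
            raise ValueError(f"unparseable ACL line: {raw!r}")
        port = int(parts[4]) if len(parts) == 5 and parts[4] != "any" else None
        rules.append((parts[0], parts[1], _net(parts[2]), _net(parts[3]), port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First matching rule wins; a flow that matches nothing hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto)
                and (rsrc is None or src in rsrc)
                and (rdst is None or dst in rdst)
                and (rport is None or rport == dst_port)):
            return action
    return "deny"

def overly_broad(rules, min_prefix=24):
    """Indexes of permit rules with no port and a source or destination wider than /min_prefix."""
    wide = lambda n: n is None or n.prefixlen < min_prefix
    return [i for i, (action, _, src, dst, port) in enumerate(rules)
            if action == "permit" and port is None and (wide(src) or wide(dst))]

def segmentation_findings(rules, flows):
    """Names of test flows whose ACL verdict differs from what the segmentation policy expects."""
    return [name for name, proto, s, d, port, expected in flows
            if evaluate(rules, proto, s, d, port) != expected]

# Constructed sample data, not taken from any real environment.
BROAD_ACL = "permit ip 10.0.0.0/8 any   ! the anti-pattern the article describes\n"
TIGHT_ACL = "permit tcp 10.10.0.0/24 10.20.0.10/32 443\ndeny ip any any\n"
TEST_FLOWS = [  # (name, proto, src, dst, dst_port, verdict the policy expects)
    ("user->web https", "tcp", "10.10.0.5", "10.20.0.10", 443, "permit"),
    ("user->web ssh", "tcp", "10.10.0.5", "10.20.0.10", 22, "deny"),
    ("user->db sql", "tcp", "10.10.0.5", "10.30.0.20", 1433, "deny"),
    ("unexpected src->db", "tcp", "10.99.0.1", "10.30.0.20", 1433, "deny"),
]
```

Calling segmentation_findings(parse_acl(BROAD_ACL), TEST_FLOWS) returns the three flows the /8 permit lets through, while the tight ACL returns none and is flagged by overly_broad only where a permit has no port and a wide prefix.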
Routing Table Abuse
In environments running dynamic routing protocols such as OSPF or EIGRP, particularly where routing adjacencies are not authenticated, a compromised host that can inject routing advertisements may be able to redirect traffic through attacker-controlled infrastructure, effectively becoming a man-in-the-middle for segments it was never supposed to reach.