Which VLAN Am I On?

Anyone doing penetration tests for PCI these days is probably aware of the requirement for segmentation scanning. Essentially the standard asks that you confirm the network boundary from various source networks. After having lots of conversations with clients where someone said "oh yeah our ACLs don't let any traffic between VLAN a and b" I've come to believe that this is a worthwhile practice for lots of environments. But I digress.

One situation I ran into recently required scanning from a single trunked port. This can be accomplished by creating a sub interface and assigning it to the target VLAN.

ip link add link eth1 name eth1.22 type vlan id 22

You can now configure the interface per usual.

ifconfig eth1.22 inet netmask

One thing I ran into is making sure the original interface was assigned to the VLAN I expected it to be. To take a look at the Cisco CDP packet with tcpdump.

tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'