# vlanrecon

Layer 2 VLAN security assessment — Cisco IOS / Arista EOS / Juniper Junos

v1.1.1

## Quick Start
### Install via jcli (recommended)

```bash
jcli install vlanrecon
```

If you don't have jcli yet, install it first with
`curl -fsSL https://cli.johlem.net/tools/jcli/install.sh | bash`.
### Audit a switch config

```bash
# Cisco IOS / Arista EOS — auto-detected from a `show running-config` dump
vlanrecon analyze switch_config.txt
vlanrecon assess switch_config.txt --baseline hardened --output markdown
vlanrecon topology switch_config.txt
vlanrecon check-config switch_config.txt --output json --strict

# Juniper Junos — pass the `show | display set` form
vlanrecon --vendor junos analyze junos_set_config.txt
```
## What it does

vlanrecon is an offline Layer 2 switch-config security analyzer. Feed it a switch config and it surfaces VLAN, STP, DTP, port-security, CDP/LLDP, and VTP misconfigurations against IEEE 802.1Q / 802.1D and vendor best practices. No packets are sent; no network access is required.

- Multi-vendor. Cisco IOS and Arista EOS share a parser; Junos `show | display set` has its own. Vendor is auto-detected; override with `--vendor`.
- Worst-axis aggregate risk. One CRITICAL finding bubbles up immediately — the additive 0–100 score doesn't dilute high-severity findings.
- CI-friendly. `--strict` exits non-zero on LOW+; `--output json/csv/markdown` for pipelines and IR write-ups.
- Operator pivots. Every report emits a Cisco PSIRT search URL, an NVD search URL, and the IEEE 802.1Q reference link.
## What it catches

| Category | Examples |
|---|---|
| VLAN hopping | Native VLAN 1 on trunk, implicit native VLAN, missing `vlan dot1q tag native` |
| DTP attacks | `dynamic auto` / `desirable`, implicit mode (Cisco default), missing `nonegotiate` |
| STP manipulation | Access port without BPDU guard, trunk without root guard, BPDU filter on access (silent disable), portfast on trunk |
| Per-VLAN priority conflicts (NEW) | Same VLAN configured with different STP priorities in one config |
| Port security | Unused active port, missing port-security, suspiciously high MAC max, no 802.1X |
| CDP/LLDP leakage (NEW) | Access ports broadcasting CDP / LLDP — leaks hostname / IOS version to neighbours |
| VTP risk (NEW) | `vtp mode server` (rogue-revision wipe risk), `vtp mode client`, legacy version 1 |
| Trunk pruning | Trunk allowing all VLANs, no `switchport trunk allowed vlan` restriction |
## CLI

| Subcommand / flag | What it does |
|---|---|
| `analyze <FILE>` | VLAN + STP + DTP + port + CDP/LLDP + VTP findings |
| `check-config <FILE>` | Same checks, framed as a baseline-compliance pass |
| `topology <FILE>` | ASCII Layer 2 topology (VLANs, trunks, access ports) |
| `assess <FILE>` | Full report + per-attack-vector vulnerability assessments + topology |
| `--vendor <V>` | `auto` (default) / `cisco` / `arista` / `junos` |
| `--baseline <B>` | `hardened` (upgrades MEDIUM→HIGH) / `standard` / `legacy` (downgrades LOW→INFO) |
| `--output <FMT>` | `human` / `json` / `csv` / `markdown` |
| `--strict` | Exit 1 on LOW+ instead of MEDIUM+ — useful for CI gates |
| `--no-color` | Disable ANSI colors |
## Design choices

- Offline only. Static analysis — no SNMP, no SSH, no packet capture. Pipe in a `show running-config` dump or a `show | display set` file.
- Cisco / Arista share a parser. Arista EOS is syntactically IOS-compatible for the security-relevant subset; the parser tags the vendor for reporting but reuses the same grammar.
- Junos is `set`-syntax only. The canonical brace-block Junos display format isn't supported yet — run `show | display set` first. This is intentional: a robust brace parser is a much bigger build that the v1 surface doesn't justify.
- Conservative match logic. Findings are intentionally noisy on the side of safety: an implicit DTP default (no `switchport mode` at all) is HIGH because most Cisco platforms default to `dynamic auto`.
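To make the conservative match logic and the worst-axis aggregation concrete, here is a small added example (not vlanrecon's own code) that splits an IOS-style `show running-config` dump into interface blocks, applies a few of the checks listed above, and reports the single worst severity. The sample config is constructed, and every severity except the page's "implicit DTP is HIGH" rule is an assumption.

```python
SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def parse_interfaces(config):
    """Split an IOS-style running-config dump into {interface: [indented sub-lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:  # "!" or any top-level command ends the interface block
            current = None
    return blocks

def check_interface(name, lines):
    """Return [(severity, message)] for one interface; severities other than the HIGH implicit-DTP rule are assumed."""
    found = []
    mode = next((l for l in lines if l.startswith("switchport mode ")), None)
    if mode is None:
        # Conservative rule from the page: no `switchport mode` at all is HIGH, since most Cisco platforms default to dynamic auto
        found.append(("HIGH", f"{name}: implicit DTP mode (no switchport mode line)"))
    elif "dynamic" in mode:
        found.append(("HIGH", f"{name}: DTP negotiation enabled ({mode})"))
    elif mode.endswith(" trunk"):
        native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), None)
        if native in (None, "1"):
            found.append(("CRITICAL", f"{name}: native VLAN 1 on trunk ({'implicit' if native is None else 'explicit'})"))
        if "switchport nonegotiate" not in lines:
            found.append(("MEDIUM", f"{name}: trunk without nonegotiate"))
    elif mode.endswith(" access") and "spanning-tree bpduguard enable" not in lines:
        found.append(("MEDIUM", f"{name}: access port without BPDU guard"))
    return found

def assess(config):
    """Worst-axis aggregate: overall risk is the single highest severity, not an additive score."""
    findings = [f for n, ls in parse_interfaces(config).items() for f in check_interface(n, ls)]
    worst = max((s for s, _ in findings), key=SEVERITY_ORDER.index, default="INFO")
    return worst, findings

# Constructed sample (not from a real device): a bare trunk and a port with no switchport mode at all
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
"""
```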
Authorisation: vlanrecon performs no network activity — only file parsing. Still, the input config may contain sensitive infrastructure details (interface descriptions, management IPs, hostnames). Treat output files accordingly and review before sharing externally.