VLAN Vulnerabilities
VLAN hopping attacks

VLAN hopping is a network attack whereby an attacking system sends out packets destined for a system on a different VLAN that cannot normally be reached by the attacker. This traffic is tagged with VLAN ID for a VLAN other than the one on which the attacking system belongs. The attacking system can also attempt to behave like a switch and negotiate trunking so that the attacker can send and receive traffic between multiple VLANs.

Switch Spoofing
In a Switch spoofing attack, the network attacker configures a system to spoof itself as a switch. This requires that the network attacker be capable of emulating either ISL or 802.1q signaling along with Dynamic Trunk Protocol (DTP) signaling. Using this method a network attacker can make a system appear to be a switch with a trunk port. If successful, the attacking system then becomes a member of all VLANs.

Double Tagging
Another VLAN hopping attack involves tagging the transmitted frames with two 802.1q headers in order to forward the frames to the wrong VLAN. The first switch that encounters the double-tagged frame strips the first tag off the frame and then forwards the frame.  The result is that the frame is forwarded with the inner 802.1q tag out all the switch ports, including trunk ports, configured with the native VLAN of the network attacker.  The second switch then forwards the packet to the destination based on the VLAN identifier in the second 802.1q header.