VLAN hopping is a network attack whereby an attacking system sends
out packets destined for a system on a different VLAN that cannot normally be
reached by the attacker. This traffic is tagged with the VLAN ID of a VLAN other
than the one to which the attacking system belongs. The attacking system can
also attempt to behave like a switch and negotiate trunking so that the
attacker can send and receive traffic between multiple VLANs.
Switch Spoofing
In a switch spoofing attack, the network attacker
configures a system to spoof itself as a switch. This requires that the network
attacker be capable of emulating either ISL or 802.1q signaling along with
Dynamic Trunk Protocol (DTP) signaling. Using this method, a network attacker
can make a system appear to be a switch with a trunk port. If successful, the
attacking system then becomes a member of all VLANs.
Double Tagging
Another VLAN hopping attack involves tagging the
transmitted frames with two 802.1q headers in order to forward the frames to
the wrong VLAN. The first switch that encounters the double-tagged frame strips
the first (outer) tag off the frame and then forwards the frame. The result
is that the frame is forwarded, still carrying the inner 802.1q tag, out all the
switch ports, including trunk ports, whose native VLAN is the VLAN of the
network attacker. The second switch then forwards the frame to the destination
based on the VLAN identifier in the second (inner) 802.1q header.