VLAN hopping is a network attack whereby an end system sends
packets to, or collects them from, a VLAN that should not be accessible to that
end system. This is accomplished by tagging the invasive traffic with a
specific VLAN ID or by negotiating a trunk link in order to send or receive
traffic on penetrated VLANs. VLAN Hopping can be accomplished by Switch
Spoofing or Double Tagging.

Switch Spoofing
In a Switch Spoofing attack, the network attacker configures a
system to pose as a switch by emulating ISL or 802.1Q signaling along
with Dynamic Trunking Protocol (DTP) signaling in an attempt to establish a trunk
connection to the switch. Any switch port configured as DTP auto, upon receipt
of a DTP packet generated by the attacking device, may become a trunk port and
thereby accept traffic destined for any VLAN supported on that trunk. The
malicious device can then send packets to, or collect packets from, any VLAN
carried on the negotiated trunk.

Double Tagging
Another method of VLAN Hopping is for any
workstation to generate frames with two 802.1Q headers in order to get the
switch to forward the frames onto a VLAN that would be inaccessible to the
attacker through legitimate means.

The first
switch to encounter the double-tagged frame strips the outer tag off the frame
as it enters the switch, because that tag matches the access port's native VLAN, and
then forwards the frame. The result is that the frame is forwarded with the
inner 802.1Q tag still present out all the switch ports, including trunk ports configured with
the native VLAN of the network attacker. The second switch then forwards the
frame to the destination based on the VLAN identifier in the second (inner) 802.1Q
header. Should the trunk's native VLAN not match the native VLAN of the attacker, the frame
would be untagged and flooded only to the original VLAN.
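As an added example (not code from the original article), the following Python parser walks the 802.1Q tags of a raw Ethernet frame and flags the double-tagged case described above, i.e. an outer tag that matches the access port's native VLAN; the sample frames are constructed and the native VLAN of 1 is an assumption.

```python
"""Added example: spot double-tagged 802.1Q frames in raw Ethernet data.

Sample frames below are constructed (not real captures); native VLAN is
assumed to be 1, the default on an unconfigured access port.
"""
import struct

TPID_8021Q = 0x8100  # EtherType/TPID value that announces an 802.1Q tag


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, payload_ethertype) by walking every 802.1Q tag that
    follows the destination/source MAC addresses. Raises on truncated input."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vlan_ids = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return vlan_ids, ethertype
        if len(frame) < offset + 6:  # need TCI plus the next EtherType field
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VID
        offset += 4


def classify(frame: bytes, native_vlan: int) -> str:
    """Label a frame as it would arrive on an access port with the given native VLAN."""
    vlan_ids, _ = parse_vlan_tags(frame)
    if len(vlan_ids) >= 2:
        if vlan_ids[0] == native_vlan:
            # Outer tag would be stripped as native and the inner tag would
            # ride the trunk: the double-tagging case described in the text.
            return f"ALERT double-tagged, inner VLAN {vlan_ids[1]} would leak"
        return "double-tagged, outer tag not native: stays on ingress VLAN"
    if len(vlan_ids) == 1:
        return f"single-tagged VLAN {vlan_ids[0]}"
    return "untagged"


# Constructed frames: broadcast dst, arbitrary src, then tags, then EtherType
# 0x0800 (IPv4) and a 4-byte dummy payload.
HDR = bytes.fromhex("ffffffffffff" "001122334455")
DOUBLE_TAGGED = HDR + bytes.fromhex("81000001" "81000014" "0800" "deadbeef")
SINGLE_TAGGED = HDR + bytes.fromhex("8100000a" "0800" "deadbeef")
UNTAGGED = HDR + bytes.fromhex("0800" "deadbeef")

if __name__ == "__main__":
    for name, f in [("double", DOUBLE_TAGGED), ("single", SINGLE_TAGGED), ("plain", UNTAGGED)]:
        print(name, classify(f, native_vlan=1))
```

Running it on a pcap means feeding each frame's raw bytes into classify; an "ALERT" on an access port is the condition the text describes and a reason to move the native VLAN off the one assigned to end systems.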
