Mitigating VLAN Attacks
What is VLAN hopping?

VLAN hopping is a network attack whereby an end system sends packets to, or collects them from, a VLAN that should not be accessible to that end system. This is accomplished by tagging the invasive traffic with a specific VLAN ID or by negotiating a trunk link in order to send or receive traffic on penetrated VLANs. VLAN Hopping can be accomplished by Switch Spoofing or Double Tagging.

Switch Spoofing
In a Switch Spoofing attack, the attacker configures an end system to impersonate a switch by emulating ISL or 802.1Q signaling along with Dynamic Trunking Protocol (DTP) signaling in an attempt to establish a trunk connection to the switch. Any switch port configured as DTP auto may, upon receipt of a DTP packet generated by the attacking device, become a trunk port and thereby accept traffic destined for any VLAN supported on that trunk. The malicious device can then send packets to, or collect packets from, any VLAN carried on the negotiated trunk.

Double Tagging
Another method of VLAN Hopping is for any workstation to generate frames with two 802.1Q headers in order to get the switch to forward the frames onto a VLAN that would be inaccessible to the attacker through legitimate means.

The first switch to encounter the double-tagged frame strips the outer tag as the frame enters the switch, because that tag matches the access port's native VLAN, and then forwards the frame. The result is that the frame, now carrying only the inner 802.1Q tag, is forwarded out all the switch ports, including trunk ports whose native VLAN is the network attacker's native VLAN. The second switch then forwards the frame to its destination based on the VLAN identifier in the second 802.1Q header. Should the trunk's native VLAN not match the attacker's native VLAN, the frame would be untagged and flooded only to the original VLAN.
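As an added example (not code from the original article), the following Python parser walks stacked 802.1Q tags in a raw Ethernet II frame and flags the condition described above: an outer tag equal to the access port's native VLAN sitting on top of a second tag. The MAC addresses, the native VLAN ID of 1 and the sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype), walking stacked 802.1Q tags outermost first."""
    offset = 12  # skip destination and source MAC
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_8021Q:
            return vlan_ids, ethertype
        if offset + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID

def classify_access_frame(frame: bytes, native_vlan: int):
    """Classify a frame seen on an access port whose native VLAN is native_vlan.
    Two tags with the outer one equal to the native VLAN is the pattern the
    first switch would strip and forward, so it is flagged separately."""
    vlan_ids, _ = parse_vlan_tags(frame)
    if len(vlan_ids) >= 2 and vlan_ids[0] == native_vlan:
        return "double-tag hop attempt", vlan_ids
    if len(vlan_ids) >= 2:
        return "double-tagged", vlan_ids
    if vlan_ids:
        return "tagged", vlan_ids
    return "untagged", vlan_ids

def build_frame(dst: bytes, src: bytes, vlan_ids, ethertype=0x0800):
    """Constructed test helper: Ethernet II frame with a tag stack and zero payload."""
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed sample frames (MAC addresses are placeholders).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
SAMPLES = {
    "normal": build_frame(DST, SRC, []),
    "single": build_frame(DST, SRC, [10]),
    "hop": build_frame(DST, SRC, [1, 20]),  # outer = native VLAN 1, inner = target
}
```

Run on a capture from an access port, any "double-tag hop attempt" result is worth an alert, since a legitimate host on that port has no reason to emit a tag matching the native VLAN.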