VLAN hopping is a serious network security attack that allows malicious users to bypass VLAN segmentation. In a properly configured network, VLANs create separate broadcast domains to isolate traffic. However, VLAN hopping attacks exploit configuration weaknesses or protocol vulnerabilities to gain unauthorized access to traffic from different VLANs, potentially compromising network security and data integrity.
Switch spoofing is a common VLAN hopping technique where an attacker configures their device to appear as a legitimate network switch. The attack begins by sending Dynamic Trunking Protocol frames to negotiate a trunk connection with the target switch. Once the trunk is established, the attacker gains access to traffic from multiple VLANs that traverse the trunk link, effectively bypassing VLAN segmentation.
A double-tagging attack exploits the way switches handle VLAN tags on trunk links. The attacker crafts a frame with two VLAN tags: an outer tag matching the native VLAN of the trunk and an inner tag carrying the ID of the target VLAN. When the first switch forwards the frame onto the trunk, it strips the outer tag, as it does for all native-VLAN traffic, and sends the frame with only the inner tag still attached. The next switch reads that remaining tag and delivers the frame into the target VLAN, allowing the attacker to bypass VLAN isolation.
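To make the tag layout concrete from the detection side, here is an added Python example (not code from the original article) that walks the 802.1Q tag stack of a raw Ethernet frame and labels frames that carry two tags with the outer tag equal to the trunk's native VLAN, which is the shape a double-tagged frame has on the wire. The sample frames, MAC addresses and the native VLAN value are constructed for illustration; a check of this kind belongs in capture analysis or an IDS rule watching access ports, where no VLAN tags should ever arrive.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (QinQ) tag; parsed the same way here


def parse_vlan_stack(frame: bytes):
    """Return (vlan_ids, payload_ethertype) for a raw Ethernet frame.

    Walks every 802.1Q/802.1ad tag that follows the 12-byte MAC header and
    collects the 12-bit VLAN IDs in order, outermost first.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12  # EtherType / first TPID sits right after dst+src MAC
    vlan_ids = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # TCI: 3 bits PCP, 1 bit DEI, 12 bits VID; mask off the upper bits
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_ids.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vlan_ids, ethertype


def classify_frame(frame: bytes, native_vlan: int) -> str:
    """Label a frame by its tag stack, relative to the trunk's native VLAN."""
    vlan_ids, _ = parse_vlan_stack(frame)
    if len(vlan_ids) >= 2:
        # Two tags with the outer one equal to the native VLAN is exactly the
        # pattern double tagging relies on: the first switch strips the outer
        # tag and the inner tag survives onto the trunk.
        if vlan_ids[0] == native_vlan:
            return "double-tagged-native"
        return "double-tagged"
    if len(vlan_ids) == 1:
        return "tagged"
    return "untagged"


def find_suspect_frames(frames, native_vlan: int):
    """Return the indexes of frames that match the double-tagging pattern."""
    return [i for i, f in enumerate(frames)
            if classify_frame(f, native_vlan) == "double-tagged-native"]


# Constructed sample frames (hex): dst MAC + src MAC + tags + EtherType + payload.
_HDR = "001122334455" "66778899aabb"
_IPV4_STUB = "0800" + "45" + "00" * 19   # EtherType IPv4 plus a placeholder header
SAMPLE_UNTAGGED = bytes.fromhex(_HDR + _IPV4_STUB)
SAMPLE_SINGLE = bytes.fromhex(_HDR + "8100" "600a" + _IPV4_STUB)                # PCP=3, VID=10
SAMPLE_DOUBLE = bytes.fromhex(_HDR + "8100" "0001" "8100" "0014" + _IPV4_STUB)  # outer VID 1, inner VID 20

if __name__ == "__main__":
    samples = [("untagged", SAMPLE_UNTAGGED), ("single", SAMPLE_SINGLE), ("double", SAMPLE_DOUBLE)]
    for name, f in samples:
        print(name, parse_vlan_stack(f), classify_frame(f, native_vlan=1))
    print("suspect frame indexes:", find_suspect_frames([f for _, f in samples], native_vlan=1))
```

The single-tagged sample deliberately sets priority bits in the TCI (0x600a) to show why the VID must be masked out rather than read as a whole 16-bit field; a parser that skips that mask will misreport VLAN 10 as VLAN 24586.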
Preventing VLAN hopping attacks requires implementing multiple security measures. First, disable Dynamic Trunking Protocol on all switch ports to prevent unauthorized trunk negotiation. Configure all access ports explicitly rather than relying on default settings. Use a native VLAN other than VLAN 1 and implement VLAN Access Control Lists to restrict inter-VLAN communication. Enable port security features to limit MAC address learning and prevent spoofing. These combined measures create a robust defense against VLAN hopping attacks.
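The port-level controls above can be checked mechanically against a switch's running configuration. The following audit script is an added example, not part of the original article or any vendor tool; it assumes Cisco IOS-style configuration syntax (switchport mode, switchport nonegotiate, switchport trunk native vlan, switchport port-security) and runs against a constructed sample config. The finding texts and the sample interface names are illustrative.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)


def parse_interfaces(config: str):
    """Split an IOS-style running-config into per-interface command lists."""
    ports, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Port(name=line.split(maxsplit=1)[1])
            ports.append(current)
        elif current is not None and line.startswith(" "):
            current.lines.append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the interface block
    return ports


def audit_port(port: Port):
    """Return the VLAN-hopping exposures found on one port (empty list = clean)."""
    cfg = port.lines
    findings = []
    mode = next((ln.split()[2] for ln in cfg if ln.startswith("switchport mode ")), None)

    # Explicit mode on every port: an unset mode falls back to the platform default,
    # which on many Catalyst platforms is dynamic auto and will accept a DTP trunk offer.
    if mode is None:
        findings.append("no explicit 'switchport mode'; relies on the platform default")
    elif mode == "dynamic":
        findings.append("'switchport mode dynamic' negotiates trunks via DTP")

    # DTP off on every port. 'switchport nonegotiate' is only accepted when the
    # mode is access or trunk, so a dynamic port is flagged twice on purpose.
    if "switchport nonegotiate" not in cfg:
        findings.append("DTP not disabled ('switchport nonegotiate' missing)")

    # Native VLAN on trunks must not be VLAN 1 (the default when unset).
    if mode == "trunk":
        native = next((int(ln.split()[-1]) for ln in cfg
                       if ln.startswith("switchport trunk native vlan ")), 1)
        if native == 1:
            findings.append("trunk uses native VLAN 1; move it to an unused VLAN")

    # Port security on access ports limits MAC learning and spoofing.
    if mode == "access" and not any(ln.startswith("switchport port-security") for ln in cfg):
        findings.append("port security not enabled on access port")
    return findings


def audit_config(config: str):
    """Map each interface name to its list of findings."""
    return {p.name: audit_port(p) for p in parse_interfaces(config)}


# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
hostname sw-edge-1
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 description left at factory defaults
!
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

The script covers only the per-port controls the article lists; VLAN access control lists are configured globally and need a separate check. Feed it the output of `show running-config` from each access switch and treat any non-empty list as a ticket.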