VLAN hopping

An attacker bypasses VLAN segmentation to send traffic from one VLAN to another.

	Switch Spoofing	Double Tagging
Attack Approach	Connect an unauthorized switch or simulate spoofed DTP packets to the target switch	Default DTP settings will form a trunk link/port which provides access to all VLANs.
How It Works	Feeds a frame with two 802.1Q tags to the target switch.	The switch removes the "outer" native VLAN tag, leaving the "inner" tag, which then forwards the frame to the target VLAN. This is usually a one-way attack.
Common Vulnerabilities	Switchport default "dynamic auto" or "dynamic desirable" modes; Unused ports left active;	Using default native VLAN 1
Mitigation	Disable DTP; Shutdown unused ports;	Change/Avoid default VLAN 1; Prune VLANs on trunk link;

VLAN hopping

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!