VLAN Hopping

VLAN hopping is a computer security exploit in which an attacking host on one VLAN gains access to traffic on other VLANs that it should not be able to reach. There are two methods:

Switch Spoofing

Switch Spoofing is the technique of imitating a trunking switch: the attacking host behaves like a switch that wants to form a trunk, and the victim switch then carries every VLAN on that link. Dynamic Trunking Protocol (DTP), which lets a port negotiate a trunk automatically, is usually used to perform this attack.

[Figure: flow of the Switch Spoofing attack]

Remediations

The Switch Spoofing technique is only exploitable when the interfaces of a switch are configured to negotiate a trunk dynamically.

The first thing to do is to disable DTP on the interface: switchport nonegotiate

Next, make sure that ports that are not meant to be trunks are explicitly configured as access ports: switchport mode access

Double Tagging

This attack consists of inserting two 802.1Q VLAN tags in the frames sent: the first switch strips the outer tag and forwards the frame with the inner tag, which belongs to another VLAN. To exploit this technique, it is necessary to be connected to an 802.1Q-compatible port.

[Figure: sequence of the Double Tagging attack]

Remediations

The Double Tagging technique is only exploitable on switch ports configured to use native VLANs, because frames on the native VLAN are carried across a trunk without a tag.

It is important not to leave access ports on the default VLAN (VLAN 1): switchport access vlan 2

You can also replace the native VLAN of all ports in trunk mode with an unused VLAN ID: switchport trunk native vlan 999

You can also force explicit tagging of the native VLAN on all ports in trunk mode, from global configuration: vlan dot1q tag native
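The following audit script is an added example, not part of the original page: it checks an IOS-style switch configuration for both weaknesses discussed above (trunk negotiation that enables Switch Spoofing, and default or untagged native VLANs that enable Double Tagging). It assumes the interface and global command syntax used in this page's remediation commands; the rule that a port with no explicit switchport mode line defaults to DTP negotiation (dynamic auto) is an assumption taken from common Cisco defaults. The two configurations it runs on are constructed for the example.

```python
"""Audit an IOS-style running-config for VLAN hopping weaknesses.

Constructed example: checks every interface for DTP negotiation (Switch
Spoofing) and for default/untagged native VLAN use (Double Tagging).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a switch left with default settings.
WEAK_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
"""

# Constructed sample: the same switch after the remediations on this page.
HARDENED_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
"""


@dataclass
class Interface:
    name: str
    mode: Optional[str] = None   # access | trunk | dynamic auto | dynamic desirable
    nonegotiate: bool = False
    access_vlan: int = 1         # default when no 'switchport access vlan' is set
    native_vlan: int = 1         # default when no 'switchport trunk native vlan' is set


def parse_config(text: str) -> Tuple[List[Interface], Set[str]]:
    """Split the config into interface blocks plus the set of global command lines."""
    interfaces: List[Interface] = []
    global_lines: Set[str] = set()
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None            # '!' terminates an interface block
            continue
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = Interface(name=m.group(1))
            interfaces.append(current)
            continue
        if current is not None and line.startswith(" "):
            cmd = line.strip()
            if cmd.startswith("switchport mode "):
                current.mode = cmd[len("switchport mode "):]
            elif cmd == "switchport nonegotiate":
                current.nonegotiate = True
            elif (m2 := re.match(r"switchport access vlan (\d+)", cmd)):
                current.access_vlan = int(m2.group(1))
            elif (m2 := re.match(r"switchport trunk native vlan (\d+)", cmd)):
                current.native_vlan = int(m2.group(1))
        else:
            current = None
            global_lines.add(line.strip())
    return interfaces, global_lines


def audit_config(text: str) -> Dict[str, List[str]]:
    """Return findings keyed by interface name ('global' for switch-wide issues)."""
    interfaces, global_lines = parse_config(text)
    findings: Dict[str, List[str]] = {}
    tag_native = "vlan dot1q tag native" in global_lines
    if not tag_native:
        findings.setdefault("global", []).append(
            "native VLAN is carried untagged on trunks (missing 'vlan dot1q tag native')")
    trunks = [i for i in interfaces if i.mode == "trunk"]
    # Native VLANs that cross a trunk without a tag: the precondition for double tagging.
    untagged_native: Set[int] = set() if tag_native else {t.native_vlan for t in trunks}
    for itf in interfaces:
        issues: List[str] = []
        mode = itf.mode or "dynamic auto"   # assumption: no mode line means DTP default
        if mode.startswith("dynamic"):
            issues.append(f"DTP negotiation enabled ({mode}): switch spoofing possible")
        elif not itf.nonegotiate:
            issues.append("port still generates DTP frames (missing 'switchport nonegotiate')")
        if mode == "access" and itf.access_vlan == 1:
            issues.append("access port uses default VLAN 1")
        if mode == "access" and itf.access_vlan in untagged_native:
            issues.append(f"access VLAN {itf.access_vlan} is an untagged native VLAN on a trunk: "
                          "double tagging possible")
        if mode == "trunk" and itf.native_vlan == 1:
            issues.append("trunk uses native VLAN 1")
        if issues:
            findings[itf.name] = issues
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for name, issues in audit_config(cfg).items():
            for issue in issues:
                print(f"{name}: {issue}")
```

The double tagging check is deliberately cross-interface: it only reports an access port when its VLAN is also the untagged native VLAN of some trunk on the same switch, which is exactly the condition the remediations above (a non-default access VLAN, an unused native VLAN ID, or tagging the native VLAN) are meant to break.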