10.2.2.1.10. Vlan Hopping Attack / Spoofing Attack

VLAN Hopping is a type of network attack where an attacker connected to an access port (which is connected to a specific VLAN) can access network traffic from other VLANs. Normally, a computer connected to a 48 switch access port (connected to a specific VLAN) can only receive traffic from the VLAN associated with that switch port.

Using a VLAN-hopping attack, an attacker can sniff network traffic from another VLAN using a sniffer (protocol analyzer) or send traffic from one VLAN to another VLAN. There are two types of VLAN hopping attacks. These are the Key Spoofing attack and the Double Tagging attack.

VLAN Hopping Switch Spoofing and VLAN Hopping Double Tagging attacks are prevented by using Nonegotiate and Native VLAN control.

switchport mode access

switchport nonegotiate 

switchport mode trunk

switchport trunk encapsulation dot1q