VLAN hopping is a network attack in which an end system sends packets destined for a system on a different VLAN, one it normally cannot reach. The traffic is tagged with a VLAN ID other than the one the end system belongs to. Alternatively, the attacking system may behave like a switch and negotiate trunking so that it can send and receive traffic on other VLANs.

To mitigate VLAN hopping, use dedicated VLAN IDs for all trunk ports, disable all unused switch ports, and place them in an unused VLAN. Set all user ports to non-trunking mode by explicitly turning off Dynamic Trunking Protocol (DTP) on those ports. In CatOS, this can be done with one of the following commands: set port host mod_num/port_range or set trunk mod_num/port_num off. With Cisco IOS on Catalyst switches, the no switchport mode trunk command disables DTP, as does switchport mode access.
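As an added example (not from the book), the following Python audit applies the mitigation checklist above to an IOS-style running-config: it flags ports where DTP can still negotiate a trunk and trunks left on the default native VLAN, while skipping ports that are shut down. The sample config is constructed, and the checks rely on the IOS commands switchport mode access, switchport nonegotiate and switchport trunk native vlan, which the text does not quote.

```python
# Constructed IOS-style running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 switchport access vlan 666
 shutdown
!
interface GigabitEthernet1/0/5
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces

def audit_dtp(config):
    """Return {interface: [issues]} for ports that could still end up trunking."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # an administratively down port cannot negotiate anything
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        issues = []
        if mode in (None, "dynamic"):  # no explicit mode = platform default (dynamic auto/desirable)
            issues.append("DTP can negotiate a trunk: set switchport mode access (or trunk + nonegotiate)")
        if mode == "trunk" and "switchport nonegotiate" not in lines:
            issues.append("trunk still sends DTP frames: add switchport nonegotiate")
        if mode == "trunk" and not any(l.startswith("switchport trunk native vlan ") for l in lines):
            issues.append("trunk uses default native VLAN 1: assign a dedicated native VLAN ID")
        if issues:
            findings[name] = issues
    return findings
```

Running audit_dtp(SAMPLE_CONFIG) reports GigabitEthernet1/0/1 (explicit dynamic mode) and GigabitEthernet1/0/5 (left at defaults); the hardened access port, the nonegotiating trunk on native VLAN 999 and the shut-down port produce no findings.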