Remember that we can logically group together devices in a VLAN
- Organization, segmentation, security
Devices on their own VLAN are effectively on their own network
VLAN Hopping - when traffic crosses from one VLAN directly into another without passing through a router (or other layer 3 device)
- Not supposed to happen; devices on different VLANs should only reach each other through a router
- Done via two methods: switch spoofing and double tagging
VLAN Trunk - a single link that carries traffic for multiple VLANs between two switches, so we don't need a separate cable per VLAN. Tagged frames on the trunk identify which VLAN each frame belongs to.
Switch Spoofing takes advantage of the automatic trunk negotiation some switches use to decide whether each interface connects to an end device (access port) or to another switch (trunk).
- An attacker's device pretends to be a switch, negotiates a trunk, and can then send and receive traffic for other VLANs over that trunk
- Turn off trunk negotiation and configure trunk and access ports manually
Double Tagging
- VLAN tags (IEEE 802.1Q) - added to frames on a trunk between switches to show which VLAN the data is destined for
- Double tagging involves crafting a frame that carries multiple VLAN tags, one nested inside the other
- Double tagging exploits the native VLAN configuration - traffic for the trunk's native VLAN is sent untagged, so when the outer tag matches the native VLAN the first switch strips it and forwards the frame; the second tag is now visible and the next switch delivers the frame into that VLAN
- Responses cannot be sent back to messages sent with double tagging - the attack is one-way, since the target has no corresponding path back to the attacker
- To mitigate this, don't put any devices on the native VLAN, so that a frame landing there has no hosts to reach
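The stripping step above, modelled in code. This is an added example, not part of these notes: it parses stacked 802.1Q tags from a constructed frame, shows how sending native-VLAN traffic untagged exposes the inner tag, and provides a simple detection check (a frame arriving on an access port should carry no tags at all). The native VLAN ID, MAC addresses and payload are all constructed values.

```python
import struct

# IEEE 802.1Q tag protocol identifier. Assumption for this example: stacked tags
# reuse the same TPID (no 802.1ad/QinQ 0x88A8 outer tags).
TPID_8021Q = 0x8100

def parse_tags(frame: bytes):
    """Split an Ethernet frame into (dst, src, [vlan ids], ethertype, payload).

    Walks every stacked 802.1Q tag after the source MAC; the VLAN ID is the
    low 12 bits of each tag's TCI field. vlans[0] is the outermost tag.
    """
    dst, src = frame[:6], frame[6:12]
    offset, vlans = 12, []
    while len(frame) >= offset + 4 and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return dst, src, vlans, ethertype, frame[offset + 2:]

def forward_over_trunk(frame: bytes, native_vlan: int) -> bytes:
    """Model what the first switch does when sending the frame over a trunk:
    native-VLAN traffic goes out untagged, so the outer tag is stripped and
    whatever tag sat underneath becomes the frame's visible tag."""
    vlans = parse_tags(frame)[2]
    if vlans and vlans[0] == native_vlan:
        return frame[:12] + frame[16:]   # drop the 4-byte outer tag
    return frame

def is_double_tagged(frame: bytes) -> bool:
    """Detection check: two or more stacked tags is the double-tagging pattern.
    On an access port even a single tag is already unexpected."""
    return len(parse_tags(frame)[2]) >= 2

def vlan_tag(vlan_id: int) -> bytes:
    """Build one 802.1Q tag (TPID + TCI with priority/DEI zero)."""
    return struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)

# Constructed sample frame: outer tag = VLAN 1 (assumed native), inner tag = VLAN 20,
# followed by an IPv4 ethertype and a dummy payload.
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    + vlan_tag(1) + vlan_tag(20)
    + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
)

if __name__ == "__main__":
    print("tags as sent:    ", parse_tags(SAMPLE_FRAME)[2])          # [1, 20]
    after = forward_over_trunk(SAMPLE_FRAME, native_vlan=1)
    print("tags after trunk:", parse_tags(after)[2])                 # [20]
    print("double tagged?   ", is_double_tagged(SAMPLE_FRAME))       # True
```

If the trunk's native VLAN is set to an ID the attacker cannot guess or reach (the call with native_vlan=99 in the checks), the outer tag is not stripped and the frame stays confined to the VLAN it was sent from.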