In this article we will mitigate VLAN hopping by switch spoofing in the way that we will disable trunking on the ports who do not have to become trunk ports. Some Cisco switches ports default to auto mode for trunking. That means that the ports automatically become trunk ports if they receive Dynamic Trunking Protocol (DTP) frames on some of the switch ports. This is big security problem because attacker can make his switch port become trunk and then he can easily perform VLAN hopping attacks. He can gain access to all VLANs on the switch without the need to route packets through router.
Prevent switch spoofing
To make switch spoofing impossible, you can disable trunking on all ports that do not need to form trunks, and disable DTP on ports that do need to be trunks.
Switch1(config)# interface gigabitethernet 0/3 Switch1(config-if)# switchport mode access Switch1(config-if)# exit
Preventing the Use of DTP
Switch1(config)# interface gigabitethernet 0/4 Switch1(config-if)# switchport trunk encapsulation dot1q Switch1(config-if)# switchport mode trunk Switch1(config-if)# switch port nonegotiate
Prevent double tagging
To help prevent a VLAN hopping attack using double tagging, do not use the native VLAN to send user traffic. You can do this by creating a VLAN that does not have any ports added. This unused VLAN is only for the native VLAN assignment. Configuration on a Cisco switch is shown in which the native VLAN has been set to an unused VLAN.
Switch1(config)# interface gigabitethernet 0/4 Switch1(config-if)# switchport trunk native vlan 400