VLAN tagging

Virtual LANs are used to reduce the size of layer 2 broadcast domains, which also helps keep each switch's MAC address table small. A VLAN tag carried in a frame identifies which virtual LAN the frame belongs to, and so tells the switch which ports are part of the same broadcast domain.

Changing VLAN tags can be advantageous for an attacker because it gives them access to a virtual LAN they should not be able to reach. This can be done by pretending to be a switch trunk port (switch spoofing), which exposes traffic from every VLAN carried on the trunk, or by double tagging. In double tagging, a device connected to a trunk-enabled port (on the native VLAN) transmits two VLAN tags in each frame. The first (outer) tag belongs to the VLAN the device is allowed to use, and the second (inner) tag names the VLAN being targeted. Because the outer tag is stripped at the trunk port, the second tag is then exposed to subsequent switches, and the frame hops from one VLAN into the other.

The presence of two VLAN tags can be a sign of VLAN hopping, but there are legitimate cases where stacked tags occur, notably internet service providers (ISPs) using the IEEE 802.1ad standard (provider bridging, where a service tag is placed in front of the customer's 802.1Q tag).
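The detection idea in the paragraphs above (flag frames carrying two VLAN tags, but do not treat every stacked tag as hostile) can be expressed as a small frame classifier. The code below is an added example and is not from the book; it assumes raw Ethernet frames captured from a mirror of a trunk port and that the analyst knows the native VLAN ID configured on that trunk. It walks the header, collects every 802.1Q (0x8100) or 802.1ad (0x88A8) tag, and labels a frame "suspect-double-tag" only when two 802.1Q tags are stacked and the outer VID matches the native VLAN, which is the combination the double-tagging description relies on; an 802.1ad service tag on the outside is reported as ordinary QinQ. The sample frames are constructed in `build_frame`, not captured traffic.

```python
import struct

# Tag Protocol Identifiers the parser recognises.
TPID_8021Q = 0x8100   # customer tag (C-tag), IEEE 802.1Q
TPID_8021AD = 0x88A8  # service tag (S-tag), IEEE 802.1ad provider bridging
TPIDS = {TPID_8021Q, TPID_8021AD}


def parse_vlan_tags(frame: bytes):
    """Walk the Ethernet header and collect every VLAN tag before the payload.

    Returns (tags, ethertype): tags is a list of dicts holding the TPID, the
    12-bit VLAN ID, the 3-bit priority code point and the drop-eligible bit;
    ethertype is the type of the encapsulated payload (e.g. 0x0800 for IPv4).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame: no EtherType after header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return tags, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": ethertype,
            "vid": tci & 0x0FFF,
            "pcp": tci >> 13,
            "dei": (tci >> 12) & 1,
        })
        offset += 4


def classify_frame(frame: bytes, native_vlan: int) -> str:
    """Label a frame for a detection pipeline.

    native_vlan is the native (untagged) VLAN configured on the trunk the
    frame was mirrored from (an assumption of this example). An outer 802.1Q
    tag carrying that VID in front of a second 802.1Q tag is the pattern
    double tagging relies on, so that case is the one flagged as suspect.
    """
    tags, _ = parse_vlan_tags(frame)
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return "single-tagged"
    outer = tags[0]
    if outer["tpid"] == TPID_8021AD:
        # Service tag outermost: provider bridging (QinQ), expected on ISP links.
        return "qinq"
    if outer["vid"] == native_vlan:
        return "suspect-double-tag"
    # Two stacked customer tags with a non-native outer VID: unusual, worth review.
    return "double-tag-review"


def build_frame(tags, ethertype: int, payload: bytes) -> bytes:
    """Construct a sample frame (constructed test data, not a capture).

    tags is a list of (tpid, vid) pairs written outermost first.
    """
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("021122334455")  # locally administered, constructed
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    payload = b"\x00" * 20
    samples = {
        "untagged":    build_frame([], 0x0806, payload),
        "single":      build_frame([(TPID_8021Q, 10)], 0x0800, payload),
        "double":      build_frame([(TPID_8021Q, 1), (TPID_8021Q, 20)], 0x0800, payload),
        "qinq":        build_frame([(TPID_8021AD, 100), (TPID_8021Q, 20)], 0x0800, payload),
    }
    for name, frame in samples.items():
        print(f"{name:10s} -> {classify_frame(frame, native_vlan=1)}")
```

The classifier deliberately keys on the native VLAN: a switch only strips the outer tag when it matches the native VLAN of the ingress trunk, so two 802.1Q tags whose outer VID is something else are rarer and are reported for review rather than as a direct match. Feeding a stream of mirrored frames through `classify_frame` and alerting on the "suspect-double-tag" label, while allowing the "qinq" label on links that are known to carry provider-bridged traffic, gives the distinction the text draws between VLAN hopping and legitimate 802.1ad use.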
