Layer 2 protection toolkit

Let's see how we can prevent VLAN hopping.

VLAN hopping is any technique that moves traffic from one VLAN into another without passing through a router, so an attacker plugged into one VLAN can read or inject traffic in a VLAN they were never meant to reach. The two classic ways to do it are switch spoofing and double tagging.

Let's understand them one by one.

Switch spoofing: on a Cisco switch, a trunk port carries the traffic of every VLAN configured on that switch by default. If an attacker can persuade the switch to turn the port they are plugged into into a trunk, they receive the traffic of all of those VLANs. Cisco ports negotiate trunking with the Dynamic Trunking Protocol (DTP), and most ports default to dynamic auto (dynamic desirable on some older platforms), which means they become trunks as soon as they receive DTP frames from a device claiming to be a switch; an attacker's host can send such frames. To break this attack, configure every port that does not need to be a trunk as a static access port, and on the ports that must be trunks turn DTP off so that they are trunks by configuration rather than by negotiation.

The following shows how to make a port a permanent non-trunk (access) port on Cisco switch A; a port in access mode does not become a trunk no matter what its neighbour sends:

SwitchA(config)#int fa0/1
SwitchA(config-if)#switchport mode access
SwitchA(config-if)#exit

The following shows how to configure a port on Cisco switch A as a static trunk that does not use DTP at all. The switchport nonegotiate command stops the port from sending DTP frames, and the encapsulation command is only needed (and only accepted) on platforms that also support ISL; on dot1q-only switches, skip it:

SwitchA(config)#int fa0/1
SwitchA(config-if)#switchport trunk encapsulation dot1q
SwitchA(config-if)#switchport mode trunk
SwitchA(config-if)#switchport nonegotiate

Double tagging: under 802.1Q every trunk has a native VLAN whose frames cross the trunk without a tag. If the attacker's access port is in the same VLAN as the trunk's native VLAN (both are VLAN 1 by default), the attacker can send a frame carrying two 802.1Q tags: an outer tag for the native VLAN and an inner tag for the target VLAN. The first switch strips the outer tag, and because that VLAN is native on the trunk it forwards the frame untagged, leaving the inner tag as the only tag on the wire. The second switch reads the inner tag and delivers the frame into the target VLAN with no routing involved. The attack is one-way (any reply stays in the target VLAN), but that is enough to inject traffic. The defence is to make sure no access port shares the native VLAN: set the native VLAN of every trunk to an otherwise unused VLAN, and on platforms that support it also tag native VLAN traffic on trunks with the global command vlan dot1q tag native, so that the outer tag is never stripped.

How to set the native VLAN of a trunk on a Cisco switch (VLAN 100 here should be a VLAN with no access ports in it, and the same native VLAN must be configured on both ends of the trunk, otherwise the switch logs a native VLAN mismatch and traffic leaks between the two VLANs):

SwitchA(config)#int fa0/1
SwitchA(config-if)#switchport trunk native vlan 100
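To see why moving the native VLAN (or tagging it) defeats double tagging, here is an added Python model written for this page; it is not code from the book or from Cisco. It builds the raw bytes of a double-tagged Ethernet frame, adds and strips 802.1Q tags the way an access port and a trunk port do, and traces the same attacker frame through three configurations: the default (native VLAN 1, attacker in VLAN 1), the native VLAN moved to an unused VLAN, and native VLAN tagging enabled. The switch behaviour is a deliberate simplification (one access port and one trunk per switch; a frame arriving on an access port tagged with its own access VLAN is accepted and untagged, which is the behaviour double tagging relies on). The MAC addresses, VLAN numbers and payload are constructed for the example.

```python
"""Toy model of 802.1Q double tagging across two switches (illustration only)."""
import struct

ETH_P_8021Q = 0x8100   # TPID of an 802.1Q tag
ETH_P_IP = 0x0800
VID_MASK = 0x0FFF      # low 12 bits of the TCI hold the VLAN id


def build_frame(dst, src, tags, ethertype=ETH_P_IP, payload=b""):
    """Ethernet frame with zero or more 802.1Q tags, outermost tag first."""
    hdr = dst + src
    for vid in tags:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & VID_MASK)  # TPID, TCI (PCP/DEI = 0)
    return hdr + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vid, frame without its outermost tag), or (None, frame) if untagged."""
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
        vid = struct.unpack("!H", frame[14:16])[0] & VID_MASK
        return vid, frame[:12] + frame[16:]
    return None, frame


def push_tag(frame, vid):
    """Insert an 802.1Q tag right after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & VID_MASK) + frame[12:]


class Switch:
    """Simplified 802.1Q forwarding between one access port and one trunk port."""

    def __init__(self, name, native_vlan=1, tag_native=False):
        self.name = name
        self.native_vlan = native_vlan   # 'switchport trunk native vlan N' on the trunk
        self.tag_native = tag_native     # 'vlan dot1q tag native' (global, where supported)

    def access_ingress(self, frame, access_vlan):
        """Classify a frame received on an access port.

        Untagged frames belong to the access VLAN.  A frame tagged with the
        access VLAN is accepted and the tag removed (the step double tagging
        depends on); a frame tagged with any other VLAN is dropped.
        """
        vid, inner = pop_tag(frame)
        if vid is None:
            return access_vlan, frame
        if vid == access_vlan:
            return access_vlan, inner
        return None, None

    def trunk_egress(self, vlan, frame):
        """Send toward the trunk: the native VLAN leaves untagged unless tag_native."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame
        return push_tag(frame, vlan)

    def trunk_ingress(self, frame):
        """Receive from the trunk: untagged frames belong to the native VLAN."""
        vid, inner = pop_tag(frame)
        if vid is None:
            return self.native_vlan, frame
        return vid, inner


def deliver(switch_a, attacker_access_vlan, switch_b, frame):
    """Trace one attacker frame: access port on A -> trunk -> B.

    Returns the VLAN switch B forwards the frame into, or None if A dropped it.
    """
    vlan, f = switch_a.access_ingress(frame, attacker_access_vlan)
    if vlan is None:
        return None
    on_wire = switch_a.trunk_egress(vlan, f)
    vlan_b, _ = switch_b.trunk_ingress(on_wire)
    return vlan_b


# Constructed sample: attacker in VLAN 1 aims at a host in VLAN 20.
ATTACKER = bytes.fromhex("0200000000aa")
VICTIM = bytes.fromhex("0200000000bb")
DOUBLE_TAGGED = build_frame(VICTIM, ATTACKER, tags=[1, 20], payload=b"hello vlan 20")


def vulnerable():
    """Default: native VLAN 1 on the trunk, attacker's access port also in VLAN 1."""
    a, b = Switch("A", native_vlan=1), Switch("B", native_vlan=1)
    return deliver(a, 1, b, DOUBLE_TAGGED)


def fixed_unused_native():
    """Native VLAN moved to an unused VLAN (100); the attacker is still in VLAN 1."""
    a, b = Switch("A", native_vlan=100), Switch("B", native_vlan=100)
    return deliver(a, 1, b, DOUBLE_TAGGED)


def fixed_tag_native():
    """Native VLAN stays 1, but both switches tag native VLAN frames on the trunk."""
    a = Switch("A", native_vlan=1, tag_native=True)
    b = Switch("B", native_vlan=1, tag_native=True)
    return deliver(a, 1, b, DOUBLE_TAGGED)


if __name__ == "__main__":
    print("default config     ->", vulnerable())           # 20: hopped into VLAN 20
    print("unused native vlan ->", fixed_unused_native())  # 1: stays in VLAN 1
    print("tag native vlan    ->", fixed_tag_native())     # 1: stays in VLAN 1
```

In the default configuration the outer tag is consumed by switch A's access port and the frame crosses the trunk untagged, so switch B sees only the inner tag and forwards into VLAN 20. Once the native VLAN is an unused VLAN, switch A tags the frame with VLAN 1 on the trunk and the attacker's inner tag is just payload to switch B; if the attacker instead puts the new native VLAN in the outer tag, the access port drops the frame because it no longer matches the port's VLAN. Tagging the native VLAN has the same effect even when the attacker's port and the native VLAN coincide, which is why both measures together are the usual recommendation.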