There are two primary methods of VLAN hopping: switch spoofing and double tagging.
Ensure that ports are not set to negotiate trunks automatically by disabling DTP.
Double tagging can only be exploited on switch ports configured to use native VLANs.
As an example of a double tagging attack, consider a secure web server on a VLAN called VLAN2.
The packet thus arrives at the target server as though it were sent from another host on VLAN2, ignoring any layer 3 filtering that might be in place.
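An added example, not part of the original page: a small Python audit of a Cisco IOS running-config for the two conditions described above, ports that can still negotiate a trunk through DTP and trunks whose native VLAN also carries host ports. The sample config is constructed, every interface in it is assumed to be a layer 2 switch port, and treating a port with no explicit `switchport mode` as dynamic is an assumption about the platform default.

```python
# Constructed running-config excerpt; interface names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands indented under it]}."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return ports

def setting(lines, key, default):  # first word after `key`, or `default` if absent
    return next((l[len(key):].split()[0] for l in lines if l.startswith(key)), default)

def audit(config):
    """Return sorted (interface, finding) pairs covering both hopping methods."""
    ports = parse_interfaces(config)
    mode = {n: setting(l, "switchport mode ", "unset") for n, l in ports.items()}
    native = {n: setting(l, "switchport trunk native vlan ", "1")  # VLAN 1 is the default
              for n, l in ports.items() if mode[n] == "trunk"}
    host_vlans = {setting(l, "switchport access vlan ", "1")
                  for n, l in ports.items() if mode[n] != "trunk"}
    findings = []
    for n, lines in ports.items():
        if mode[n] in ("dynamic", "unset"):  # assumption: unset means a dynamic default
            findings.append((n, "switch spoofing: DTP may negotiate a trunk"))
        elif mode[n] == "trunk" and "switchport nonegotiate" not in lines:
            findings.append((n, "switch spoofing: DTP still enabled on trunk"))
        if native.get(n) in host_vlans:
            findings.append((n, f"double tagging: native VLAN {native[n]} has host ports"))
    return sorted(findings)
```

Only `GigabitEthernet0/23` in the sample is clean as a trunk: it does not send DTP and its native VLAN 999 has no access ports in it.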