VLANs are used to segment a physical network into multiple logical networks. This improves security by isolating traffic between different groups of users or devices (e.g., separating guest Wi-Fi traffic from internal company traffic).
A VLAN hopping attack is a type of network attack where an attacker on one VLAN (Virtual Local Area Network) is able to send traffic into, or reach resources on, other VLANs that they shouldn't normally be able to reach. The two usual techniques are switch spoofing (negotiating a trunk link with the switch so the attacker's port carries every VLAN) and double tagging (stacking two 802.1Q tags on a frame so that a switch strips the outer one and forwards the frame into the VLAN named by the inner one). The mitigations below address both.
Disabling DTP (Dynamic Trunking Protocol): DTP negotiates trunk links automatically, and on many Cisco Catalyst switches ports default to a dynamic mode (dynamic auto or dynamic desirable). An attacker who sends DTP frames on such a port can turn it into a trunk and then send and receive tagged frames for every VLAN carried on that trunk. Hard-code the port role and turn negotiation off: on an access port use switchport mode access together with switchport nonegotiate; on a legitimate trunk use switchport mode trunk together with switchport nonegotiate. The command is switchport nonegotiate (there is no switchport mode nonegotiate), and it is only accepted once the mode has been explicitly set to access or trunk.
Configuring access ports with explicit VLANs: Assign every access port to a specific VLAN with switchport access vlan <vlan-id>, and do not leave user ports on the default VLAN 1. Double tagging only works when the attacker's access port is in the same VLAN as the native VLAN of an upstream trunk, so keeping access ports off the native VLAN (and off VLAN 1) removes the precondition for the attack. Unused ports should be shut down and placed in a dedicated unused VLAN rather than left at their defaults.
Using a non-default native VLAN for trunk ports: Frames in the native VLAN cross an 802.1Q trunk untagged. In a double-tagging attack the attacker sends a frame whose outer tag is the native VLAN and whose inner tag is the target VLAN; the first switch removes the outer tag (the native VLAN is not tagged on the trunk), the frame leaves the trunk carrying only the inner tag, and the next switch delivers it into the target VLAN. The attack is one-way, since replies are not double-tagged, but it is enough to inject traffic into a VLAN the attacker should not reach. Set the native VLAN to an otherwise unused VLAN with the switchport trunk native vlan <vlan-id> command on each trunk port, and make sure no access port is a member of that VLAN. On Cisco IOS you can additionally tag the native VLAN on all trunks with the global command vlan dot1q tag native, so native-VLAN frames are no longer sent untagged at all.
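The three controls above are easy to state and easy to forget on one port out of a hundred, so the practical check is an audit of the running configuration. The following is an added example, not code from the original page or from any vendor tool: it parses the interface stanzas of a Cisco IOS style configuration and reports, per port, which of the three controls is missing. The two configuration snippets are constructed for the example (one port left at dynamic defaults and a trunk on native VLAN 1, beside the hardened versions of the same ports); the interface names and VLAN numbers are arbitrary. Default values assumed when a line is absent (access VLAN 1, native VLAN 1, DTP negotiation on) follow Cisco IOS behaviour.

```python
"""Audit Cisco IOS interface stanzas for VLAN-hopping hardening.

Added example, not part of the original page. It checks the three controls
the text describes: DTP turned off (explicit mode plus 'switchport nonegotiate'),
access ports explicitly assigned to a non-default VLAN, and trunks using a
non-default native VLAN. Both configs below are constructed for this example.
"""
import re

# Constructed sample: a user port left at dynamic defaults and a trunk that
# still uses native VLAN 1 and still negotiates DTP.
WEAK_CONFIG = """\
interface GigabitEthernet0/1
 description user port left at defaults
 switchport mode dynamic auto
!
interface GigabitEthernet0/2
 description uplink
 switchport mode trunk
!
"""

# Constructed sample: the same two ports with all three controls applied.
HARDENED_CONFIG = """\
interface GigabitEthernet0/1
 description user port
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface_name: [config lines]} for each 'interface ...' stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces


def audit_interface(lines):
    """Return a list of finding strings for one interface's switchport lines."""
    findings = []
    mode = None          # no 'switchport mode' line: IOS default is dynamic
    access_vlan = 1      # IOS default when 'switchport access vlan' is absent
    native_vlan = 1      # IOS default when 'switchport trunk native vlan' is absent
    nonegotiate = False
    for line in lines:
        m = re.match(r"switchport mode (\S+)", line)
        if m:
            mode = m.group(1)  # 'access', 'trunk' or 'dynamic'
        m = re.match(r"switchport access vlan (\d+)", line)
        if m:
            access_vlan = int(m.group(1))
        m = re.match(r"switchport trunk native vlan (\d+)", line)
        if m:
            native_vlan = int(m.group(1))
        if line == "switchport nonegotiate":
            nonegotiate = True

    # Control 1: DTP. A defaulted or dynamic port will negotiate a trunk with an attacker.
    if mode is None or mode.startswith("dynamic"):
        findings.append("DTP negotiation enabled: set 'switchport mode access' or 'switchport mode trunk'")
    elif not nonegotiate:
        findings.append("DTP frames still sent: add 'switchport nonegotiate'")

    # Control 2: access ports explicitly on a non-default VLAN.
    if mode == "access" and access_vlan == 1:
        findings.append("access port on default VLAN 1: add 'switchport access vlan <id>'")

    # Control 3: trunks on a non-default native VLAN.
    if mode == "trunk" and native_vlan == 1:
        findings.append("trunk native VLAN is 1: add 'switchport trunk native vlan <id>'")
    return findings


def audit_config(config):
    """Return {interface: [findings]} for every interface that has at least one finding."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for name, findings in audit_config(cfg).items():
            for finding in findings:
                print(f"{name}: {finding}")
```

Run against a real device, feed it the output of show running-config; the parser only needs the interface stanzas and ignores everything else. It reports the weak config's user port for DTP negotiation and its trunk for both the missing nonegotiate and the default native VLAN, and reports nothing for the hardened config. It does not check that the native VLAN chosen for a trunk is absent from every access port, which is the other half of the double-tagging defence and needs the whole config rather than one stanza.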