What is VLAN hopping and which mitigations help prevent it?

Study for the Network+ exam with Jason Dion's Course Test. Dive into multiple-choice questions, detailed explanations, and hints that prepare you for success. Secure your certification with confidence!

Multiple Choice

What is VLAN hopping and which mitigations help prevent it?

Explanation:

VLAN hopping occurs when traffic is able to cross from one VLAN into another, bypassing the intended network segmentation by abusing how VLAN tagging and trunking are configured. To stop this, you lock down how VLANs are carried across switches and who can route between them. Proper trunking means only the intended switch ports are configured as trunks and only the necessary VLANs are allowed on those trunks, preventing unauthorized VLANs from leaking onto a trunk. Disabling auto trunking (such as turning off dynamic trunk negotiation) stops devices from automatically negotiating a trunk and potentially creating an unintended trunk path for hopping. Private VLANs limit communications within a shared VLAN so hosts don’t automatically reach other hosts in the same broadcast domain, reducing lateral movement opportunities. Restricted inter-VLAN routing ensures that inter-VLAN communication is tightly controlled, typically with routing performed only on trusted devices and behind ACLs or firewalls, so only authorized traffic can traverse VLAN boundaries.

Other choices don’t address how VLANs are separated at the switch or how routing between VLANs is controlled: widening wireless channel width isn’t related to VLAN separation, enabling all inter-VLAN routing would increase access between VLANs rather than restrict it, and default credentials don’t impact VLAN boundary security.

