The threat actor configures the host to spoof 802.1Q signaling and Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling to trunk with the connecting switch.
If successful, the switch establishes a trunk link with the host, as shown in the figure.
Now the threat actor can access all the VLANs on the switch.
The threat actor can send and receive traffic on any VLAN, effectively hopping between VLANs.
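The trunk only forms if the switch port is willing to negotiate DTP, so a defender can audit a configuration for such ports. The following is an added example, not part of the original text: the config excerpt is constructed, the function names are hypothetical, and it assumes that a port with no explicit `switchport mode` falls back to a dynamic (negotiating) default.

```python
import re

# Constructed IOS-style running-config excerpt (sample values, not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport access vlan 20
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/5
 shutdown
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def dtp_exposed_ports(config):
    """List (port, reason) for ports that would answer a host's DTP negotiation."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds or "no switchport" in cmds:
            continue  # disabled or routed ports cannot form a trunk
        m = re.search(r"^switchport mode (.+)$", "\n".join(cmds), re.M)
        if m is None:
            # Assumption: the platform default is a dynamic (DTP-negotiating) mode.
            findings.append((name, "no explicit mode; default assumed dynamic"))
        elif m.group(1).startswith("dynamic"):
            findings.append((name, f"mode {m.group(1)} negotiates trunking"))
    return findings

if __name__ == "__main__":
    print(dtp_exposed_ports(SAMPLE_CONFIG))
```

Ports flagged by this check are candidates for `switchport mode access` together with `switchport nonegotiate` if they only ever connect end hosts.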