Conclusion

It is unlikely that this technique could be successfully be deployed to create PVLAN's in a general scenario due to varied behavior from the vendors. However, it does appear that a determined attacker could encode the data generated from this experiment into a modified host-ap driver so that he could stealthily redirect traffic to himself. This would give the attacker a slight advantage over typical ARP poisioning attacks since he doesn't need to generate any suspicous ARP activity. It also has an advantage over simple rogue access points, as it requires no beacons which can easily be detected.