A hacker on the Company network is attempting to hop onto a different VLAN. Which two
statements about VLAN hopping are true? (Choose two)
A. An end station attempts to gain access to all VLANs by transmitting Ethernet frames
in the 802.1q encapsulation.
B. Configuring an interface with the “switchport mode dynamic” command will prevent
VLAN hopping.
C. Attacks are prevented by utilizing the port-security feature.
D. Configuring an interface with the “switchport mode access” command will prevent
VLAN hopping.
E. An end station attempts to redirect VLAN traffic by broadcasting multiple ARP
requests.
Explanation:
When securing VLAN trunks, also consider the potential for an exploit called VLAN hopping.
Here, an attacker positioned on one access VLAN can craft and send frames with spoofed
802.1Q tags so that the packet payloads ultimately appear on a totally different VLAN, all
without the use of a router.
For this exploit to work, the following conditions must exist in the network configuration:
- The attacker is connected to an access switch port.
- The same switch must have an 802.1Q trunk.
- The trunk must have the attacker’s access VLAN as its native VLAN.
To prevent VLAN hopping, turn off Dynamic Trunking Protocol on all unused ports and
specify that the port be in access mode to limit the user to a single VLAN.
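
The conditions and the fix above can be checked against a switch configuration. The following is an added example, not part of the original question or explanation: a small Python audit that flags ports still able to negotiate a trunk and access ports whose VLAN matches a trunk's native VLAN. The sample configuration, interface names, VLAN IDs, issue labels and the assumed defaults for unconfigured ports are all constructed for illustration.

```python
import re

# Constructed sample config (not from the page); interface names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode dynamic desirable
interface GigabitEthernet0/3
 switchport access vlan 20
interface GigabitEthernet0/24
 switchport trunk native vlan 10
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map interface name -> mode, access VLAN and native VLAN from IOS-style text."""
    ports, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            # Assumption: an unconfigured port negotiates trunking (DTP) and sits in VLAN 1.
            current = ports.setdefault(
                m.group(1), {"mode": "dynamic", "access_vlan": 1, "native_vlan": 1})
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current is not None:
            line = line.strip()
            if m := re.match(r"switchport mode (\w+)", line):
                current["mode"] = m.group(1)
            elif m := re.match(r"switchport access vlan (\d+)", line):
                current["access_vlan"] = int(m.group(1))
            elif m := re.match(r"switchport trunk native vlan (\d+)", line):
                current["native_vlan"] = int(m.group(1))
    return ports

def audit(config):
    """Return (interface, issue) pairs for the hopping preconditions in the explanation."""
    ports = parse_interfaces(config)
    # Native VLAN of every port hard-set to trunk mode.
    natives = {p["native_vlan"]: n for n, p in ports.items() if p["mode"] == "trunk"}
    findings = []
    for name, p in ports.items():
        if p["mode"] == "dynamic":
            findings.append((name, "dtp-enabled"))  # fix: switchport mode access
        if p["mode"] != "trunk" and p["access_vlan"] in natives:
            findings.append((name, "access-vlan-is-trunk-native"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```

In the sample, GigabitEthernet0/1 is already in access mode but is still reported, because its access VLAN matches the native VLAN of the trunk on the same switch, which is the third condition listed above.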