What is the best way to prevent a VLAN hopping attack?
A.
Encapsulate trunk ports with IEEE 802.1Q.
B.
Physically secure data closets.
C.
Disable DTP negotiations.
D.
Enable BDPU guard.
Explanation:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a0080131
59f.shtml
802.1Q and ISL Tagging Attack
Tagging attacks are malicious schemes that allow a user on a VLAN to get unauthorized access to
another VLAN. For example, if a switch port were configured as DTP auto and were to receive a fake
DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN.
Therefore, a malicious user could start communicating with other VLANs through that compromised
port.
Sometimes, even when simply receiving regular packets, a switch port may behave like a full-fledged
trunk port (for example, accept packets for VLANs different from the native), even if it is not
supposed to. This is commonly referred to as “VLAN leaking” (see [5] for a report on a similar issue).