You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept traffic from multiple VLANs, which allows the attacker to capture potentially sensitive data.
Which two methods will help to mitigate this type of activity? (Choose two.)
A. Turn off all trunk ports and manually configure each VLAN as required on each port.
B. Place unused active ports in an unused VLAN.
C. Secure the native VLAN, VLAN 1, with encryption.
D. Set the native VLAN on the trunk ports to an unused VLAN.
E. Disable DTP on ports that require trunking.
Explanation:
D – this prevents the VLAN hopping attack, which exploits a native VLAN left at its default of VLAN 1.
E – this prevents a rogue switch from negotiating a trunk with a production switch and then using a VLAN hopping attack.
Nope, Lonix is wrong, it's B & D.
E is wrong: it doesn't hurt to run DTP on ports that REQUIRE trunking. But you don't want to run it on access ports.
In an ideal world this question would be a pick three, and I'd be OK with B, D, E.
If we are memorizing Cisco Press answers (however right or wrong they may be):
http://www.securitytut.com/ccna-security/securing-local-area-networks
Sec-Tut.com agrees with Alex
============= personal opinion > NOT STUDY MATERIAL +++++++++++++++++++++++++++++
B & E seem "more right" to me.
A & C are obviously noise.
B is a 101-type answer: unused ports in a DEAD VLAN, no brainer = true.
-> D. I could maybe agree, except that in most designs you WANT a native VLAN to be controlled and defined, likely un-routed but THERE and accessible from a specific source, as a LOT of techs use the native VLAN for their management access to the switch.
Best practice just says that it SHOULD NOT be VLAN 1 by default, as that makes it too easy to guess and gain access to it. My big gripe is that CDP still shows you the native VLAN, so physical access = native VLAN access, and all they need is a Cisco switch with them to do it.
E is valid, because if you have DTP there, theoretically someone could put a rogue switch with DTP on two interfaces in between your two switches; voilà, they have the trunk through their switch and full access to ALL VLANs defined, and that could be hidden from physical view for MONTHS or years if someone is sneaky enough to put the hardware behind cable management.
(Even more fun: they could wipe out your whole LAN by inserting a lower revision number VTP v2.)
But DTP is the devil after all...
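The three mitigations argued over in this thread (B: park unused ports in an unused VLAN, D: move the trunk native VLAN off VLAN 1, E: stop DTP negotiation) can be checked from a switch's running-config. The script below is an added example, not from this page or from Cisco: it parses IOS-style `interface` stanzas and flags ports that still have the weak setting. It assumes IOS syntax (`switchport mode`, `switchport trunk native vlan`, `switchport access vlan`, `switchport nonegotiate`, `shutdown`), treats a port with no `description` as unused, and uses a constructed sample config in which VLAN 999 is the parking VLAN.

```python
from typing import Dict, List, Optional

# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to distribution
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
 description parked
 switchport mode access
 switchport access vlan 999
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [stanza lines]}."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None  # '!' terminates a stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


class PortState:
    """Settings relevant to options B, D and E, initialised to IOS defaults."""

    def __init__(self, lines: List[str]) -> None:
        self.mode: Optional[str] = None  # None = dynamic, so DTP may form a trunk
        self.native_vlan = 1
        self.access_vlan = 1
        self.nonegotiate = False
        self.shutdown = False
        self.described = False  # assumption: no description means unused port
        for line in lines:
            if line.startswith("switchport mode "):
                self.mode = line.split()[2]
            elif line.startswith("switchport trunk native vlan "):
                self.native_vlan = int(line.split()[-1])
            elif line.startswith("switchport access vlan "):
                self.access_vlan = int(line.split()[-1])
            elif line == "switchport nonegotiate":
                self.nonegotiate = True
            elif line == "shutdown":
                self.shutdown = True
            elif line.startswith("description "):
                self.described = True


def audit_config(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]}; an empty list means the port passed."""
    ports = {n: PortState(l) for n, l in parse_interfaces(config).items()}
    # VLANs carrying user traffic on live, in-use access ports. A trunk's
    # native VLAN must not be one of these (option D wants an unused VLAN).
    user_vlans = {p.access_vlan for p in ports.values()
                  if p.mode == "access" and not p.shutdown and p.described}
    findings: Dict[str, List[str]] = {}
    for name, p in ports.items():
        issues: List[str] = []
        if not p.shutdown:
            if p.mode == "trunk" and p.native_vlan == 1:
                issues.append("trunk native VLAN left at default 1 (option D)")
            elif p.mode == "trunk" and p.native_vlan in user_vlans:
                issues.append(f"trunk native VLAN {p.native_vlan} also carries user traffic (option D)")
            if p.mode is None:
                issues.append("no switchport mode: dynamic DTP may trunk with a rogue switch (option E)")
            elif not p.nonegotiate:
                issues.append("switchport nonegotiate missing: DTP frames still sent (option E)")
            unparked = p.mode != "access" or p.access_vlan == 1 or p.access_vlan in user_vlans
            if not p.described and unparked:
                issues.append("unused port is up and not parked in an unused VLAN (option B)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

On the sample, GigabitEthernet0/1 is flagged for both D and E, GigabitEthernet0/4 for both E and B, and the other three ports pass: Gi0/2 has a non-default native VLAN and DTP off, Gi0/3 is a hardened access port, and Gi0/5 is parked in VLAN 999 and shut down.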