What should you do to prevent VLAN hopping?


A. Disable some unused ports

B. Set unused access ports to trunking ON

C. Enable all unused ports and place them into an unused VLAN

D. Disable all unused ports and place them into an unused VLAN

Explanation:
With an 802.1Q native VLAN, a switch can forward any Layer 2 frame received on a trunk port, whether tagged or not, to an intended VLAN. Any Layer 2 frames from a native VLAN are transmitted from the trunk port untagged.

Compare 802.1Q to ISL, where any unencapsulated frames received on a trunk port are immediately dropped, and all frames transmitted from a trunk port are encapsulated.

By default, on Catalyst switches, all switch ports and native VLANs are initially assigned to VLAN1. 802.1Q trunk ports connected to each other via physical or logical segments must all have the same native VLAN configured. A trunk port will only support one native VLAN.

If you do not configure the same native VLAN on all switches and you use CDP, CDP will issue a “VLAN mismatch” error message to any active consoles. The CDP message is important, because mismatched native VLANs can lead to Spanning Tree loops. The symptom of this is vast surges of broadcast traffic disrupting normal network traffic.

For security, you should disable all unused ports and place them into an unused VLAN. That prevents unauthorized users from plugging in and sending traffic to a legitimate VLAN. If this unused VLAN differs from the native VLAN on any trunk, this also protects against a “VLAN hopping” exploit. You should also set unused access ports to trunking OFF, so they will reject any trunk-encapsulated frames.
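The guidance in the paragraph above can be checked mechanically. The following is an added example, not part of the original explanation: a Python audit of an IOS-style configuration that flags unused ports that are not shut down, do not have trunking forced off, or sit in a VLAN that is a trunk native VLAN or is used by live ports. The sample configuration, the interface names and the `unused` list are constructed assumptions.

```python
# Constructed sample in Cisco IOS running-config style (not taken from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 10
 switchport mode trunk
interface GigabitEthernet0/2
 switchport access vlan 20
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 999
 shutdown
interface GigabitEthernet0/4
 switchport access vlan 10
 shutdown
interface GigabitEthernet0/5
 switchport mode dynamic desirable
 switchport access vlan 20
"""

def parse_interfaces(config):
    """Map each interface name to the list of sub-commands under it."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
    return ports

def vlan_of(cmds, prefix):  # IOS defaults to VLAN 1 when the command is absent
    return next((int(c.split()[-1]) for c in cmds if c.startswith(prefix)), 1)

def audit_unused_ports(config, unused):
    """Return {port: [issues]} for ports in `unused` that break the guidance."""
    ports = parse_interfaces(config)
    trunks = [c for c in ports.values() if "switchport mode trunk" in c]
    natives = {vlan_of(c, "switchport trunk native vlan") for c in trunks}
    live = {vlan_of(c, "switchport access vlan") for n, c in ports.items()
            if n not in unused and c not in trunks}
    findings = {}
    for name in unused:
        cmds = ports.get(name, [])
        vlan = vlan_of(cmds, "switchport access vlan")
        checks = [("shutdown" not in cmds, "port is not shut down"),
                  ("switchport mode access" not in cmds, "trunking is not forced off"),
                  (vlan in natives, f"VLAN {vlan} is a trunk native VLAN"),
                  (vlan in live, f"VLAN {vlan} carries live access ports")]
        findings[name] = [msg for failed, msg in checks if failed]
    return {name: issues for name, issues in findings.items() if issues}
```

Which ports count as unused cannot be read from the configuration alone, so the list is supplied by the caller, for example from an inventory of patched ports.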

ISL or 802.1Q frame tags increase the size of an Ethernet frame. In doing so, they may create a baby giant frame. An ISL frame may contain 1548 bytes, and an 802.1Q frame 1522 bytes.


