What two steps can be taken to help prevent VLAN hopping? (Choose two.)
A.
Place unused ports in a common unrouted VLAN.
B.
Enable BPDU guard.
C.
Implement port security.
D.
Prevent automatic trunk configurations.
E.
Disable Cisco Discovery Protocol on ports where it is not necessary.
Explanation:
To prevent VLAN hoping you should disable unused ports and put them in an unused VLAN,
or a separate unrouted VLAN. By not granting connectivity or by placing a device into a
VLAN not in use, unauthorized access can be thwarted through fundamental physical and
logical barriers.
Another method used to prevent VLAN hopping is to prevent automatic trunk configuration.
Hackers used 802.1Q and ISL tagging attacks, which are malicious schemes that allow a
user on a VLAN to get unauthorized access to another VLAN. For example, if a switch port
were configured as DTP auto and were to receive a fake DTP packet, it might become a
trunk port and it might start accepting traffic destined for any VLAN. Therefore, a malicious
user could start communicating with other VLANs through that compromised port.
Reference:
VLAN Security White Paper, Cisco Systems
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml