You want to enhance the security within the Company LAN and prevent VLAN hopping. What two
steps can be taken to help prevent this? (Select two)
A. Enable BPDU guard
B. Disable CDP on ports where it is not necessary
C. Place unused ports in a common unrouted VLAN
D. Prevent automatic trunk configuration
E. Implement port security
Explanation:
To prevent VLAN hopping you should disable unused ports and put them in an unused VLAN, or a
separate unrouted VLAN. By not granting connectivity, or by placing a device into a VLAN that is not in use,
unauthorized access is blocked by fundamental physical and logical barriers.
Another method used to prevent VLAN hopping is to prevent automatic trunk configuration.
Attackers use 802.1Q and ISL tagging attacks, which are malicious schemes that allow a user on one
VLAN to gain unauthorized access to another VLAN. For example, if a switch port were configured as
DTP auto and were to receive a forged DTP packet, it could become a trunk port and start
accepting traffic destined for any VLAN. A malicious user could then communicate with
other VLANs through that compromised port.
Reference: VLAN Security White Paper, Cisco Systems
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
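The two mitigations in the explanation (no automatic trunking, unused ports parked in an unrouted VLAN) can be checked against a switch configuration. The following audit script is an added example, not part of the original question or the Cisco paper; it parses a constructed running-config excerpt, assumes VLAN 999 is the unrouted parking VLAN, treats a port with no explicit switchport mode as negotiating (dynamic auto is the assumed platform default), and flags any port that still runs DTP or any undescribed port that is not shut down in the parking VLAN.

```python
# Constructed "show running-config" excerpt (sample input, not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 description user desk 12
 switchport mode dynamic auto
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
"""
PARKING_VLAN = "999"  # assumed: unrouted VLAN reserved for unused ports
NEGOTIATING = {"dynamic auto", "dynamic desirable"}


def parse_interfaces(config):
    """Map each 'interface X' stanza to its stripped config lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def audit(config):
    """Return (interface, finding) pairs for ports that could enable VLAN hopping."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        # A port with no explicit mode is treated as negotiating (assumed default).
        mode = next((l[len("switchport mode "):] for l in lines
                     if l.startswith("switchport mode ")), "dynamic auto")
        if mode in NEGOTIATING or "switchport nonegotiate" not in lines:
            findings.append((name, "DTP active: set 'switchport mode access' and 'switchport nonegotiate'"))
        unused = not any(l.startswith("description ") for l in lines)
        parked = "shutdown" in lines and f"switchport access vlan {PARKING_VLAN}" in lines
        if unused and not parked:
            findings.append((name, f"unused port must be shut down in unrouted VLAN {PARKING_VLAN}"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags GigabitEthernet0/2 for DTP and GigabitEthernet0/3 twice (DTP not disabled, and an undescribed port left live in VLAN 10), while GigabitEthernet0/4 passes.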
Technically B is “valid” to some degree: you don’t want to allow people to just plug in ANY Cisco CDP-capable product and be able to get the native VLAN out of it… but if you follow C then B becomes moot logically… as unused ports won’t be able to transit native traffic if it’s in an unrouted VLAN.