How can you mitigate attacks in which the attacker attaches more than one VLAN tag to a packet?
A. Disable EtherChannel
B. Enable transparent VTP on the switch
C. Explicitly identify each VLAN allowed across the trunk
D. Assign an access VLAN to every active port on the switch
C is correct.
Double tagging is caused by the native VLAN; the attacker uses the native VLAN for double tagging.
If we remove the native VLAN from the trunk, then we mitigate the attack.
#switchport trunk native vlan 800
#switchport trunk allowed vlan remove 800
Refer to "Defending against Layer 2 attacks", https://www.cisco.com/c/dam/global/en_ae/assets/exposaudi2009/assets/docs/layer2-attacks-and-mitigation-t.pdf.
Security Best Practices for VLANs and Trunking includes
“Always use a dedicated VLAN ID for all trunk ports”
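The double-tagging mechanism the answer above relies on can be checked from the wire side as well: a frame that arrives on an access port carrying two 802.1Q tags, with the outer tag equal to the native VLAN, is exactly the pattern that survives the first switch's tag removal. The following is an added example, not code from the discussion or from Cisco; it walks the 802.1Q/802.1ad tag chain of a raw Ethernet frame and flags stacked tags. The two sample frames and the MAC addresses in them are constructed for the example.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q customer tag and 802.1ad service tag.
VLAN_TPIDS = {0x8100, 0x88A8}


def parse_vlan_tags(frame):
    """Return (vlan_ids, ethertype, payload) for a raw Ethernet frame.

    Walks every VLAN tag that follows the two MAC addresses, outermost first,
    so a double-tagged frame yields a two-element vlan_ids list.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the EtherType/tag chain")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            return vlan_ids, ethertype, frame[offset:]
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)  # VID is the low 12 bits; PCP/DEI sit above it


def audit_frame(frame, native_vlan):
    """Classify a frame seen on an access port and flag the double-tag pattern.

    A frame whose outer tag is the native VLAN would have that tag removed
    before it crosses a trunk, leaving the inner tag for the next switch to honour.
    """
    vlan_ids, ethertype, _ = parse_vlan_tags(frame)
    verdict = {"vlans": vlan_ids, "ethertype": ethertype, "suspicious": False, "reason": ""}
    if len(vlan_ids) >= 2:
        verdict["suspicious"] = True
        if vlan_ids[0] == native_vlan:
            verdict["reason"] = (f"outer tag is native VLAN {native_vlan}; "
                                 f"inner tag {vlan_ids[1]} would survive the trunk")
        else:
            verdict["reason"] = "stacked VLAN tags on an access port"
    return verdict


# Constructed sample frames (not captures from the page).
SAMPLE_DOUBLE_TAGGED = (
    b"\xff\xff\xff\xff\xff\xff"    # destination: broadcast
    b"\x02\x00\x00\x00\x00\x01"    # source: constructed locally administered MAC
    b"\x81\x00\x00\x01"            # outer 802.1Q tag, VID 1 (the default native VLAN)
    b"\x81\x00\x60\x64"            # inner 802.1Q tag, PCP 3, VID 100
    b"\x08\x00"                    # EtherType IPv4
    b"\x45" + b"\x00" * 19         # placeholder IPv4 bytes
)

SAMPLE_SINGLE_TAGGED = (
    b"\xff\xff\xff\xff\xff\xff"
    b"\x02\x00\x00\x00\x00\x01"
    b"\x81\x00\x00\x0a"            # single 802.1Q tag, VID 10
    b"\x08\x00"
    b"\x45" + b"\x00" * 19
)

if __name__ == "__main__":
    for name, frame in (("double", SAMPLE_DOUBLE_TAGGED), ("single", SAMPLE_SINGLE_TAGGED)):
        print(name, audit_frame(frame, native_vlan=1))
```

Run over frames mirrored from an access port (for example via a SPAN session), any hit with "outer tag is native VLAN" is worth correlating with that port's MAC address table entry, since legitimate hosts on an access port do not send stacked tags.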
Answer D is the better choice for VLAN hopping mitigation.
Correct answer is D
On the September 2018 exam
I hate badmouthing Cisco but their exams suck. They are all over the board but in this case… The CCNA Sec is pretty good
From CCNP Security Secure 642-637
Switches implement virtual LANs (VLAN). Users connect to access ports that are members of a VLAN as specified in the switch configuration. VLAN hopping is where a user can gain access to a VLAN not assigned to the switch port to which the user connects.
NOTE
When statically assigning MAC addresses, be careful of the possible support overhead that will be required for any moves or changes to the end-user infrastructure.
A user can achieve this in two ways against the default configuration of a Cisco switch port. The first and most commonly used VLAN hopping method is where the attacker makes his workstation act as a trunk port. Most switches, in the default configuration, need only one side of a connection to announce themselves as a trunk; then the switch automatically trunks all available VLANs over the switch port. This results in the attacker seeing all traffic across all VLANs.
The second way an attacker can hop VLANs is by using double tagging. With double tagging, the attacker inserts a second 802.1q tag in front of the existing 802.1q tag. This relies on the switch stripping off only the first 802.1q tag and leaving itself vulnerable to the second tag. This is not as common a method of VLAN hopping as using trunking.
To ensure you do not fall foul of a VLAN hopping attack, you must ensure that all your user ports are assigned as access mode ports. Any unused ports should be disabled and set as access mode ports by default.
To set a switch port to access mode, use the following configuration command from interface configuration mode:
Switch(config-if)# switchport mode access
By entering this command at the interface level, you switch the port into access mode; this port can never become a trunk port. It is a good practice to get into, to ensure that all ports are configured in the correct mode. This should form part of your deployment strategy for all access layer switches in use within your organization.
When configuring a trunk port, the native VLAN needs to be set to a unique VLAN, which is not routable or used elsewhere. To set a native VLAN on a trunk port, use the following configuration command from interface configuration mode:
Switch(config-if)# switchport trunk native vlan {number}
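The guidance quoted above (every user port in access mode, trunks with a dedicated native VLAN, and, from the earlier answer, an explicit allowed list that excludes the native VLAN) is easy to verify mechanically across a fleet of switches. The following is an added example, not code from the discussion, the book or Cisco: a small auditor that reads an IOS-style running-config and reports which interfaces fall short of those rules. The sample config is constructed for the example; the checks for "switchport nonegotiate" and for VLAN 1 as the default access/native VLAN go beyond what the page states and rest on standard IOS defaults.

```python
import re

# Constructed sample running-config (not from the page); mixes compliant and
# non-compliant ports so that each check below fires at least once.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 description user port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description unused port, parked
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/3
 description uplink to distribution
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/4
 description left at factory default
!
interface GigabitEthernet0/5
 switchport mode trunk
 switchport trunk allowed vlan 1-4094
!
"""


def parse_interfaces(config):
    """Split an IOS running-config into {interface name: [interface sub-commands]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def expand_vlan_list(spec):
    """Expand '10,20-22' into {10, 20, 21, 22}; 'all' means every VLAN ID."""
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit_interface(lines):
    """Return a list of (code, message) findings for one interface block."""
    mode = None
    native = 1            # IOS default native VLAN
    access_vlan = 1       # IOS default access VLAN
    allowed = set(range(1, 4095))  # trunks carry every VLAN unless restricted
    nonegotiate = False
    for line in lines:
        if line == "switchport mode access":
            mode = "access"
        elif line == "switchport mode trunk":
            mode = "trunk"
        elif line == "switchport nonegotiate":
            nonegotiate = True
        elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", line)):
            native = int(m.group(1))
        elif (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+|all)", line)):
            allowed = expand_vlan_list(m.group(1))
        elif (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            access_vlan = int(m.group(1))

    findings = []
    if mode is None:
        findings.append(("DTP_DEFAULT", "no explicit switchport mode; DTP can negotiate this port into a trunk"))
        return findings
    if mode == "access":
        if access_vlan == 1:
            findings.append(("ACCESS_VLAN_DEFAULT", "access VLAN left at 1, the default native VLAN"))
        return findings
    if native == 1:
        findings.append(("NATIVE_VLAN_DEFAULT", "native VLAN left at 1; use a dedicated unused VLAN"))
    if not nonegotiate:
        findings.append(("DTP_ON_TRUNK", "trunk still runs DTP; add 'switchport nonegotiate'"))
    if len(allowed) == 4094:
        findings.append(("ALLOWED_ALL", "every VLAN allowed across the trunk; list them explicitly"))
    if native in allowed:
        findings.append(("NATIVE_IN_ALLOWED", f"native VLAN {native} is carried on the trunk; remove it"))
    return findings


def audit_config(config):
    """Audit every interface in a running-config; returns {name: [(code, message), ...]}."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        print(name, "OK" if not findings else "")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

The auditor treats the absence of a switchport mode as the worst case, because on a default Cisco port DTP can turn it into a trunk from the far side, which is the first hopping method described in the quoted text; the remaining checks cover the native-VLAN conditions the double-tagging method depends on.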
@Adam
reconsider your answer. The question is about VLAN hopping, and "C" does not mitigate this. To my understanding, they want us to assign to every active unused port a different VLAN than VLAN 1, which by default is native = no tag, and therefore vulnerable to VLAN hopping. I would go with "D".
Wrong. Correct is C:
Hello Adam... Answer seems to be D from what I read.
Can you explain why C is correct or if you have any documentation on that.
Thank you!!