What is the best way to prevent a VLAN hopping attack?
A. Encapsulate trunk ports with IEEE 802.1Q.
B. Physically secure data closets.
C. Disable DTP negotiations.
D. Enable BDPU guard.
Correct Answer: C
Explanation/Reference:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
802.1Q and ISL Tagging Attack
Tagging attacks are malicious schemes that allow a user on a VLAN to get unauthorized access to another VLAN. For example, if a switch port were configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any VLAN. Therefore, a malicious user could start communicating with other VLANs through that compromised port.
Sometimes, even when simply receiving regular packets, a switch port may behave like a full-fledged trunk port (for example, accept packets for VLANs different from the native), even if it is not supposed to. This is commonly referred to as “VLAN leaking” (see [5] for a report on a similar issue).
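The explanation above describes the weak condition (a port left in DTP auto mode) without showing what the fix looks like on the switch. The following Cisco IOS configuration fragment is an added example, not part of the question page or the referenced Cisco white paper. The interface names and VLAN numbers (20, 999, 10,20,30) are constructed placeholders; the commands themselves are standard IOS switchport commands.

```cisco
! Weak state: the factory default on many Catalyst ports. A port in
! "dynamic auto" will form a trunk whenever the peer proposes one, which is
! exactly the condition the explanation above warns about.
interface GigabitEthernet1/0/10
 switchport mode dynamic auto

! Hardened access port: mode is fixed to access, DTP frames are never sent
! or acted on, and the port is placed in an explicit (non-default) VLAN.
! VLAN 20 is a constructed example value.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate

! Hardened trunk port: trunking is configured statically rather than
! negotiated, the native VLAN is moved to an otherwise unused VLAN, and the
! allowed list is limited to the VLANs that actually need to cross the link.
! VLAN 999 and the list 10,20,30 are constructed example values.
! "switchport trunk encapsulation dot1q" is only accepted on platforms that
! also support ISL; on 802.1Q-only switches it is omitted.
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30

! Verification: "Negotiation of Trunking" should read "Off" and the
! administrative mode should be static access or trunk, never dynamic.
show interfaces GigabitEthernet1/0/10 switchport
show interfaces GigabitEthernet1/0/24 switchport
show dtp interface GigabitEthernet1/0/10
```

Two practical points when applying this: `switchport nonegotiate` is only accepted once the port is in a static mode (IOS rejects it while the port is still `dynamic auto` or `dynamic desirable`), so the `switchport mode` line has to come first; and auditing is easiest by walking `show interfaces switchport` output across the whole switch and flagging any port whose administrative mode still contains the word "dynamic".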