CERTIVIEW

Friday, 18 September 2015

CCNP Security Question of the Week: VLAN Hopping

According to Cisco best practices, which two commands help prevent VLAN hopping? (Choose two.)

A. switchport mode access
B. switchport access vlan 2
C. switchport mode trunk
D. switchport access vlan 1
E. switchport trunk native vlan 1
F. switchport protected

Answer: A and B.

Change the port's default behavior of dynamic desirable or dynamic auto by configuring it as an access port. Then, no matter what device is attached to the port, that device cannot use 802.1Q tagging to hop from one VLAN to another. Also, an access port defaults to VLAN 1, so move it to another, unused VLAN number to black-hole any traffic from unauthorized devices that might connect to the switch.
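To check a switch for the two settings in the answer, the following added example (not part of the original post) audits a saved running-config and lists ports that are not forced to access mode or that still sit in VLAN 1. The sample config, the interface names, the function names, and the choice to skip explicit trunk ports are all assumptions made for illustration.

```python
import re

# Constructed sample running-config excerpt (not taken from the original page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 2
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode dynamic desirable
 switchport access vlan 2
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def audit(config):
    """Return {interface: [findings]} for non-trunk ports missing either command."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" in cmds:
            continue  # assumption: explicit trunks are deliberate uplinks, not audited here
        vlans = [int(m[1]) for c in cmds if (m := re.fullmatch(r"switchport access vlan (\d+)", c))]
        checks = {"not forced to access mode": "switchport mode access" not in cmds,
                  "access VLAN is 1": not vlans or vlans[-1] == 1}
        findings = [msg for msg, failed in checks.items() if failed]
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A port with no `switchport access vlan` line is reported as VLAN 1, because that is the default the explanation above describes.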

from
CERTIVIEW
Unknown at 03:21