200-301 Question #340: Real Exam Question with Answer & Explanation
The correct answer is C: Assign all access ports to VLANs other than the native VLAN.
Question
What is a practice that protects a network from VLAN hopping attacks?
Options
- A. Enable dynamic ARP inspection
- B. Configure an ACL to prevent traffic from changing VLANs
- C. Assign all access ports to VLANs other than the native VLAN
- D. Implement port security on internet-facing VLANs
Explanation
To protect a network from VLAN hopping attacks, a key practice is to configure all access ports to belong to specific VLANs other than the native VLAN. Because frames belonging to the native VLAN cross 802.1Q trunks untagged, a host on an access port that sits in the native VLAN is positioned to have its tagged frames carried onto the trunk; keeping every access port out of the native VLAN removes that condition and so prevents attackers from exploiting the default native VLAN behavior.
Common mistakes.
- A. Dynamic ARP Inspection (DAI) protects against ARP spoofing and poisoning attacks by validating ARP packets, not specifically against VLAN hopping.
- B. While ACLs filter traffic between VLANs, they do not inherently prevent an attacker from manipulating VLAN tags to gain unauthorized access to a different VLAN, which is the core of a VLAN hopping attack.
- D. Port security restricts the number of MAC addresses learned on a port to prevent MAC flooding and unauthorized devices, which is different from preventing VLAN tagging manipulation characteristic of VLAN hopping attacks, and applying it only to internet-facing VLANs is insufficient.
Concept tested. Mitigating VLAN hopping attacks
Reference. https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/24344-18.html