Which feature or configuration on a switch makes it vulnerable to VLAN double-tagging attacks?


Question:
Which feature or configuration on a switch makes it vulnerable to VLAN double-tagging attacks?

  • the limited size of content-addressable memory space
  • the automatic trunking port feature enabled for all ports by default
  • the native VLAN of the trunking port being the same as a user VLAN
  • mixed duplex mode enabled for all ports by default

Explanation: A double-tagging (or double-encapsulated) VLAN hopping attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link. This type of attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port.
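As an added example (not part of the original question bank or any configuration quoted on this page), the vulnerable setting described in the answer beside a hardened equivalent on a Cisco IOS switch. Interface names, user VLANs 10/20/30 and the unused VLAN 999 are assumed for illustration.

```cisco
! --- Vulnerable: the trunk's native VLAN is also a user VLAN ---
! Access ports in VLAN 1 share the VLAN the trunk treats as native, so a
! frame whose outer tag matches VLAN 1 loses that tag on the trunk and the
! inner tag is what the far-end switch uses to pick the destination VLAN.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 1
!
! --- Hardened ---
! 1. Move the native VLAN to a VLAN that no access port is assigned to.
! 2. Tag native-VLAN frames on trunks so untagged frames are not accepted
!    as native (global command; configure it on both ends of every trunk).
! 3. Prune the trunk to the VLANs it needs and stop DTP negotiation.
vlan 999
 name NATIVE_UNUSED
!
vlan dot1q tag native
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Checks: the native VLAN shown for each trunk must not appear as an
! access VLAN of any user port.
!   show interfaces trunk
!   show vlan brief
```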

Exam with this question: CCNA 2 v7 Modules 10 – 13 Exam Answers
