Question:
Which two Layer 2 security best practices would help prevent VLAN hopping attacks? (Choose two.)
- Change the native VLAN number to one that is distinct from all user VLANs and is not VLAN 1.
- Change the management VLAN to a distinct VLAN that is not accessible by regular users.
- Statically configure all ports that connect to end-user host devices to be in trunk mode.
- Disable DTP autonegotiation on end-user ports.
- Use SSH for all remote management access.
Explanation: Allowing end-user devices to negotiate trunk settings via DTP can lead to a VLAN hopping attack, so DTP autonegotiation should be disabled on access ports. Configuring a trunk link with a native VLAN that is also used for end users can lead to VLAN hopping attacks as well. The native VLAN should be set to a VLAN that is not used anywhere else.
Exam with this question: CCNA Security Pretest Exam Answers
Exam with this question: CCNA 2 (v5.0.3 + v6.0) Chapter 3 Exam Answers