PrepAway - Latest Free Exam Questions & Answers

What is the best way to prevent a VLAN hopping attack?


A. Encapsulate trunk ports with IEEE 802.1Q.

B. Physically secure data closets.

C. Disable DTP negotiations.

D. Enable BPDU guard.

Explanation:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
802.1Q and ISL Tagging Attack
Tagging attacks are malicious schemes that allow a user on a VLAN to get unauthorized access to
another VLAN. For example, if a switch port were configured as DTP auto and were to receive a
fake DTP packet, it might become a trunk port and it might start accepting traffic destined for any
VLAN. Therefore, a malicious user could start communicating with other VLANs through that
compromised port.
Sometimes, even when simply receiving regular packets, a switch port may behave like a full-fledged
trunk port (for example, accept packets for VLANs different from the native VLAN), even if it is
not supposed to. This is commonly referred to as "VLAN leaking" (see [5] for a report on a similar
issue).
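The explanation above turns on one configuration detail: a port left in a DTP-negotiating mode (dynamic auto or dynamic desirable) can be talked into becoming a trunk, while a port pinned to access or trunk mode with `switchport nonegotiate` sends and honours no DTP frames. The script below is an added example (it is not from the PrepAway page or from Cisco) that audits a Cisco IOS-style running-config and flags interfaces that still negotiate. It assumes a constructed sample config, and that an interface with no explicit `switchport mode` line falls back to the platform default, which on many Catalyst switches is dynamic auto.

```python
"""
Audit a Cisco IOS-style running-config for switch ports that can still be
negotiated into a trunk via DTP (the VLAN hopping precondition).
Constructed example: not taken from the PrepAway page or from Cisco.
"""
import re

# Constructed sample running-config (not captured from any real device).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user port, left at factory default (no explicit mode)
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description user port explicitly set to dynamic auto
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/3
 description user port hardened against VLAN hopping
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description uplink to core, static trunk with DTP off
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/23
 description uplink, static trunk but DTP still on
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface_name: [indented sub-commands]} for each 'interface' stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line closes the stanza
    return interfaces


def assess(lines):
    """Classify one interface stanza. Returns (mode, finding)."""
    mode = None
    nonegotiate = False
    for line in lines:
        m = re.match(r"switchport mode (.+)", line)
        if m:
            mode = m.group(1).strip()
        elif line == "switchport nonegotiate":
            nonegotiate = True
    if mode is None:
        # ASSUMPTION: no explicit mode means the platform default, which on
        # many Catalyst switches is 'dynamic auto' (port will answer DTP).
        mode = "dynamic auto (default)"
    if mode.startswith("dynamic"):
        return mode, "HIGH: port can be negotiated into a trunk via DTP"
    if mode == "trunk":
        if nonegotiate:
            return mode, "OK: static trunk, DTP disabled"
        return mode, "MEDIUM: static trunk still speaks DTP; add 'switchport nonegotiate'"
    if mode == "access":
        if nonegotiate:
            return mode, "OK: access port, DTP disabled"
        return mode, "LOW: access port; add 'switchport nonegotiate' to stop DTP frames"
    return mode, "UNKNOWN: unrecognised switchport mode"


def audit(config):
    """Map every interface in the config to its (mode, finding) pair."""
    return {name: assess(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, (mode, finding) in audit(SAMPLE_CONFIG).items():
        print(f"{name:24} {mode:24} {finding}")
```

Run against a real `show running-config` dump, the HIGH findings are the ports to fix first: set user ports to `switchport mode access` plus `switchport nonegotiate`, and set real uplinks to `switchport mode trunk` plus `switchport nonegotiate`, which is the "disable DTP negotiations" answer in practice.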

