What two steps can be taken to help prevent VLAN hopping? (Choose two.)

A.
Place unused ports in a common unrouted VLAN.

B.
Enable BPDU guard.

C.
Implement port security.

D.
Prevent automatic trunk configurations.

E.
Disable Cisco Discovery Protocol on ports where it is not necessary.

Explanation:
To prevent VLAN hoping you should disable unused ports and put them in an unused VLAN, or a
separate unrouted VLAN. By not granting connectivity or by placing a device into a VLAN not in
use, unauthorized access can be thwarted through fundamental physical and logical barriers.
Another method used to prevent VLAN hopping is to prevent automatic trunk configuration.
Hackers used 802.1Q and ISL tagging attacks, which are malicious schemes that allow a user on
a VLAN to get unauthorized access to another VLAN. For example, if a switch port were
configured as DTP auto and were to receive a fake DTP packet, it might become a trunk port and
it might start accepting traffic destined for any VLAN. Therefore, a malicious user could start
communicating with other VLANs through that compromised port.
Reference: VLAN Security White Paper, Cisco Systems
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801315
9f.shtml