Which statement describes a best practice when configuring trunking on a switch port?

A.
Disable double tagging by enabling DTP on the trunk port.

B.
Enable encryption on the trunk port.

C.
Enable authentication and encryption on the trunk port.

D.
Limit the allowed VLAN(s) on the trunk to the native VLAN only.

E.
Configure an unused VLAN as the native VLAN.

Explanation:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801315
9f.shtml
Double Encapsulation Attack
When double-encapsulated 802.1Q packets are injected into the network from a device whose
VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot
be preserved from end to end since the 802.1Q trunk would always modify the packets by
stripping their outer tag. After the external tag is removed, the internal tag permanently becomes
the packet’s only VLAN identifier. Therefore, by double encapsulating packets with two different
tags, traffic can be made to hop across VLANs.
This scenario is to be considered a misconfiguration, since the 802.1Q standard does not
necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper
configuration that should always be used is to clear the native VLAN from all 802.1Q trunks
(alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases
where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of
all the trunks; don’t use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD
(check out [3]) should be the only rightful users of the native VLAN and their traffic should be
completely isolated from any data packets.