PrepAway - Latest Free Exam Questions & Answers

Which two methods will help to mitigate this type of activity?

You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept
traffic from multiple VLANs, which allows the attacker to capture potentially sensitive data.
Which two methods will help to mitigate this type of activity? (Choose two.)

A.
Turn off all trunk ports and manually configure each VLAN as required on each port.

B.
Place unused active ports in an unused VLAN.

C.
Secure the native VLAN, VLAN 1, with encryption.

D.
Set the native VLAN on the trunk ports to an unused VLAN.

E.
Disable DTP on ports that require trunking.

Explanation:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html
Layer 2 LAN Port Modes
Table 17-2 lists the Layer 2 LAN port modes and describes how they function on LAN ports.
switchport mode access
Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a
nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not
agree to the change.
switchport mode dynamic desirable
Makes the LAN port actively attempt to convert the link to a trunk link. The LAN port becomes a
trunk port if the neighboring LAN port is set to trunk, desirable, or auto mode. This is the default
mode for all LAN ports.
switchport mode dynamic auto
Makes the LAN port willing to convert the link to a trunk link. The LAN port becomes a trunk port if
the neighboring LAN port is set to trunk or desirable mode.
switchport mode trunk
Puts the LAN port into permanent trunking mode and negotiates to convert the link into a trunk
link. The LAN port becomes a trunk port even if the neighboring port does not agree to the
change.
switchport nonegotiate
Puts the LAN port into permanent trunking mode but prevents the port from generating DTP
frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
Double Encapsulation Attack
When double-encapsulated 802.1Q packets are injected into the network from a device whose
VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot
be preserved from end to end since the 802.1Q trunk would always modify the packets by
stripping their outer tag. After the external tag is removed, the internal tag permanently becomes
the packet’s only VLAN identifier. Therefore, by double-encapsulating packets with two different
tags, traffic can be made to hop across VLANs.
This scenario is to be considered a misconfiguration, since the 802.1Q standard does not
necessarily force the users to use the native VLAN in these cases. As a matter of fact, the proper
configuration that should always be used is to clear the native VLAN from all 802.1Q trunks
(alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases
where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of
all the trunks; don’t use this VLAN for any other purpose.
Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native
VLAN and their traffic should be completely isolated from any data packets.
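As an added illustration (not code from the Cisco documents or from PrepAway), the following Python model shows why an unused native VLAN stops the double-encapsulation hop described above: it parses the stacked 802.1Q tags of a constructed double-tagged frame and follows the frame through an access port and a trunk under different native-VLAN settings. The access-port and trunk behaviour it models is a simplified assumption, not a reproduction of any particular switch.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_vlan_tags(frame: bytes) -> list:
    """Return the 802.1Q VLAN IDs stacked on an Ethernet frame, outermost first."""
    tags = []
    offset = 12  # skip destination MAC (6) and source MAC (6)
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid != TPID_8021Q:
            break
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VLAN ID
        offset += 4
    return tags


def is_double_tagged(frame: bytes) -> bool:
    """Detection check: a host on an access port has no business sending stacked tags."""
    return len(parse_vlan_tags(frame)) > 1


def far_end_vlan(frame: bytes, access_vlan: int, native_vlan: int, tag_native: bool = False):
    """Simplified model of the path access port -> 802.1Q trunk -> next switch.

    Returns the VLAN the far-end switch forwards the frame in, or None if the
    access port drops it. Assumptions (not from the Cisco text): the access port
    accepts frames tagged with its own VLAN, and the trunk strips the outer tag
    only when it equals the native VLAN and native-VLAN tagging is off.
    """
    tags = parse_vlan_tags(frame) or [access_vlan]
    if tags[0] != access_vlan:
        return None  # tagged with a foreign VLAN: dropped at the access port
    if tags[0] == native_vlan and not tag_native:
        tags = tags[1:]  # trunk egress strips the native-VLAN tag
    # Trunk ingress on the next switch: untagged frames fall into its native VLAN
    return tags[0] if tags else native_vlan


# Constructed sample frame: outer tag VLAN 1, inner tag VLAN 20, then an IPv4 EtherType.
DOUBLE_TAGGED = (bytes.fromhex("ffffffffffff" "020000000001")
                 + struct.pack("!HH", TPID_8021Q, 1)
                 + struct.pack("!HH", TPID_8021Q, 20)
                 + struct.pack("!H", 0x0800) + b"\x00" * 20)

if __name__ == "__main__":
    print("double tagged  :", is_double_tagged(DOUBLE_TAGGED))
    print("native VLAN 1  :", far_end_vlan(DOUBLE_TAGGED, access_vlan=1, native_vlan=1))
    print("native VLAN 999:", far_end_vlan(DOUBLE_TAGGED, access_vlan=1, native_vlan=999))
    print("tagged native  :", far_end_vlan(DOUBLE_TAGGED, 1, 1, tag_native=True))
```

With the trunk's native VLAN equal to the sender's VLAN 1 the frame surfaces in VLAN 20 on the far switch; moving the native VLAN to an unused ID (or tagging the native VLAN) keeps the outer tag on the wire, so the frame stays in VLAN 1.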