PrepAway - Latest Free Exam Questions & Answers

Which of the following actions could you take to mitigate VLAN hopping attacks? (Select the best answer.)

A. Implement sticky MAC addresses.

B. Change the native VLAN on trunk ports to an unused VLAN.

C. Implement DAI.

D. Limit the number of MAC addresses permitted on a port.

Explanation:
You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN hopping attacks. In a VLAN hopping attack, an attacker sends double-tagged 802.1Q frames over a trunk link. A double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although double-tagging can be used as a legitimate way to tunnel traffic through a network and is commonly used by service providers, it can also be used by an attacker to circumvent security controls on an access switch. In a VLAN hopping attack, the attacker attempts to inject packets into other VLANs by accessing the native VLAN on a trunk and sending double-tagged 802.1Q frames to the switch. The switch strips the outer 802.1Q header from the received frame and then forwards the frame, which still includes an 802.1Q header, across a trunk port to the VLAN of the target host. A successful VLAN hopping attack enables an attacker to send unidirectional traffic to other VLANs without the use of a router.

Implementing sticky secure Media Access Control (MAC) addresses can help mitigate MAC spoofing attacks. In a MAC spoofing attack, an attacker uses the MAC address of another known host on the network in order to bypass port security measures. MAC spoofing can also be used to impersonate another host on the network.

Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a MAC flooding attack, an attacker generates thousands of forged frames every minute with the intention of overwhelming the switch's MAC address table. Once this table is flooded, the switch can no longer make intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. A MAC flooding attack is also known as a content addressable memory (CAM) table overflow attack.

Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP) poisoning attacks. In an ARP poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker's MAC address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go through the attacker's computer rather than directly to the intended recipient.
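
The following Python script is an added worked example, not part of the original question or of any Cisco documentation. It models, in a deliberately simplified way, how the two switches in the explanation handle a double-tagged frame: the first switch's access port removes a tag matching its own VLAN, its trunk port sends native-VLAN traffic untagged, and the second switch's trunk port classifies an untagged frame into the native VLAN and a tagged frame into its outer tag's VLAN. Running the same frame through the model with the native VLAN left at 1 and then moved to an unused VLAN (999) shows why answer B works: once the attacker's VLAN is no longer the native VLAN, the first switch tags the frame on the trunk, so the frame stays in the attacker's own VLAN instead of reaching the target VLAN. The function names, the MAC addresses, the payload and the VLAN numbers are all constructed for the example.

```python
"""Simplified model of a double-tagged 802.1Q frame crossing a trunk.
Added example (not from the original page): it shows why moving the trunk's
native VLAN to an unused VLAN defeats VLAN hopping. All frames, MAC addresses
and VLAN numbers are constructed sample values."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Split a frame into (dst, src, [VLAN IDs outer..inner], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off = 12
    vlans = []
    (ethertype,) = struct.unpack_from("!H", frame, off)
    while ethertype == ETHERTYPE_8021Q:          # peel every stacked 802.1Q tag
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append(tci & 0x0FFF)               # low 12 bits of the TCI = VLAN ID
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    return dst, src, vlans, ethertype, frame[off + 2:]


def build_frame(dst, src, vlans, ethertype, payload):
    """Assemble a frame with zero or more stacked 802.1Q tags (outer tag first)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def access_port_ingress(frame, access_vlan):
    """First switch, access port: a tag equal to the port's own VLAN is removed,
    any other tag causes a drop. Returns (vlan, frame) or None when dropped."""
    dst, src, vlans, et, payload = parse_frame(frame)
    if vlans:
        if vlans[0] != access_vlan:
            return None
        frame = build_frame(dst, src, vlans[1:], et, payload)  # inner tag survives
    return access_vlan, frame


def trunk_egress(vlan, frame, native_vlan):
    """First switch, trunk port: native-VLAN traffic leaves untagged, all other
    traffic is tagged with its VLAN. Returns the frame as seen on the wire."""
    if vlan == native_vlan:
        return frame
    dst, src, vlans, et, payload = parse_frame(frame)
    return build_frame(dst, src, [vlan] + vlans, et, payload)


def trunk_ingress(frame, native_vlan, allowed_vlans):
    """Second switch, trunk port: untagged -> native VLAN, tagged -> outer tag's
    VLAN. Returns the VLAN the frame is switched into, or None if not allowed."""
    _, _, vlans, _, _ = parse_frame(frame)
    vlan = vlans[0] if vlans else native_vlan
    return vlan if vlan in allowed_vlans else None


def delivered_vlan(native_vlan, attacker_vlan, target_vlan, allowed_vlans):
    """Trace one double-tagged frame from an access port in attacker_vlan, across
    the trunk, to the VLAN in which the second switch finally delivers it."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",      # constructed MACs
                        [attacker_vlan, target_vlan], ETHERTYPE_IPV4,
                        b"constructed payload")
    res = access_port_ingress(frame, attacker_vlan)
    if res is None:
        return None
    vlan, frame = res
    on_wire = trunk_egress(vlan, frame, native_vlan)
    return trunk_ingress(on_wire, native_vlan, allowed_vlans)


if __name__ == "__main__":
    allowed = {1, 10, 20, 999}
    # Default: the attacker's access VLAN (1) is also the trunk's native VLAN.
    print("native VLAN 1   ->", delivered_vlan(1, 1, 20, allowed))    # 20: frame hopped
    # Mitigation: native VLAN moved to an unused VLAN with no hosts (999).
    print("native VLAN 999 ->", delivered_vlan(999, 1, 20, allowed))  # 1: frame stays put
```

With the native VLAN at 1 the inner tag is the only tag left on the trunk, so the second switch delivers the frame into VLAN 20. With the native VLAN at 999 the first switch re-tags the frame with VLAN 1 on egress, the second switch reads that outer tag, and the frame never leaves the attacker's VLAN; any genuinely untagged frame would land in VLAN 999, where nothing listens.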

Cisco: Implementation of Security: VLAN Hopping
