
VLAN Hopping Questions

March 11th, 2012 in SWITCH 642-813

Here you will find answers to VLAN Hopping Questions

Question 1

What two steps can be taken to help prevent VLAN hopping? (Choose two)

A. Place unused ports in a common unrouted VLAN
B. Enable BPDU guard
C. Implement port security
D. Prevent automatic trunk configuration
E. Disable CDP on ports where it is not necessary


Answer: A D

Explanation

VLAN hopping: by altering the VLAN ID on frames encapsulated for trunking, an attacking device can send or receive traffic on VLANs other than its own, bypassing Layer 3 security controls. VLAN hopping can be accomplished by switch spoofing or by double tagging.

1) Switch spoofing:

[Figure: Switch spoofing (Switch_Spoofing.jpg)]

The attacker connects an unauthorized Cisco switch to a company switch port. The unauthorized switch sends DTP frames and forms a trunk with the company switch. Once the attacker has established a trunk link to the company switch, the attacking device receives traffic for all VLANs over that trunk, because all VLANs are allowed on a trunk by default.

(Instead of a Cisco switch, the attacker can use software that crafts and sends DTP frames.)

2) Double-Tagging:

[Figure: Double tagging (Double_Tagging.jpg)]

In this attack, the attacking computer generates frames with two 802.1Q tags. The outer tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the inner tag matches the VLAN of the host it wants to reach (VLAN 20).

When the frame from the attacker reaches Switch A, Switch A sees only the outer VLAN 10 tag. Because that tag matches its native VLAN 10, the tag is removed (the native VLAN is carried untagged) and Switch A forwards the frame out all trunks whose native VLAN is 10. Switch B receives a frame carrying a VLAN 20 tag, so it removes that tag and forwards the frame to the victim computer.

Note: This attack only works if the trunk between the two switches uses the same native VLAN as the VLAN the attacker is in.

Note that the attack also works when the port the attacker connects to is an access port. You may wonder what a switch does when it receives tagged traffic on an access port. Here is the answer, quoted from the Cisco site:

Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q tagged) for the VLAN assigned to the port, the packet is forwarded. If the port receives a tagged packet for another VLAN, the packet is dropped, the source address is not learned, and the frame is counted in the No destination statistic.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swint.html#wp1107751)

So in this case the attacker is on VLAN 10, which is also the native VLAN, and the packet is forwarded.

To mitigate VLAN Hopping, the following things should be done:

1) If no trunking is required, configure the port as an access port; this also disables trunking on that interface:

Switch(config-if)# switchport mode access

2) If trunking is required, configure the port as nonegotiate so that no DTP frames are sent:

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

-> Therefore answer D (Prevent automatic trunk configuration) is correct.

3) Set the native VLAN to an unused VLAN and do not use that VLAN for any other purpose:

Switch(config-if)# switchport trunk native vlan VLAN-ID

4) Force the switch to tag the native VLAN on all its 802.1Q trunks:

Switch(config)# vlan dot1q tag native

In this question, answer A (Place unused ports in a common unrouted VLAN) is also correct, because the double-tagging method requires the attacker's port to be in the same VLAN as the native VLAN; placing these ports in an unrouted VLAN puts them in a VLAN different from the native VLAN.
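To see why mitigations 3 and 4 and answer A work, the following added example (written for this page, not code from certprepare or Cisco) models the three forwarding decisions described above in plain Python: access-port ingress as in the quoted Cisco text, trunk egress where the native VLAN leaves untagged unless `vlan dot1q tag native` is set, and trunk ingress on the far switch. The function and parameter names (`hop_result`, `tag_native`, etc.) are assumptions of this example, the double-tagged frame is constructed in memory and nothing is sent on a network; the point is to check, for each configuration, which VLAN Switch B ends up assigning to the frame.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, vlan_tags, ethertype, payload):
    """Build an Ethernet frame with zero or more stacked 802.1Q tags.

    This is a constructed sample frame for the simulation, not captured traffic.
    """
    hdr = dst + src
    for vid in vlan_tags:
        # TCI with PCP=0, DEI=0 and a 12-bit VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vid, frame_without_outer_tag) if an 802.1Q tag follows the MACs, else (None, frame)."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def push_tag(frame, vid):
    """Insert an 802.1Q tag for `vid` directly after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, port_vlan):
    """Access-port behaviour as in the Cisco text quoted above.

    Untagged frames belong to the port VLAN; a frame tagged with the port VLAN is
    accepted and its tag removed; a frame tagged for any other VLAN is dropped.
    Returns (vlan, frame) or (None, None) when dropped.
    """
    vid, inner = pop_tag(frame)
    if vid is None:
        return port_vlan, frame
    if vid == port_vlan:
        return port_vlan, inner
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Send a frame out an 802.1Q trunk.

    The native VLAN is sent untagged unless the switch is configured to tag it
    (the `vlan dot1q tag native` mitigation); every other VLAN gets a tag.
    """
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Receive a frame on an 802.1Q trunk: untagged means native VLAN."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, inner


def hop_result(attacker_tags, access_vlan, native_vlan, tag_native=False):
    """VLAN that Switch B assigns to the attacker's frame, or None if Switch A drops it.

    attacker_tags: the 802.1Q tags the attacker stacks on its frame, outermost first
    access_vlan:   VLAN of the access port the attacker is plugged into on Switch A
    native_vlan:   native VLAN of the trunk between Switch A and Switch B
    tag_native:    whether Switch A tags the native VLAN on its trunks
    """
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        attacker_tags, 0x0800, b"constructed payload")
    vlan_a, accepted = access_ingress(frame, access_vlan)
    if vlan_a is None:
        return None
    on_wire = trunk_egress(vlan_a, accepted, native_vlan, tag_native)
    vlan_b, _ = trunk_ingress(on_wire, native_vlan)
    return vlan_b


if __name__ == "__main__":
    cases = [
        ("attacker on VLAN 10, native VLAN 10 (default)", [10, 20], 10, 10, False),
        ("native VLAN moved to unused VLAN 999",           [10, 20], 10, 999, False),
        ("vlan dot1q tag native enabled",                  [10, 20], 10, 10, True),
        ("attacker's port placed in unrouted VLAN 30",     [10, 20], 30, 10, False),
        ("normal untagged host on VLAN 10",                [],       10, 10, False),
    ]
    for label, tags, access_vlan, native, tag_native in cases:
        print(f"{label:48s} -> Switch B VLAN: {hop_result(tags, access_vlan, native, tag_native)}")
```

With the default configuration the frame reaches Switch B classified as VLAN 20; with an unused native VLAN or native-VLAN tagging it arrives as ordinary VLAN 10 traffic (the inner tag is just payload to Switch B), and when the attacker's port is in a VLAN other than the native VLAN the access port drops the frame, which is the reasoning behind answer A.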

Question 2

What is one method that can be used to prevent VLAN hopping on the network?

A. Configure VACLs.
B. Configure all frames with two 802.1Q headers.
C. Enforce username/password combinations.
D. Explicitly turn off Dynamic Trunking Protocol (DTP) on all unused ports.
E. All of the above


Answer: D

Explanation

Disable DTP so that the switch port will not negotiate trunking on the link, using this command:

Switch(config-if)# switchport nonegotiate

Or, better, configure it as an access port:

Switch(config-if)# switchport mode access

Note: VACLs are not a VLAN hopping mitigation; they are used for things like filtering DHCP replies arriving from untrusted ports.

Question 3

Which two statements about VLAN hopping are true? (Choose two)

A. Attacks are prevented by utilizing the port-security feature.
B. An end station attempts to gain access to all VLANs by transmitting Ethernet frames in the 802.1q encapsulation.
C. Configuring an interface with the “switchport mode dynamic” command will prevent VLAN hopping.
D. An end station attempts to redirect VLAN traffic by transmitting Ethernet frames in the 802.1q encapsulation.
E. Configuring an interface with the “switchport mode access” command will prevent VLAN hopping.


Answer: B E

Explanation

Please read the explanation of Question 1.

Question 4

When an attacker is using switch spoofing to perform VLAN hopping, how is the attacker able to gather information?

A. The attacking station uses DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.
B. The attacking station tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.
C. The attacking station will generate frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.
D. The attacking station uses VTP to collect VLAN information that is sent out and then tags itself with the domain information in order to capture the data.


Answer: A

Explanation

Please read the explanation of Question 1.

Comments
  1. AdyM
    June 13th, 2012

    @ certprepare:
    First of all a sincere “Thank you!” for all the work you put in these sites. I think they’re some of the best resources to test yourself against, before going for certification.

    Concerning Q#3, I have a slightly different perspective.

    Answer B) is only partially correct, and if that, only by extension. It presumably refers to the “switch spoofing” attack (unless I’m missing something) but it describes what will happen AFTER the attack was already successful (i.e. after establishing a trunk with a port left in “dynamic auto” mode).
    Nonetheless, it uses the terms “it attempts to gain access to all VLANs by transmitting Ethernet frames in the 802.1q” as if that was the essence of the “switch spoofing” attack, which is not. The main point of that attack (as you described it on top of the page) is sending DTP frames (which are Cisco proprietary and not part of 802.1q) and negotiating a trunk and that comes BEFORE sending 802.1q frames. From there on, the rest is normal behavior on behalf of the attacked switch.

    OTOH I consider answer D) a more valid answer than B). It talks about the “double-tagging” attack which indeed tries to redirect traffic from one VLAN (the native) towards another one. And this one, indeed uses 802.1q frames to do that.

    Answer E) is only partially true, since that command protects only against “switch spoofing” attacks but is not a sufficient measure (only by itself) to protect against a “double-tagging” attack, in case that very port is put on the native VLAN.

    So, as a final conclusion, answer D) should definitely be part of the chosen answers.
    B) and E) are both not 100% accurate.
    I lean more towards D & E but B & D may still be a valid choice, depending on what the author of the question was thinking when s/he wrote the answers.

    This is one murky question.

  2. BC
    June 14th, 2012

    Question 3: answers B and D – are similar
    The key is in the answers–> either redirect or gain access. The whole point of VLAN tagging is to gain access. Which is done by double tagging (double-encapsulated 802.1Q packets).

    So B is correct.

    Answer E keeps the port from becoming a trunk port which prevents trunk encapsulation

    SO B and E are correct

  3. Christophe
    July 1st, 2012

    @ BC:
    For Q3 again..
    I have another opinion concerning answer B. An end station attempts to gain access to all VLANs by transmitting Ethernet frames in the 802.1q encapsulation.

    Actually, by sending 802.1Q frames a user cannot have access to ALL VLANs together, but only one, depending on the VLAN tag it sends.
    So I think gaining access to all VLANs will be through negotiating a trunk via DTP, not by 802.1q.

    Answer D: An end station attempts to redirect VLAN traffic by transmitting Ethernet frames in the 802.1q encapsulation.
    which talks about dual tagging.

    So I would go for B and not D…

    Any other opinions?

  4. imran
    July 8th, 2012

    If you understand double tagging and DTP (Dynamic Trunking Protocol) and its negotiate feature, you will be fine. Doing certs won't find you a job, so don't get stuck with wording; try to fully understand the concept.
    Thanks to all

  5. DumpsMania
    July 17th, 2012

    Do you want to pass your CCNA or CCNP exams in first attempt?

    Well we have 100% latest and proven fresh dumps for you.
    We guarantee your passing score and we can prove that we have the most current dumps with us

    Special Offer:-We will provide you with dumps updates for 3 months.

    Price :- 10$

    For more details, Please email us at dumpsmania@hotmail.com

  6. HungN
    July 20th, 2012

    Hi Guys,

    Seeing the answer right in front of your eyes before making a selection is annoying. So I grabbed all of the questions on this site and put them into a VCE file to make my life easier. Be sure to check back on the CertPrepare site regularly for updates.

    Here is the file: http://www.4shared.com/file/C5hmKPbb/CCNP_642-813_CertPrepare-by_Hu.html

    Best of luck !!!

  7. Arch
    August 4th, 2012

    Great!

  8. MEandMyMonkey
    October 19th, 2012

    If answer in Q3 is B , why in question 4 is not C???

  9. Dmitry
    November 5th, 2012

    MEandMyMonkey, because C is more about Double Tagging, not spoofing – although both are methods of VLAN hopping.

  10. Vidyun
    January 7th, 2013

    Q3. B and E are perfectly correct. VLAN hopping is all about the end station gaining access; why would it redirect? No, it will not. It encapsulates into 802.1q to transmit its frames.

  11. Access Denied to Flash link
    January 24th, 2013

    cliftonb12345 – gets error (You have no access to Folder Flash Content (http://www.certprepare.com/final_flash). Visit order page to order additional subscriptions.)

    But (SWITCH Membership – expires 02/08/13) still valid.

    Also lost two days' access while the site was down.

    Certprepare please fix. – Thank you.

  12. certprepare
    January 25th, 2013

    @Access Denied to Flash link: Yes, the problem has been fixed. We are very sorry for the inconvenience we caused.

  13. TechMom
    April 12th, 2013

    Nothing from this section in test today.

  14. Thedmachine
    April 29th, 2013

    Cisco for life son! Ya dawg.
