By changing the native VLAN, the attacker would not be able to deceive the switch by sending a double-tagged frame, because in that case the switch would drop the frame since its outer tag would have a VLAN ID (native VLAN ID) that is not the same as the access VLAN configured on the attacker port.
Source: https://learningnetwork.cisco.com/s/blogs/a0D3i000002SKPREA4/vlan1-and-vlan-hopping-attack
A. Configure private VLANs.
Private VLANs (PVLANs) segregate devices within the same VLAN, restricting their communication to enhance network security and isolation. To address concerns about VLAN hopping, configuring private VLANs (PVLANs) is an effective security measure. PVLANs restrict communication between devices within the same VLAN, preventing one device from "hopping" to another device's traffic within the same VLAN.
Changing the default VLAN remains a more effective measure for preventing VLAN hopping compared to configuring private VLANs because it directly mitigates the risk of unauthorized access between VLANs caused by potential vulnerabilities or misconfigurations, providing a proactive defense strategy for overall network security. Plus due to the vague question, how do we know that the VLANs aren't already private? Answer is B.
Double Tagging can only be exploited on switch ports configured to use native VLANs.[2]: 162 Trunk ports configured with a native VLAN don't apply a VLAN tag when sending these frames. This allows an attacker's fake VLAN tag to be read by the next switch.
So it's B. Change the Native/Default VLAN.
The question is about VLAN hopping, not communication within VLANs.
PVLANs segregate devices within a VLAN. This is not the threat vector the question is asking about.
Option B is correct.
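The native-VLAN behaviour discussed in the comments above, as an added example that is not part of the original thread: a simplified Python model of an access port and a trunk, showing where a double-tagged frame ends up before and after the native VLAN is changed, and which access ports are exposed. Port names, VLAN numbers and function names are constructed for illustration, and real switches vary by platform.

```python
# Simplified model (assumption) of 802.1Q handling on two trunked switches.
# A frame is a list of VLAN IDs, outermost tag first; payload is omitted.

def access_ingress(tags, access_vlan):
    """Access port: accept untagged frames or an outer tag equal to the
    access VLAN. Returns (vlan, inner_tags), or None when dropped."""
    if not tags:
        return access_vlan, []
    if tags[0] != access_vlan:
        return None  # outer tag does not match the port's access VLAN
    return access_vlan, tags[1:]

def trunk_egress(vlan, inner_tags, native_vlan):
    """Trunk port: native-VLAN frames leave without a tag for that VLAN;
    every other VLAN gets its 802.1Q tag pushed."""
    if vlan == native_vlan:
        return list(inner_tags)
    return [vlan] + list(inner_tags)

def trunk_ingress(tags, native_vlan):
    """Next switch: the first tag decides the VLAN; untagged means native."""
    return tags[0] if tags else native_vlan

def delivered_vlan(tags, access_vlan, native_vlan):
    """VLAN the frame lands in on the second switch, or None if dropped."""
    accepted = access_ingress(tags, access_vlan)
    if accepted is None:
        return None
    vlan, inner = accepted
    return trunk_ingress(trunk_egress(vlan, inner, native_vlan), native_vlan)

def exposed_ports(ports, native_vlan, other_vlan):
    """Access ports from which a frame tagged [native, other] would be
    delivered into other_vlan on the far side of the trunk."""
    probe = [native_vlan, other_vlan]
    return [name for name, access_vlan in ports.items()
            if delivered_vlan(probe, access_vlan, native_vlan) == other_vlan]

# Constructed sample: access ports and their VLANs on the first switch.
PORTS = {"Gi0/1": 1, "Gi0/2": 10, "Gi0/3": 1}

if __name__ == "__main__":
    print(exposed_ports(PORTS, native_vlan=1, other_vlan=20))    # default native VLAN
    print(exposed_ports(PORTS, native_vlan=999, other_vlan=20))  # native VLAN changed
    print(delivered_vlan([999, 20], access_vlan=1, native_vlan=999))  # dropped
```

In this model a port is exposed only while its access VLAN equals the trunk's native VLAN, which is why moving the native VLAN to an ID no access port uses leaves the list empty.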
A. Configure private VLANs.
Private VLANs (PVLANs) are designed to enhance security by isolating ports within the same VLAN from each other, thus preventing VLAN hopping attacks. This configuration restricts communication between devices within the same VLAN, reducing the risk of unauthorized access or interference.
D. Enable dynamic ARP inspection.
Dynamic ARP Inspection (DAI) is a security feature that helps prevent ARP spoofing attacks and VLAN hopping. VLAN hopping occurs when an attacker sends frames from one VLAN to another VLAN, exploiting the lack of proper VLAN separation.
Dynamic ARP Inspection helps mitigate VLAN hopping by inspecting ARP packets and ensuring that ARP requests and responses are valid within the associated VLANs. It builds a binding table that maps IP addresses to MAC addresses and VLANs, and it drops ARP packets that are inconsistent with this table.
While other options like configuring private VLANs (Option A), changing the default VLAN (Option B), and implementing ACLs (Option C) can contribute to network security, they may not specifically address VLAN hopping concerns. Enabling dynamic ARP inspection is a more targeted solution for preventing this specific type of attack.
D. Enable dynamic ARP inspection.
Dynamic ARP inspection (DAI) is a security feature that can help address VLAN hopping concerns. VLAN hopping occurs when an attacker sends packets with a false VLAN ID to gain unauthorized access to frames belonging to a different VLAN.
By enabling dynamic ARP inspection, the network switches can validate ARP packets to ensure that the source MAC address and IP address match. If an ARP reply is received on an interface belonging to a different VLAN than what is expected, the switch can drop or block the packet, thus preventing potential VLAN hopping attacks.
N10-008 Exam Questions