AP Cybersecurity Unit 3 Lesson 4 Lab


Lab — Operation Firewall Jumper: VLAN Breach Investigation

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Each step uses a different assessment format.
Investigation Target
Harborview Regional Bank

Despite deploying VLANs (Teller VLAN 10, Back Office VLAN 20, ATM VLAN 30, Guest VLAN 40), an attacker on the Guest VLAN accessed the ATM management system. Your investigation traces how VLAN hopping via a misconfigured trunk port bypassed the segmentation architecture.

Step 1: Matching
Classify VLAN Functions
Match each VLAN to the type of traffic it should carry.
Think first: Each VLAN isolates a specific device group with specific security requirements.
VLAN 10: Card transaction processing between teller terminals and payment gateway
VLAN 30: Firmware updates and configuration commands to 150 ATMs
VLAN 40: Visitor web browsing with no access to internal resources
VLAN 10 = Teller (PCI-DSS card transactions). VLAN 30 = ATM (firmware and configuration — critical infrastructure). VLAN 40 = Guest (untrusted, internet-only, zero internal access).
Exam Tip: VLANs group devices by trust level and data sensitivity. The most sensitive traffic (card processing, ATM management) gets the strongest isolation. Guest traffic gets the least trust.
Step 2: Fill in the Blank
Complete the Attack Technique Description
Fill in the correct network term for each blank.
Think first: The attacker exploited a port configuration error to cross VLAN boundaries.

Switch port Gi0/24 in the lobby was misconfigured as a ______ port instead of an access port, carrying tagged traffic for all VLANs.

The attacker sent frames with 802.1Q tags for VLAN 30. This technique is called VLAN ______.

The ATM management console at 10.30.1.50 used default credentials: admin/______.

The inter-VLAN firewall did not block the access because the attacker’s tagged frames made the traffic appear as ______ traffic within VLAN 30.

The fix: configure all user-facing ports as ______ ports with a single VLAN assignment.

Answers: (1) trunk. (2) hopping. (3) admin (default password). (4) intra-VLAN. (5) access.
Exam Tip: VLAN hopping prevention: disable DTP on all user ports, set all user ports to access mode, and never leave trunk ports on user-facing jacks. Default credentials on management consoles are a separate but equally critical failure.
Step 3: Select All That Apply
Identify All Required Fixes
Select ALL fixes needed to prevent this specific attack from recurring.
Think first: The attack chain had multiple steps. Each step needs its own fix.
Correct: Access ports (A), disable DTP (B), change credentials (C), BPDU Guard (D). Wrong: Removing VLANs (E) eliminates segmentation entirely. Blocking all guest access (F) is disproportionate — the issue was the trunk port, not the guest network itself.
Exam Tip: Each fix addresses a different link: access ports prevent trunk exploitation, DTP disabling prevents negotiation, credential changes block console access, BPDU Guard auto-disables suspicious ports.
Step 4: Multiple Choice
Determine Why the Firewall Did Not Help
The inter-VLAN firewall had rules blocking Guest (VLAN 40) from reaching ATM (VLAN 30). Why did it NOT stop this attack?
Predict first: The attacker’s frames were tagged with VLAN 30, not VLAN 40. What does the firewall see?
B is correct. Because the attacker’s frames were tagged VLAN 30, the switch placed them on the ATM VLAN. The traffic appeared to originate from within VLAN 30 — intra-VLAN traffic that never crosses a VLAN boundary and therefore never passes through the inter-VLAN firewall.
Exam Tip: Inter-VLAN firewalls only see traffic CROSSING between VLANs. VLAN hopping places the attacker INSIDE the target VLAN, bypassing the firewall entirely. This is why port-level controls (access mode, DTP disabled) are essential.
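The following is an added example, not part of the lab: a toy model of how a switch classifies an 802.1Q-tagged frame arriving on a trunk port versus an access port, and why only VLAN-crossing traffic is ever inspected by the inter-VLAN firewall. Gi0/24, the VLAN IDs and 10.30.1.50 come from the lab; the frames, the per-VLAN /16 addressing and the `forward` helper are constructed assumptions.

```python
# Added example, not from the lab: a toy model of 802.1Q ingress classification
# showing why VLAN-hopped frames never reach the inter-VLAN firewall.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Frame:
    dst_ip: str
    tag: Optional[int]   # 802.1Q VLAN ID the sender put on the frame, or None

@dataclass
class Port:
    name: str
    mode: str            # "access" or "trunk"
    vlan: int            # access VLAN, or native VLAN for a trunk

# Firewall policy from the lab: Guest (40) may not reach any internal VLAN.
BLOCKED = {(40, 10), (40, 20), (40, 30)}

def vlan_of(ip: str) -> int:
    """Constructed addressing plan: VLAN N owns 10.N.0.0/16 (10.30.1.50 is VLAN 30)."""
    return int(ip.split(".")[1])

def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the switch assigns on ingress; None means the frame is dropped."""
    if port.mode == "trunk":
        return frame.tag if frame.tag is not None else port.vlan  # tag is trusted
    if frame.tag in (None, port.vlan):
        return port.vlan          # access port: frame belongs to the port's VLAN
    return None                   # access port drops tags for any other VLAN

def forward(port: Port, frame: Frame) -> dict:
    """Where the frame ends up and whether the inter-VLAN firewall ever saw it."""
    src = ingress_vlan(port, frame)
    if src is None:
        return {"ingress_vlan": None, "firewall_inspected": False, "delivered": False}
    dst = vlan_of(frame.dst_ip)
    crosses = src != dst          # only routed, VLAN-crossing traffic hits the firewall
    delivered = not crosses or (src, dst) not in BLOCKED
    return {"ingress_vlan": src, "firewall_inspected": crosses, "delivered": delivered}

# Constructed frames from the lobby jack: one tagged for VLAN 30, one untagged.
HOPPED = Frame(dst_ip="10.30.1.50", tag=30)
PLAIN = Frame(dst_ip="10.30.1.50", tag=None)
MISCONFIGURED = Port("Gi0/24", mode="trunk", vlan=40)   # the lab's trunk-mode error
HARDENED = Port("Gi0/24", mode="access", vlan=40)       # the fix: access mode, VLAN 40

if __name__ == "__main__":
    for port in (MISCONFIGURED, HARDENED):
        for frame in (HOPPED, PLAIN):
            print(port.mode, frame.tag, forward(port, frame))
```

On the trunk the tagged frame lands inside VLAN 30 with the firewall never consulted, while the same frame on the access port is dropped at ingress and the untagged frame is routed through the firewall and blocked.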
Step 5: Analysis
Assess the Containment
Once on VLAN 30, the attacker accessed the ATM management console with admin/admin. From there, they could modify ATM dispensing limits, install malicious firmware, or disable encryption.
5a. Select the most dangerous capability the attacker gained:
5b. Explain what the attacker could do with ATM management access and why default credentials made this possible.
Key terms: firmware, malware, card data, skim, dispense, limit, encrypt, disable, default, admin, change, credential, never, first
B is correct. Full management access = control over firmware (install card-skimming malware), dispensing limits (authorize fraudulent withdrawals), and encryption (disable cardholder data protection). Default credentials: admin/admin should have been changed during initial deployment. Default passwords are the first thing attackers try — they are published in product manuals.
Exam Tip: Default credentials on management consoles are equivalent to leaving the front door unlocked. Step 1 of any deployment: change ALL default passwords before the device goes live.
Step 6: Written Response
Write the Port Hardening Standard
Write a switch port hardening standard that Harborview should apply to all user-facing ports across every branch. Include at least 4 specific configuration requirements.
Key terms: access mode, DTP, disable, BPDU Guard, port security, MAC, limit, unused, shutdown, VLAN, assign, trunk, never, user-facing
Model:
1: All user-facing ports configured as access mode with explicit VLAN assignment — no trunk mode on any user port.
2: DTP disabled on all access ports — prevents dynamic trunk negotiation.
3: BPDU Guard enabled — auto-disables any port receiving trunk negotiation or spanning tree frames.
4: Port security limiting to 1-2 MAC addresses per port — prevents unauthorized device connections.
5: All unused ports administratively shut down — eliminates attack surface from idle jacks.
Exam Tip: Port hardening is a one-time configuration applied to all switches. Without it, every user-facing port is a potential VLAN hopping entry point. This standard should be part of every switch deployment checklist.
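As an added example (not part of the lab), a small Python auditor that reads IOS-style interface stanzas and reports which requirements of the standard above a user-facing port fails. The sample running-config text and the interface names other than Gi0/24 are constructed, and the check recognises only the Cisco IOS command forms listed in `STANDARD`.

```python
# Added example, not from the lab: audit user-facing interface stanzas from an
# IOS-style running config against the five-point port hardening standard.
import re
# One regex per requirement; a port passes a requirement if any line matches.
STANDARD = {
    "access mode": r"^switchport mode access$",
    "explicit VLAN assignment": r"^switchport access vlan \d+$",
    "DTP disabled": r"^switchport nonegotiate$",
    "BPDU Guard": r"^spanning-tree bpduguard enable$",
    "port security enabled": r"^switchport port-security$",
    "port security max 1-2 MACs": r"^switchport port-security maximum [12]$",
}

def parse_interfaces(config: str) -> dict:
    """Map each interface name to its config lines ('!' ends a stanza)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit_port(lines: list) -> list:
    """Return the requirements a user-facing port fails (empty list = compliant)."""
    if "shutdown" in lines:
        return []                 # unused jack administratively down: compliant
    findings = ["trunk mode on user-facing port"] if "switchport mode trunk" in lines else []
    findings += [req for req, pat in STANDARD.items()
                 if not any(re.match(pat, l) for l in lines)]
    return findings

# Constructed config: Gi0/24 mirrors the lab's lobby-jack error, Gi0/1 is compliant.
SAMPLE_CONFIG = """interface GigabitEthernet0/24
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 shutdown"""

if __name__ == "__main__":
    for name, lines in parse_interfaces(SAMPLE_CONFIG).items():
        print(name, audit_port(lines) or "compliant")
```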
AP Cybersecurity 3.4 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.