Layer 2 methods (network segmentation using VLANs; Layer 2 and port security; DHCP snooping; Dynamic ARP inspection; storm control; PVLANs to segregate network traffic; and defenses against MAC, ARP, VLAN hopping, STP, and DHCP rogue attacks)

2.4 Configure and verify network infrastructure security methods

📘CompTIA Security+ (SY0-701)


Layer 2 (Data Link Layer) security focuses on protecting switching infrastructure.
Most attacks inside an organization happen at Layer 2, especially when attackers are already connected to the internal network.

Cisco includes many Layer 2 protection features to stop common internal attacks such as:

  • MAC address attacks
  • ARP spoofing
  • DHCP rogue servers
  • VLAN hopping
  • STP manipulation
  • Broadcast storms

Why Layer 2 Security Is Important

  • Layer 2 devices (switches) trust everything by default
  • No authentication is required at this layer
  • Internal users can launch attacks if Layer 2 is not secured
  • These attacks can bypass firewalls and IPS devices

The goal of Layer 2 security is to:

  • Control who can connect
  • Limit what each device can do
  • Stop internal network attacks

1. Network Segmentation Using VLANs

What Is a VLAN?

A VLAN (Virtual Local Area Network) is a logical separation of devices on a switch.

Devices in different VLANs:

  • Cannot communicate directly
  • Are separated into different broadcast domains

Why VLANs Improve Security

  • Limits network visibility
  • Reduces broadcast traffic
  • Prevents unauthorized access between groups

Common VLAN Use in IT Networks

  • User VLANs
  • Server VLANs
  • Management VLANs
  • Voice VLANs
  • Guest VLANs

Security Benefit

If a device in one VLAN is compromised:

  • It cannot directly attack devices in other VLANs
  • Traffic must pass through Layer 3 controls (ACLs, firewalls)

2. Layer 2 Port Security

What Is Port Security?

Port security controls which MAC addresses are allowed on a switch port.


Why Port Security Is Needed

Without port security:

  • A switch port learns any number of source MAC addresses
  • An attacker can flood the switch with frames carrying fake source MAC addresses
  • This fills the CAM table (CAM table overflow); the switch then floods frames out every port, so the attacker can see other hosts' traffic

Port Security Capabilities

Port security can:

  • Limit number of MAC addresses per port
  • Allow only specific MAC addresses
  • Take action when a violation occurs

Port Security Violation Modes

  1. Protect
    • Drops traffic from unknown MAC addresses
    • No alert is generated
  2. Restrict
    • Drops traffic
    • Logs a violation
    • Increments a counter
  3. Shutdown
    • Puts the port into error-disabled state
    • Most secure option
    • Requires manual or automatic recovery

Security Benefit

  • Prevents MAC flooding attacks
  • Stops unauthorized devices
  • Controls device access per port
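The port security behaviour and violation modes described above as a Cisco IOS configuration (an added example, not from the original notes; interface names, VLAN 10 and the printer MAC are assumed placeholders):

```cisco
! User desk port: allow at most two learned MACs (PC behind a phone), keep them
! as sticky entries, and in "restrict" mode drop + log + count on a violation.
interface GigabitEthernet1/0/5
 description User access port (assumed name)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Port with a fixed device (printer): pin the exact MAC (placeholder value)
! and err-disable the port on any other source address ("shutdown" is the default mode).
interface GigabitEthernet1/0/6
 description Printer port (assumed name)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address aaaa.bbbb.cccc
 switchport port-security violation shutdown
!
! Automatic recovery for the "shutdown" mode: the port comes back after 5 minutes;
! the violation is still logged, so a repeating offender is still visible.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
!   show port-security interface GigabitEthernet1/0/5   <- mode, violation count, last source MAC
!   show port-security address                           <- learned/sticky/static entries per port
!   show errdisable recovery                             <- recovery causes and timer
```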

3. DHCP Snooping

What Is DHCP Snooping?

DHCP snooping is a Layer 2 security feature that:

  • Filters DHCP messages
  • Allows DHCP responses only from trusted sources

The Problem: Rogue DHCP Servers

A rogue DHCP server can:

  • Assign incorrect IP addresses
  • Provide malicious default gateway or DNS
  • Redirect traffic to attackers

How DHCP Snooping Works

  • Switch classifies ports as trusted or untrusted
  • Ports facing the legitimate DHCP server (or the uplink toward it) are trusted
  • Client ports are untrusted

What DHCP Snooping Does

  • Allows DHCP offers only from trusted ports
  • Drops DHCP offers from untrusted ports
  • Builds a DHCP binding table

The binding table contains:

  • MAC address
  • IP address
  • VLAN
  • Port number
  • Lease time

Security Benefit

  • Prevents rogue DHCP servers
  • Ensures valid IP address assignments
  • Enables other security features (DAI, IP Source Guard)

4. Dynamic ARP Inspection (DAI)

What Is ARP?

ARP maps:

  • IP address → MAC address

The Problem: ARP Spoofing

Attackers can:

  • Send fake ARP replies
  • Associate their MAC with another device’s IP
  • Perform man-in-the-middle attacks

What Is Dynamic ARP Inspection?

DAI:

  • Validates ARP packets
  • Blocks invalid or malicious ARP messages

How DAI Works

  • Uses the DHCP snooping binding table
  • Checks ARP packets against known IP-MAC mappings
  • Drops ARP packets that do not match

Trusted vs Untrusted Ports

  • Trusted ports: uplinks, routers
  • Untrusted ports: user access ports

Security Benefit

  • Prevents ARP spoofing
  • Stops man-in-the-middle attacks
  • Protects IP-to-MAC integrity
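Sections 3 and 4 together as one Cisco IOS configuration: DHCP snooping builds the binding table and DAI validates ARP against it (an added example, not from the original notes; VLANs 10 and 20, the interface names and the database path are assumed):

```cisco
! --- DHCP snooping (section 3) ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Persist the binding table so DAI still has data after a reload (assumed path).
ip dhcp snooping database flash:dhcp-snooping.db
! Only needed when the upstream relay/server rejects the option-82 this switch inserts.
no ip dhcp snooping information option
!
! --- Dynamic ARP Inspection (section 4) reuses the binding table ---
ip arp inspection vlan 10,20
! Extra checks: Ethernet src/dst MAC must match the ARP body, and the sender IP
! may not be 0.0.0.0, 255.255.255.255 or a multicast address.
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the DHCP server and default gateway: trusted for both features.
interface GigabitEthernet1/0/24
 description Uplink to core (assumed name)
 ip dhcp snooping trust
 ip arp inspection trust
!
! User access ports stay untrusted (the default); rate limits stop a host from
! exhausting the switch CPU with DHCP or ARP floods.
interface range GigabitEthernet1/0/1-23
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! A port that exceeds a rate limit is err-disabled; let it recover on its own.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification:
!   show ip dhcp snooping                 <- enabled VLANs, trusted ports, option-82 state
!   show ip dhcp snooping binding         <- MAC / IP / lease / type / VLAN / interface
!   show ip arp inspection vlan 10        <- DAI state and active validation checks
!   show ip arp inspection statistics     <- forwarded vs dropped ARP per VLAN
```

The binding table shown by the second verification command is exactly the MAC, IP, VLAN, port and lease list the notes describe; an ARP packet whose sender IP/MAC pair is absent from it is dropped on untrusted ports.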

5. Storm Control

What Is a Network Storm?

A storm occurs when excessive traffic overwhelms the network:

  • Broadcast storms
  • Multicast storms
  • Unknown unicast storms

Causes of Storms

  • Misconfigured devices
  • Loops
  • Malware-infected systems

What Is Storm Control?

Storm control:

  • Limits the amount of broadcast, multicast, or unknown unicast traffic on a port

How Storm Control Works

  • Traffic thresholds are configured
  • If traffic exceeds threshold:
    • Traffic is dropped
    • Port may be shut down (optional)

Security Benefit

  • Prevents network outages
  • Protects switch CPU and bandwidth
  • Limits damage from compromised hosts
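Storm control thresholds and actions from the section above as a Cisco IOS configuration (an added example, not from the original notes; the interface names and percentage values are assumed and should be tuned to the link's normal baseline):

```cisco
! Access port: broadcast above 1% of link bandwidth is suppressed until it drops
! back under 0.5% (rising / falling thresholds); multicast is capped at 2%.
interface GigabitEthernet1/0/5
 description User access port (assumed name)
 storm-control broadcast level 1.00 0.50
 storm-control multicast level 2.00
 ! Both actions may be configured: send an SNMP trap when a threshold is crossed
 ! and err-disable the port. Without "shutdown" the excess traffic is only dropped.
 storm-control action trap
 storm-control action shutdown
!
! Uplink: a higher threshold and no shutdown, because aggregated broadcast from
! many hosts is normal there and disabling the uplink would itself be an outage.
interface GigabitEthernet1/0/24
 description Uplink to core (assumed name)
 storm-control broadcast level 10.00
 storm-control action trap
!
! Bring an err-disabled access port back automatically after 5 minutes.
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Verification:
!   show storm-control                                   <- per-port filter state and thresholds
!   show storm-control GigabitEthernet1/0/5 multicast    <- one port / one traffic type
```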

6. Private VLANs (PVLANs)

What Are Private VLANs?

PVLANs allow further segmentation within a single VLAN.


Why PVLANs Are Needed

Devices may:

  • Be in the same VLAN
  • But should not communicate with each other

Common in:

  • Server farms
  • DMZ environments
  • Shared hosting environments

PVLAN Types

  1. Primary VLAN
    • Main VLAN
    • Carries traffic to routers or firewalls
  2. Isolated VLAN
    • Devices cannot talk to each other
    • Can only talk to the primary VLAN
  3. Community VLAN
    • Devices can talk within the same community
    • Cannot talk to other communities

Security Benefit

  • Prevents lateral movement
  • Limits internal attacks
  • Reduces attack surface
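The three PVLAN types above as a Cisco IOS configuration for a DMZ (an added example, not from the original notes; VLAN numbers, interface names and descriptions are assumed):

```cisco
! PVLANs require VTP transparent mode (or VTP version 3).
vtp mode transparent
!
! Define the secondary VLANs first, then associate them with the primary.
vlan 101
 name DMZ_ISOLATED
 private-vlan isolated
vlan 102
 name DMZ_WEB_COMMUNITY
 private-vlan community
vlan 100
 name DMZ_PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated host: can reach only the promiscuous port (the firewall), nothing else.
interface GigabitEthernet1/0/1
 description Standalone server (assumed name)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community hosts: talk to each other and to the promiscuous port only.
interface range GigabitEthernet1/0/2-3
 description Web cluster nodes (assumed name)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port toward the firewall: must map every secondary VLAN it serves.
interface GigabitEthernet1/0/24
 description Firewall inside interface (assumed name)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Verification:
!   show vlan private-vlan                              <- primary/secondary pairs, type, ports
!   show interfaces GigabitEthernet1/0/1 switchport     <- host association of one port
```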

7. Defenses Against Common Layer 2 Attacks


A. MAC Address Attacks

Attack Type:

  • MAC flooding
  • CAM table overflow

Defense:

  • Port security
  • MAC address limits

B. ARP Attacks

Attack Type:

  • ARP spoofing
  • ARP poisoning

Defense:

  • Dynamic ARP Inspection
  • DHCP snooping

C. VLAN Hopping Attacks

Attack Type:

  • Switch spoofing
  • Double tagging

Defense:

  • Disable unused ports
  • Use access mode on user ports
  • Disable DTP
  • Use an unused VLAN as the trunk native VLAN and keep user ports out of it

D. STP Attacks

Attack Type:

  • Root bridge manipulation
  • Topology changes

Defense:

  • BPDU Guard
  • Root Guard
  • Loop Guard
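The VLAN hopping defenses in C and the STP guards in D as one Cisco IOS configuration (an added example, not from the original notes; interface names, VLAN numbers and the choice of which trunk faces downstream are assumed):

```cisco
! User ports: fixed access mode with DTP off, so a host cannot negotiate a trunk
! (switch spoofing). PortFast + BPDU Guard err-disables the port the moment it
! receives a BPDU, i.e. when a host tries to act as a switch or claim root.
interface range GigabitEthernet1/0/1-23
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: shut down and parked in a VLAN that carries nothing.
vlan 999
 name PARKING_UNUSED
interface range GigabitEthernet1/0/40-47
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Trunk: explicit mode, DTP off, native VLAN moved off VLAN 1 to one with no
! hosts, and only the needed VLANs allowed. A double-tagged frame is then
! stripped into a VLAN where nothing listens. (Older platforms need
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".)
vlan 998
 name NATIVE_UNUSED
interface GigabitEthernet1/0/24
 description Uplink to core (assumed name)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
!
! Root Guard on the trunk toward a downstream switch: a superior BPDU from that
! side puts the port into root-inconsistent state instead of moving the root.
interface GigabitEthernet1/0/23
 description Trunk to access switch (assumed name)
 spanning-tree guard root
!
! Global defaults: BPDU Guard on every PortFast port; Loop Guard blocks a port
! that stops receiving BPDUs instead of letting it forward and form a loop.
spanning-tree portfast bpduguard default
spanning-tree loopguard default
!
! Verification:
!   show interfaces trunk                  <- mode, native VLAN, allowed VLANs
!   show spanning-tree inconsistentports   <- ports held by Root Guard / Loop Guard
!   show errdisable recovery               <- ports disabled by BPDU Guard
```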

E. Rogue DHCP Attacks

Attack Type:

  • Fake DHCP servers
  • Malicious IP assignment

Defense:

  • DHCP snooping
  • Trusted/untrusted ports

Key Exam Points to Remember

  • VLANs provide logical segmentation
  • Port security controls MAC addresses
  • DHCP snooping protects IP assignment
  • DAI prevents ARP spoofing
  • Storm control limits excessive traffic
  • PVLANs isolate devices within the same VLAN
  • Most Layer 2 attacks happen internally
  • DHCP snooping is required for DAI to work

Summary

Layer 2 security methods are critical for internal network protection.
They stop attacks before traffic reaches firewalls or IPS systems.

For the 350-701 exam, you must understand:

  • What each feature does
  • Which attack it prevents
  • How features work together