Common Layer 2 Threats

Common Layer 2 Threats and How to Mitigate Them

Everything at Layer 3 and higher is encapsulated into some type of Layer 2 frame. If the attacker can interrupt, copy, redirect, or confuse the Layer 2 forwarding of data, that same attacker can also disrupt any type of upper-layer protocols that are being used.

Layer 2 Best Practices

  • Select an unused VLAN (other than VLAN 1) and use that for the native VLAN for all your trunks. Do not use this native VLAN for any of your enabled access ports.

  • Avoid using VLAN 1 anywhere, because it is the default VLAN and an attacker will assume it is in use

  • Administratively configure access ports as access ports so that users cannot negotiate a trunk and disable the negotiation of trunking (no Dynamic Trunking Protocol [DTP])

  • Limit the number of MAC addresses learned on a given port with the port security feature

  • Control spanning tree to stop users or unknown devices from manipulating spanning tree. You can do so by using the BPDU Guard and Root Guard features

  • Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks that have no legitimate need for CDP

  • On a new switch, shut down all ports and assign them to a VLAN that is not used for anything else other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed

Set a port in access mode

SW2(config)# interface fa0/2
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 10
SW2(config-if)# switchport nonegotiate
! disables DTP so this access port can never negotiate a trunk

Set a port in trunk mode

SW2(config)# interface fa0/23
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk native vlan 3
! moves the native VLAN off VLAN 1 (use an otherwise unused VLAN)
SW2(config-if)# switchport nonegotiate
! disables DTP so the trunk is static rather than negotiated

Do Not Allow Negotiations

A user who manages to establish a trunk could perform “VLAN hopping” into any VLAN they desire simply by tagging frames with the VLAN ID of their choice.

  • Port security: Limits the number of MAC addresses to be learned on an access switch port

  • BPDU Guard: If BPDUs (any type) show up where they should not, the switch protects itself

  • Root Guard: Controls which ports are not allowed to become root ports to remote root switches

  • Dynamic ARP inspection: Prevents spoofing of Layer 2 information by hosts

  • IP Source Guard: Prevents spoofing of Layer 3 information by hosts

  • 802.1X: Authenticates users before allowing their data frames into the network

  • DHCP snooping: Prevents rogue DHCP servers from impacting the network

  • Storm control: Limits the amount of broadcast or multicast traffic flowing through the switch

  • Access control lists: Traffic control to enforce policy

BPDU Guard

When BPDU Guard is enabled on a port, the switch stops forwarding on that port and places it in the err-disabled state as soon as any BPDU arrives inbound on it.

SW2(config)# interface fa0/2
SW2(config-if)# spanning-tree bpduguard enable

To automatically recover an err-disabled port after a timeout (30 seconds here) instead of leaving it down until an administrator intervenes:

SW2(config)# errdisable recovery cause bpduguard
SW2(config)# errdisable recovery interval 30
SW2# show errdisable recovery

Root Guard

Your switch might be connected to other switches that you do not manage. If you want to prevent your local switch from learning about a new root switch through one of its local ports, you can configure Root Guard on that port.

SW1(config)# interface fa0/24
SW1(config-if)# spanning-tree guard root

Port Security

Port security controls how many MAC addresses can be learned on a single switch port.

SW2(config)# interface fa0/2
SW2(config-if)# switchport port-security
SW2(config-if)# switchport port-security maximum 5
SW2(config-if)# switchport port-security violation protect
! protect silently drops frames from extra MACs; restrict also logs and counts them, shutdown err-disables the port
SW2(config-if)# switchport port-security mac-address sticky

SW2# show port-security
SW2# show port-security interface fa0/2
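To check a switch against the checklist above at scale, the following added example (not part of the original post) audits a saved IOS running config for ports that still negotiate DTP, access ports lacking BPDU Guard or port security, trunks left on native VLAN 1, and any port placed in VLAN 1. The sample config embedded in it is constructed for illustration, and a port with no explicit `switchport mode` line is assumed to be DTP-negotiable.

```python
# Constructed sample config (hypothetical, not from a real device): a hardened
# access port, a trunk left on native VLAN 1 with DTP enabled, and a dynamic port.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/5
 switchport mode dynamic desirable
 switchport access vlan 1
!
"""

def parse_interfaces(config):
    """Map each interface name to the set of lines configured under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif current and line.startswith(" "):
            interfaces[current].add(line.strip())
        else:
            current = None  # '!' or a top-level command closes the block
    return interfaces

def audit(config):
    """Return sorted (interface, finding) pairs for checklist violations."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        # Assumption: no explicit mode means the port still negotiates with DTP.
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
        native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
        checks = [
            (mode == "dynamic", "DTP negotiation allowed; hard-set access or trunk"),
            ("switchport nonegotiate" not in lines, "missing 'switchport nonegotiate'"),
            (mode == "access" and "spanning-tree bpduguard enable" not in lines, "access port without BPDU Guard"),
            (mode == "access" and "switchport port-security" not in lines, "access port without port security"),
            (mode == "trunk" and native == "1", "trunk native VLAN is 1"),
            ("switchport access vlan 1" in lines, "port assigned to VLAN 1"),
        ]
        findings += [(name, msg) for failed, msg in checks if failed]
    return sorted(findings)
```

Run it against the output of `show running-config` saved to a file, e.g. `audit(open("running-config.txt").read())`; only FastEthernet0/23 and FastEthernet0/5 produce findings for the sample config.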

Excellent summary list. I would also recommend the following additional steps:

Parking VLAN - A shutdown VLAN that should be assigned to any unused access ports. Should be different from the native VLAN, and make it a private VLAN as well. This helps protect against misconfigurations where someone is bringing up a newly connected interface.

VTP - Always ensure there is a password configured on VTP, even when in transparent mode. Again, this helps avoid problems due to misconfiguration.

CDP - Unless you use Cisco IP phones, CDP can be disabled on all access interfaces. Unless you really use it, you can probably disable it globally in general; it really depends on how well documented your network is.