Chapter 8: Securing Layer 2 Technologies

I. Foundation Topics
II. VLAN and Trunking Fundamentals
1.
2.
3.
4.
5.
6.
7.
8.

What Is a VLAN?
Trunking with 802.1Q
Following the Frame, Step by Step
The Native VLAN on a Trunk
So, What Do You Want to Be? (Says the Port)
Inter-VLAN Routing
The Challenge of Using Physical Interfaces Only
Using Virtual Sub Interfaces

III. Spanning-Tree Fundamentals

1.
2.
3.
4.
5.

Loops in Networks Are Usually Bad

The Life of a Loop
The Solution to the Layer 2 Loop
STP Is Wary of New Ports
Improving the Time Until Forwarding

IV. Common Layer 2 Threats and How to Mitigate Them

1. Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too
2. Layer 2 Best Practices
1. Best practices vis-a-vis the following
a. Select an unused VLAN (other than VLAN1) and use that for the native VLAN
for all your trunks
b. Avoid using VLAN1 anywhere, because it is a default
c. Administratively configure access ports as access ports so that users cannot
negotiate a trunk and disable the negotiation of trunking (no Dynamic Trunking
Protocol [DTP])
d. Limit the number of MAC addresses learned on a given port with the port
security feature
e. Control spanning tree to stop users or unknown devices from manipulating
spanning-tree. You can do so by using the BPDU guard and root guard features
f. Turn off CDP on ports facing untrusted or unknown networks that do not require
CDP for anything positive. (CDP operates at Layer 2 and may provide attackers
information we would rather not disclose.)
g. On a new switch, shut down all ports and assign them to a VLAN that is not used
for anything else other than a parking lot. Then bring up the ports and assign
correct VLANs as the ports are allocated and needed.

3. Do Not Allow Negotiations

1. Configuring a switchport for access and nonegotiate removes the risk of an attacker
from negotiating a trunk and VLAN hopping.

4. Layer 2 Security Toolkit

1. f
Table 8-2 Tool Kit for L2 Security
Tool
Description
Port Security

Limits the number of MAC addresses to be learned on an access switch port, as

covered later in this chapter

BPDU guard

If BPDUs show up where they should not, the switch protects itself, as covered in
this chapter

Root guard

Controls which ports are not allowed to become root ports to remote root
switches

Dynamic ARP
inspection

Prevents spoofing of Layer 2 information by hosts

IP source guard

Prevents spoofing of Layer 3 information by hosts

802.1x

Authenticates users before allowing their data frames into the network

DHCP snooping

Prevents rogue DHCP servers from impacting the network

Storm control

Limits the amount of broadcast or multicast traffic flowing through the switch

Access control lists Traffic control to enforce policy. Access control is covered in another chapter
2. f

5.
6.
7.
8.

Specific Layer 2 Mitigation for CCNA Security

BPDU Guard
Root Guard
Port Security

V. Do I Know This Already? Quiz

Table 8-1 Do I Know This Already? Section-to-Question Mapping
Foundation Topics Section
Questions
VLAN and Trunking Fundamentals

1, 6-7

Spanning-Tree Fundamentals

Common Threats and How to Mitigate Them

3-5, 8-10

1. Which is the primary Layer 2 mechanism that allows multiple devices in the same
VLAN to communicate with each other even though those devices are physically
connected to different switches?
a. IP address
b. Default Gateway
c. Trunk
d. 802.1D

2. How does a switch know about parallel Layer 2 paths?

a. 802.1Q
b. BPDU
c. CDP
d. NTP
3. When implemented, which of the following helps prevent CAM table overflows?
a. 802.1w
b. BPDU guard
c. Root guard
d. Port security
4. Which of the following is not a best practice for security?
a. Leaving the native VLAN as VLAN 1
b. Shutting down all unused ports and placing them in an unused VLAN
c. Limiting the number of MAC addresses learned on a specific port
d. Disabling negotiation of switch port mode
5. What is the default number of MAC addresses allowed on a switch port that is
configured with port security?
a. 1
b. 5
c. 15
d. Depends on the switch model
6. Which two items normally have a one-to-one correlation?
a. VLANs
b. Classful IP networks
c. IP subnetworks
d. Number of switches
e. Number of routers
7. What is a typical method used by a device in one VLAN to reach another device in a
second VLAN?
a. ARP for the remote device's MAC address
b. Use a remote default gateway
c. Use a local default gateway
d. Use trunking on the PC
8. Which two configuration changes prevent users from jumping onto any VLAN they
choose to join?
a. Disabling negotiation of trunk ports
b. Use something else other than VLAN 1 as the native VLAN
c. Configuring the port connecting to the client as a trunk
d. Configuring the port connecting to the client as an access port
9. If you limit the number of MAC addresses learned on a port to five, what benefits do
you get from the port security feature? (Choose all that apply)
a. Protection for DHCP servers against starvation attacks
b. Protection against IP spoofing
c. Protection against VLAN hopping
d. Protection against MAC address spoofing
e. Protection against CAM table overflow attacks

10. Why should you implement root guard on a switch?

a. To prevent the switch from becoming the root
b. To prevent the switch from having any root ports
c. To prevent the switch from having specific root ports
d. To protect the switch against MAC address table overflows

VI. Review All the Key Topics

Table 8-3 Key Topics
Key Topic
Description
Element

Page
Number

Text

What is a VLAN? -

178

Example 8-1

Creating a new VLAN and placing switch ports into that VLAN -

179

Text

Trunking with 802.1Q -

180

Example 8-2

Configure Interfaces to be trunk ports -

180

Text

The native VLAN on a trunk -

181

Text

Inter VLAN routing -

182

Example 8-3

Configuring router on a stick and switch support for the router -

182

Example 8-5

Configuring PortFast, then Rapid Spanning Tree

188

List

Layer 2 best practices

189

Example 8-6

Administratively locking down switch ports

189

Table 8-2

Layer 2 security toolkit

190

Text

BPDU guard

191

Text

Root guard

192

Text

Port security

192

Example 8-10 Implementing port security

193

VII. Complete the Tables and Lists from Memory

Table 8-2 Tool Kit for L2 Security
Tool
Description
Port security

Limits the number of MAC addresses to be learned on an access switch

port.

BPDU guard

If BPDUs show up where they should not, the switch protects itself.

Root guard

Control which ports are not allowed to become root ports to remote
root switches.

Dynamic ARP
inspection

Prevents spoofing of Layer 2 information by hosts.

IP source guard Prevents spoofing of Layer 3 information by hosts.

802.1x

Authenticates users before allowing their data frames into the network.

DHCP snooping Prevents rogue DHCP servers from impacting the network.
Storm control

Limits the amount of broadcast or multicast traffic flowing through the

switch.

Access control
lists

Traffic control to enforce policy. Access control is covered in another chapter.

VIII.

Define Key Terms

1.
2.
3.
4.
5.
6.
7.
8.

access port trunk port inter-VLAN routing router on a stick STP root guard port security BPDU guard -

IX. Command Reference to Check Your Memory

Table 8-4 Command Reference
Command
Description
Switchport mode access

Assign a switch port as an access port

Switchport access vlan 10

Control the VLAN assignment for the device connecting to this port,
and associate that device with a single specific VLAN of 10

Show interface fa0/1

switchport

Verify the current configuration and operating status of a switch port

Switchport trunk
encapsulation dot1q

Specify the trunking encapsulation to be used, if doing trunking

Switchport mode trunk

Specify that this port should be a trunk

Switchport trunk native

vlan 3

Specify the native VLAN should be 3, if the port is acting as a trunk

port

Switchport nonegotiate

Disable negotiation between the switch and the device connected to the
device related to trunking

Spanning-tree bpduguard
enable

Protect the switch port against being connected on this port to another
device that is generating any type of BPDUs

Spanning-tree guard root

Protect this switch port against believing the root bridge is reachable
via this port

Switchport port-security

Protect the switch (on this port at least) against a MAC address table
flooding attack (CAM table overflow) and prevent a DHCP starvation
attack from being launched from the device connected to this point