1. Layer 2
Layer 2, also known as the Data Link Layer in the OSI (Open Systems Interconnection) model, is responsible for node-to-node communication over a physical network. It handles the physical addressing, access control, and error detection to ensure reliable data transfer across a local network segment (such as a LAN).
The main functions of Layer 2 include framing, addressing, error detection, and flow control. It ensures data is correctly formatted for transmission over the physical medium and regulates access to the shared medium to avoid collisions and data loss.
1.1 Key Responsibilities of Layer 2
The core responsibilities of Layer 2 can be categorized into the following functions:
1.1.1 Framing
Data from the upper layers (Layer 3 and above) is encapsulated into frames. A frame is a structured unit of data that includes the original data, along with Layer 2 headers and trailers that contain essential information like source and destination MAC addresses, error-checking mechanisms, etc.
1.1.2 Physical Addressing
Layer 2 uses MAC (Media Access Control) addresses to identify devices on the same local network. Each network interface is assigned a unique MAC address, which Layer 2 uses to deliver frames to the correct destination within the local network segment.
1.1.3 Error Detection
Layer 2 employs error-detection techniques, such as Frame Check Sequence (FCS), to ensure the integrity of the data being transmitted. FCS detects errors in transmitted frames but does not correct them; corrupted frames are discarded.
1.1.4 Flow Control
Flow control mechanisms, such as pause frames in Ethernet, ensure that the sender does not overwhelm the receiver with more data than it can process, preventing data loss due to congestion.
1.1.5 Media Access Control (MAC)
MAC is a sublayer of Layer 2 that regulates how devices on the network gain access to the shared physical medium. It helps avoid collisions by managing how multiple devices transmit data over the same medium. Common access control methods include CSMA/CD (Carrier Sense Multiple Access with Collision Detection) used in Ethernet.
1.2 Sublayers of Layer 2
Layer 2 is divided into two sublayers that have distinct roles in managing data transmission:
1.2.1 Logical Link Control (LLC) Sublayer
The LLC sublayer is responsible for establishing and maintaining logical links between devices. It provides error detection and flow control services and interacts with the upper layers of the OSI model, particularly Layer 3 (Network Layer).
1.2.2 Media Access Control (MAC) Sublayer
The MAC sublayer manages access to the physical transmission medium. It determines how devices access the network and transmit data without collisions. It is directly responsible for addressing (using MAC addresses) and framing.
1.3 Layer 2 Devices
Layer 2 devices operate primarily at the Data Link Layer, managing the transfer of frames between devices. These devices include:
- Switches: Layer 2 switches forward frames based on MAC addresses. They use MAC address tables to decide how to forward or filter frames within a LAN, making them essential for creating and managing LANs.
- Bridges: Bridges segment a network to reduce collision domains and improve performance. They also use MAC addresses to forward frames between different network segments.
1.4 Layer 2 Protocols
Several protocols operate at Layer 2, facilitating node-to-node communication and network management:
- Ethernet: The most common Layer 2 protocol, used for wired connections within LANs. Ethernet defines frame structure, MAC addressing, and methods for accessing the shared medium.
- PPP (Point-to-Point Protocol): Used to establish a direct connection between two nodes, typically over serial links.
- HDLC (High-Level Data Link Control): A Layer 2 protocol used for synchronous data transmission over point-to-point links.
- Spanning Tree Protocol (STP): A Layer 2 protocol that prevents loops in networks with redundant paths by creating a loop-free logical topology.
1.5 Layer 2 Addressing: MAC Addresses
MAC addresses are 48-bit unique identifiers assigned to network interfaces. They consist of two parts:
- Organizationally Unique Identifier (OUI): The first 24 bits, identifying the manufacturer.
- Device Identifier: The last 24 bits, uniquely identifying the device within the manufacturer’s product range.
MAC addresses are used to ensure that frames are delivered to the correct device on the local network.
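As an added illustration (not part of the original notes), the following Python builds an Ethernet II frame with its FCS, shows the receiver discarding a frame in which one bit has flipped (error detected, not corrected, as in 1.1.3), and splits a MAC address into the OUI and device identifier fields described in 1.5. It assumes that the Ethernet CRC-32 matches `zlib.crc32` with the trailer sent least significant byte first; all MAC values and the payload are constructed.

```python
import zlib

def _mac_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the 6 raw octets."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is exactly 48 bits (6 octets)")
    return octets

def parse_mac(mac: str) -> dict:
    """Split a MAC into the 24-bit OUI and 24-bit device identifier, plus the
    two flag bits IEEE 802 places in the first octet."""
    octets = _mac_bytes(mac)
    return {
        "oui": octets[:3].hex(":"),
        "device_id": octets[3:].hex(":"),
        "multicast": bool(octets[0] & 0x01),             # I/G bit: group address
        "locally_administered": bool(octets[0] & 0x02),  # U/L bit: not vendor-assigned
    }

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II framing: destination MAC, source MAC, EtherType, payload padded
    to the 46-byte minimum, then the FCS (CRC-32, least significant byte first)."""
    body = _mac_bytes(dst) + _mac_bytes(src) + ethertype.to_bytes(2, "big")
    body += payload.ljust(46, b"\x00")
    return body + zlib.crc32(body).to_bytes(4, "little")

def receive_frame(frame: bytes):
    """Receiver side: recompute the CRC over everything before the trailer. On a
    mismatch the frame is discarded (None): the error is detected, not corrected."""
    body, fcs = frame[:-4], frame[-4:]
    if zlib.crc32(body).to_bytes(4, "little") != fcs:
        return None
    return {"dst": body[:6].hex(":"), "src": body[6:12].hex(":"),
            "ethertype": int.from_bytes(body[12:14], "big"), "payload": body[14:]}

def corrupt(frame: bytes, byte_index: int) -> bytes:
    """Flip one bit at the given offset to simulate a transmission error."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 0x01
    return bytes(damaged)

if __name__ == "__main__":
    # Constructed sample: a broadcast frame carrying EtherType 0x0806 (ARP)
    # from a made-up, locally administered source MAC.
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:5e:10:00:01", 0x0806, b"arp-payload")
    print(parse_mac("02:00:5e:10:00:01"))
    print("intact frame accepted:", receive_frame(frame) is not None)
    print("damaged frame accepted:", receive_frame(corrupt(frame, 20)) is not None)
```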
1.6 Layer 2 Security
Layer 2 introduces several vulnerabilities, such as MAC flooding, ARP spoofing, and VLAN hopping. To mitigate these risks, the following security features are implemented:
- Port Security: Limits the number of MAC addresses learned on a switch port.
- DHCP Snooping: Prevents unauthorized DHCP servers from assigning IP addresses.
- Dynamic ARP Inspection (DAI): Protects against ARP spoofing by validating ARP packets against a trusted database.
- Storm Control: Protects the network from broadcast storms by limiting broadcast, multicast, and unknown unicast traffic.
2. Layer 2 Security Features
Layer 2 security is essential to protect against various threats that exploit vulnerabilities in the Data Link Layer. While we have already discussed features like DHCP Snooping, Dynamic ARP Inspection (DAI), and Port Security, there are additional Layer 2 security features that play a vital role in securing the network.
2.1 Private VLANs (PVLANs)
Private VLANs (PVLANs) are an extension of traditional VLANs, designed to provide isolation between devices at Layer 2 within the same VLAN. PVLANs are useful in environments where devices need to communicate with a common resource (like a router) but must remain isolated from one another for security reasons, such as in hosting environments.
2.1.1 Types of Private VLANs
- Primary VLAN: The main VLAN where traffic is directed.
- Community VLAN: Devices within a community VLAN can communicate with each other but are isolated from devices in other VLANs.
- Isolated VLAN: Devices in an isolated VLAN can only communicate with the gateway and not with each other or other devices.
# Configure a Private VLAN
Switch(config)# vlan [primary-vlan-id]
Switch(config-vlan)# private-vlan primary
Switch(config)# vlan [isolated-vlan-id]
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan [community-vlan-id]
Switch(config-vlan)# private-vlan community
# Associate the isolated and community VLANs with the primary VLAN (entered under the primary VLAN, as a comma-separated list)
Switch(config)# vlan [primary-vlan-id]
Switch(config-vlan)# private-vlan association [isolated-vlan-id],[community-vlan-id]
2.2 Storm Control
Storm Control protects against broadcast, multicast, or unknown unicast traffic storms that can overwhelm network resources. Traffic storms can occur when an excessive amount of broadcast or multicast traffic is generated, often due to misconfigurations or attacks, leading to network congestion.
Storm Control limits the rate at which broadcast, multicast, or unknown unicast packets are allowed on the network, ensuring that the traffic does not exceed a predefined threshold.
# Configure Storm Control
Switch(config-if)# storm-control broadcast level [level]
Switch(config-if)# storm-control multicast level [level]
Switch(config-if)# storm-control unicast level [level]
2.3 BPDU Guard
BPDU Guard is a Layer 2 security feature that protects against Spanning Tree Protocol (STP) attacks. STP is responsible for preventing Layer 2 loops, but an attacker could potentially inject Bridge Protocol Data Units (BPDUs) to manipulate the spanning-tree topology.
BPDU Guard is applied to ports that should never receive BPDUs, typically access ports. If a BPDU is received on a port with BPDU Guard enabled, the port is immediately placed into an error-disabled (shut down) state, protecting the network from STP manipulation.
# Enable BPDU Guard globally
Switch(config)# spanning-tree portfast bpduguard default
# Enable BPDU Guard on an interface
Switch(config-if)# spanning-tree bpduguard enable
2.4 Root Guard
Root Guard prevents unauthorized switches from becoming the root bridge in a spanning tree topology. In STP, the root bridge is a key switch that controls the topology of the network. If a rogue device sends superior BPDUs (claiming it should be the root), it could disrupt the network’s topology.
Root Guard is applied to switch ports that should never become root bridge candidates. If a superior BPDU is received on a Root Guard-enabled port, the port is placed into a “root-inconsistent” state, effectively preventing it from influencing the root election process.
# Enable Root Guard on an interface
Switch(config-if)# spanning-tree guard root
2.5 IP Source Guard
IP Source Guard is a Layer 2 security feature that prevents IP address spoofing by filtering traffic based on IP-to-MAC address bindings. It works in conjunction with DHCP Snooping and the DHCP binding table to validate that packets are coming from legitimate sources.
IP Source Guard can be configured to drop traffic that does not match the known IP-MAC binding, protecting the network from malicious users who attempt to spoof their IP address to gain unauthorized access.
# Enable IP Source Guard on an interface
Switch(config-if)# ip verify source
2.6 VLAN Access Control Lists (VACLs)
VLAN Access Control Lists (VACLs) provide Layer 2 filtering within a VLAN. VACLs allow administrators to define specific policies that filter or permit traffic based on Layer 2 and Layer 3 parameters such as MAC addresses, IP addresses, or protocol types.
Unlike router ACLs, which are applied to routed interfaces and only see traffic crossing a Layer 3 boundary, VACLs are applied to the VLAN itself and also filter traffic bridged between hosts within that VLAN, giving tighter control over what is allowed to pass inside specific VLANs.
# Define a VACL
Switch(config)# access-list 100 permit ip any any
Switch(config)# vlan access-map MyVACL 10
Switch(config-access-map)# match ip address 100
Switch(config-access-map)# action forward
# Apply the VACL to a VLAN
Switch(config)# vlan filter MyVACL vlan-list [vlan-id]
3. DHCP Snooping
DHCP Snooping is a security feature in Layer 2 networks that prevents unauthorized or rogue DHCP servers from providing IP addresses to clients. This feature ensures that only DHCP offers from trusted sources are accepted, protecting the network from various attacks such as IP address spoofing and DHCP starvation attacks.
3.1 Why DHCP Snooping is Needed
Without DHCP Snooping, a rogue DHCP server could assign incorrect IP addresses or network configurations to clients, leading to network disruptions or facilitating malicious attacks. DHCP Snooping mitigates these risks by filtering DHCP messages based on the trust level of the ports.
- Prevent IP spoofing: Ensures devices receive IP addresses only from legitimate DHCP servers.
- Block rogue servers: Stops unauthorized DHCP servers from assigning IP addresses.
- Mitigate DHCP starvation: Protects the DHCP pool from being exhausted by malicious devices.
3.2 How DHCP Snooping Works
DHCP Snooping works by classifying switch ports into two categories:
- Trusted ports: Ports connected to legitimate DHCP servers, allowed to send DHCP messages.
- Untrusted ports: Ports connected to client devices or unauthorized DHCP servers, restricted from sending DHCP offers.
When DHCP Snooping is enabled, the switch inspects DHCP traffic and permits or denies messages based on port trust levels. It also builds a binding table, which maps IP addresses to MAC addresses and VLANs, enabling further protection mechanisms like Dynamic ARP Inspection (DAI).
3.3 Configuring DHCP Snooping
The configuration involves defining trusted and untrusted ports, enabling DHCP snooping on the relevant VLANs, and setting rate limits to prevent DHCP starvation attacks.
# Enable DHCP Snooping globally
Switch(config)# ip dhcp snooping
# Enable DHCP Snooping on a specific VLAN
Switch(config)# ip dhcp snooping vlan [vlan-id]
# Mark a port as trusted (where the DHCP server is connected)
Switch(config-if)# ip dhcp snooping trust
# Set a rate limit for DHCP traffic on an untrusted port
Switch(config-if)# ip dhcp snooping limit rate [rate]
3.4 Verifying DHCP Snooping
After configuring DHCP Snooping, verify its status and functionality using the following commands:
# Verify DHCP Snooping status
Switch# show ip dhcp snooping
# Verify the trusted port configuration
Switch# show ip dhcp snooping interface [interface-id]
# Check the DHCP Snooping binding table
Switch# show ip dhcp snooping binding
The verification commands will display the active DHCP snooping configuration, including trusted interfaces and the DHCP binding table, which contains valid IP-to-MAC address bindings.
4. Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI) is a security feature that prevents ARP spoofing attacks in Layer 2 networks. ARP spoofing, also known as ARP poisoning, occurs when an attacker sends fake ARP messages to associate their MAC address with the IP address of a legitimate device, allowing them to intercept or disrupt traffic.
DAI validates ARP packets in the network and ensures that only legitimate ARP requests and responses are relayed. It does this by verifying that each ARP packet matches the known bindings in the DHCP snooping database or a static ARP list.
4.1 Why DAI is Necessary
Without DAI, an attacker can manipulate ARP tables, which can lead to several attacks, such as:
- Man-in-the-Middle (MitM) attacks: The attacker intercepts traffic between two legitimate devices.
- Denial of Service (DoS) attacks: The attacker disrupts communication by sending incorrect ARP messages, leading to traffic loss.
DAI prevents these attacks by validating ARP traffic and ensuring that devices are communicating with legitimate peers.
4.2 How Dynamic ARP Inspection Works
DAI works by inspecting incoming ARP packets on untrusted ports and validating them against a trusted source. It primarily relies on the DHCP snooping binding table, which contains valid IP-to-MAC bindings. If the ARP packet matches the information in the binding table, it is forwarded; otherwise, it is dropped.
Ports can be classified as:
- Trusted ports: Typically connected to trusted devices, such as servers or DHCP servers. ARP traffic is not inspected on trusted ports.
- Untrusted ports: Connected to client devices or potentially malicious devices. ARP traffic is inspected, and only valid packets are forwarded.
4.3 Configuring Dynamic ARP Inspection
DAI is configured by enabling it globally and on specific VLANs. Trusted and untrusted ports must be defined, and rate limits can be set to prevent DoS attacks.
# Enable DAI for the listed VLAN(s) (entered in global configuration mode; DAI is enabled per VLAN)
Switch(config)# ip arp inspection vlan [vlan-id]
# Configure a trusted port (where ARP traffic is not inspected)
Switch(config-if)# ip arp inspection trust
# Set a rate limit for ARP traffic on untrusted ports
Switch(config-if)# ip arp inspection limit rate [rate]
DAI will now inspect ARP traffic on untrusted ports within the specified VLANs and validate it against the DHCP snooping database or any manually configured ARP lists.
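An added simulation, not from the original notes, of the port-trust logic from 3.2 and the binding-table validation from 4.2: DHCP server messages arriving on untrusted ports are dropped, ACKs seen on trusted ports fill the binding table, and DAI checks the sender IP/MAC pair of each ARP packet on untrusted ports against that table. The port names, VLAN 10, and all MAC and IP values are constructed.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # DHCP messages that only a server sends

@dataclass
class SnoopingSwitch:
    """Constructed model of one switch running DHCP Snooping and DAI.
    trusted:  ports whose DHCP server messages and ARP are accepted uninspected.
    bindings: the snooping binding table, (vlan, ip) -> client MAC."""
    trusted: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg, client_mac, ip=None) -> bool:
        """DHCP Snooping: a server message on an untrusted port means a rogue
        server and is dropped; an ACK on a trusted port records the binding."""
        if msg in SERVER_MESSAGES and port not in self.trusted:
            self.dropped.append((port, f"rogue DHCP {msg}"))
            return False
        if msg == "ACK":
            self.bindings[(vlan, ip)] = client_mac
        return True

    def arp(self, port, vlan, sender_ip, sender_mac) -> bool:
        """DAI: ARP on trusted ports is not inspected; on untrusted ports the
        sender IP/MAC pair must match the binding table or the packet is dropped."""
        if port in self.trusted:
            return True
        if self.bindings.get((vlan, sender_ip)) != sender_mac:
            self.dropped.append((port, f"ARP binding mismatch {sender_ip}/{sender_mac}"))
            return False
        return True

def run_scenario() -> dict:
    """Constructed scenario: DHCP server and gateway behind trusted uplink Gi1/0/24,
    two clients on untrusted access ports Gi1/0/1 and Gi1/0/2."""
    sw = SnoopingSwitch(trusted={"Gi1/0/24"})
    # Normal leases: clients ask on their access ports, the server answers on the uplink.
    sw.dhcp("Gi1/0/1", 10, "DISCOVER", "02:00:00:00:00:0a")
    sw.dhcp("Gi1/0/24", 10, "ACK", "02:00:00:00:00:0a", ip="10.0.10.20")
    sw.dhcp("Gi1/0/24", 10, "ACK", "02:00:00:00:00:0b", ip="10.0.10.21")
    return {
        "switch": sw,
        # A DHCP server message arriving from an access port: rogue server, dropped.
        "rogue_offer": sw.dhcp("Gi1/0/2", 10, "OFFER", "02:00:00:00:00:0a", ip="10.0.10.99"),
        # Client A announces its own lease: matches its binding, forwarded.
        "honest_arp": sw.arp("Gi1/0/1", 10, "10.0.10.20", "02:00:00:00:00:0a"),
        # Client B's port carries an ARP tying the gateway IP to B's MAC: no binding, dropped.
        "spoofed_arp": sw.arp("Gi1/0/2", 10, "10.0.10.1", "02:00:00:00:00:0b"),
        # The real gateway answers on the trusted uplink, so its ARP is not inspected.
        "gateway_arp": sw.arp("Gi1/0/24", 10, "10.0.10.1", "02:00:00:00:00:01"),
    }
```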
4.4 Verifying Dynamic ARP Inspection
To verify that DAI is functioning correctly, use the following commands:
# Verify DAI status and configuration
Switch# show ip arp inspection
# Check the statistics of inspected ARP packets
Switch# show ip arp inspection statistics
# Verify the trusted and untrusted port configuration
Switch# show ip arp inspection interfaces [interface-id]
The verification commands allow you to check the DAI configuration, packet inspection statistics, and trusted interface status to ensure that DAI is effectively preventing ARP-based attacks.
5. Port Security
Port Security is a Layer 2 security feature used to restrict access to a switch port based on the MAC addresses of the devices connected to it. This helps prevent unauthorized devices from accessing the network, protecting against MAC flooding attacks and ensuring that only trusted devices can connect to specific ports.
5.1 Why Port Security is Necessary
Port security is essential to prevent several types of network attacks and misconfigurations:
- MAC flooding attacks: Attackers can flood a switch with random MAC addresses, forcing it to broadcast traffic to all ports. Port security mitigates this by limiting the number of MAC addresses that can be learned on a port.
- Unauthorized access: Ensures that only predefined or dynamically learned trusted devices can connect to specific ports.
- Network misuse: Prevents users from connecting multiple devices through a single port without authorization.
5.2 How Port Security Works
Port Security allows administrators to control which devices are allowed on a switch port by specifying a maximum number of MAC addresses that can be learned on the port. If an unknown or unauthorized MAC address is detected, the port can be configured to take one of the following actions:
- Protect: Discards traffic from unauthorized MAC addresses but does not disable the port.
- Restrict: Discards traffic from unauthorized MAC addresses and logs the violation but does not disable the port.
- Shutdown: The port is disabled entirely if an unauthorized MAC address is detected.
Additionally, MAC addresses can be learned dynamically or configured statically. Dynamic learning allows the port to automatically remember the first few devices connected, while static learning requires manual configuration of the allowed MAC addresses.
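To show the three violation modes and sticky learning from 5.2 in action, here is an added Python model (not from the original notes) of one secure port put under a flood of distinct source MACs, the traffic pattern of the MAC flooding attack named in 5.1. The port behaviour follows the descriptions above; the MAC values and frame counts are constructed.

```python
class SecurePort:
    """Constructed model of one access port with port security enabled.
    maximum / violation / static / sticky mirror the switchport port-security
    options shown in the configuration section."""

    def __init__(self, maximum=1, violation="shutdown", static=(), sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = set(static)            # secure MACs: static plus dynamically learned
        self.running_config = set(static)    # sticky learning also writes learned MACs here
        self.violations = 0
        self.err_disabled = False
        self.log = []

    def ingress(self, src_mac: str) -> bool:
        """Process one frame arriving on the port; True = forwarded, False = dropped."""
        if self.err_disabled:
            return False                      # a shut-down port forwards nothing
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)          # dynamic learning while below the maximum
            if self.sticky:
                self.running_config.add(src_mac)
            return True
        # Maximum reached and the source MAC is not a secure one: a violation.
        if self.violation == "protect":
            return False                      # silently dropped, nothing logged
        self.violations += 1
        self.log.append(f"violation: unexpected source {src_mac}")  # constructed log text
        if self.violation == "shutdown":
            self.err_disabled = True          # port goes to err-disabled
        return False

def flood_port(port: SecurePort, count: int = 1000) -> dict:
    """Send frames from `count` distinct made-up source MACs through the port
    and report how much of the flood port security let through."""
    forwarded = 0
    for i in range(count):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"   # constructed, locally administered
        forwarded += port.ingress(mac)
    return {"forwarded": forwarded, "learned": len(port.secure),
            "violations": port.violations, "err_disabled": port.err_disabled}

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, flood_port(SecurePort(maximum=2, violation=mode)))
```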
5.3 Configuring Port Security
To configure Port Security, the administrator defines the maximum number of allowed MAC addresses, sets the violation mode, and optionally configures specific MAC addresses to be allowed on the port.
# Enable port security on an interface
Switch(config-if)# switchport port-security
# Set the maximum number of MAC addresses allowed on the port
Switch(config-if)# switchport port-security maximum [number]
# Define the violation mode (protect, restrict, or shutdown)
Switch(config-if)# switchport port-security violation [protect | restrict | shutdown]
# Optionally, configure a static MAC address
Switch(config-if)# switchport port-security mac-address [mac-address]
# Learn MAC addresses dynamically and keep them as sticky secure addresses in the running configuration
Switch(config-if)# switchport port-security mac-address sticky
5.4 Verifying Port Security
After configuring port security, use the following commands to verify its status and monitor for any violations:
# Verify port security status
Switch# show port-security
# Check port security details for a specific interface
Switch# show port-security interface [interface-id]
# List the secure MAC addresses (static, dynamic and sticky) on each port; violation counts appear in the two commands above
Switch# show port-security address
The verification commands help administrators confirm that port security is working correctly and monitor for unauthorized access attempts or violations.