Layer 2 Security Features - CSU359 - Shoolini University

Layer 2 Security Features

1. Layer 2

Layer 2, also known as the Data Link Layer in the OSI (Open Systems Interconnection) model, is responsible for node-to-node communication over a physical network. It handles the physical addressing, access control, and error detection to ensure reliable data transfer across a local network segment (such as a LAN).

The main functions of Layer 2 include framing, addressing, error detection, and flow control. It ensures data is correctly formatted for transmission over the physical medium and regulates access to the shared medium to avoid collisions and data loss.

1.1 Key Responsibilities of Layer 2

The core responsibilities of Layer 2 can be categorized into the following functions:

1.1.1 Framing

Data from the upper layers (Layer 3 and above) is encapsulated into frames. A frame is a structured unit of data that includes the original data, along with Layer 2 headers and trailers that contain essential information like source and destination MAC addresses, error-checking mechanisms, etc.

1.1.2 Physical Addressing

Layer 2 uses MAC (Media Access Control) addresses to identify devices on the same local network. Each network interface is assigned a unique MAC address, which Layer 2 uses to forward frames to the correct destination within the local network segment (switching, as opposed to routing, which is a Layer 3 function).

1.1.3 Error Detection

Layer 2 employs error-detection techniques, such as Frame Check Sequence (FCS), to ensure the integrity of the data being transmitted. FCS detects errors in transmitted frames but does not correct them; corrupted frames are discarded.

1.1.4 Flow Control

Flow control mechanisms, such as pause frames in Ethernet, ensure that the sender does not overwhelm the receiver with more data than it can process, preventing data loss due to congestion.

1.1.5 Media Access Control (MAC)

MAC is a sublayer of Layer 2 that regulates how devices on the network gain access to the shared physical medium. It helps avoid collisions by managing how multiple devices transmit data over the same medium. Common access control methods include CSMA/CD (Carrier Sense Multiple Access with Collision Detection) used in Ethernet.

1.2 Sublayers of Layer 2

Layer 2 is divided into two sublayers that have distinct roles in managing data transmission:

1.2.1 Logical Link Control (LLC) Sublayer

The LLC sublayer is responsible for establishing and maintaining logical links between devices. It provides error detection and flow control services and interacts with the upper layers of the OSI model, particularly Layer 3 (Network Layer).

1.2.2 Media Access Control (MAC) Sublayer

The MAC sublayer manages access to the physical transmission medium. It determines how devices access the network and transmit data without collisions. It is directly responsible for addressing (using MAC addresses) and framing.

1.3 Layer 2 Devices

Layer 2 devices operate primarily at the Data Link Layer, managing the transfer of frames between devices. These devices include:

1.4 Layer 2 Protocols

Several protocols operate at Layer 2, facilitating node-to-node communication and network management:

1.5 Layer 2 Addressing: MAC Addresses

MAC addresses are 48-bit unique identifiers assigned to network interfaces. They consist of two parts: the upper 24 bits form the Organizationally Unique Identifier (OUI), assigned to the manufacturer, and the lower 24 bits are assigned by that manufacturer to identify the individual interface. Two bits of the first byte also carry meaning: the I/G bit marks group (multicast or broadcast) addresses and the U/L bit marks locally administered addresses.

MAC addresses are used to ensure that frames are delivered to the correct device on the local network.
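The framing, addressing and FCS behaviour described in sections 1.1 and 1.5, as an added example that is not part of the course notes: it builds an Ethernet II frame with constructed addresses, splits each MAC into its OUI, interface part and flag bits, and shows that a single flipped bit makes the FCS check fail so the frame would be discarded.

```python
import struct
import zlib

# Constructed sample addresses (not from the course notes). The source address is
# locally administered (U/L bit set), so no real vendor OUI is implied.
SAMPLE_SRC = bytes.fromhex("02005e0a0b0c")
SAMPLE_DST = b"\xff" * 6          # broadcast address
ETHERTYPE_ARP = 0x0806

def mac_fields(mac: bytes) -> dict:
    """Split a 48-bit MAC address into the parts Layer 2 interprets."""
    return {
        "oui": mac[:3].hex(":"),            # upper 24 bits: Organizationally Unique Identifier
        "nic": mac[3:].hex(":"),            # lower 24 bits: interface-specific part
        "multicast": bool(mac[0] & 0x01),   # I/G bit: 1 = group (multicast/broadcast) address
        "local": bool(mac[0] & 0x02),       # U/L bit: 1 = locally administered
        "broadcast": mac == b"\xff" * 6,
    }

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Encapsulate a payload in an Ethernet II frame: header, payload padded to the
    46-byte minimum, then the FCS (CRC-32 over everything before it, little-endian)."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body))

def parse_frame(frame: bytes) -> dict:
    """Decode a frame; fcs_ok=False is the case Layer 2 handles by discarding it."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return {
        "dst": mac_fields(body[0:6]),
        "src": mac_fields(body[6:12]),
        "ethertype": struct.unpack("!H", body[12:14])[0],
        "payload": body[14:],
        "fcs_ok": zlib.crc32(body) == fcs,   # recompute and compare, as the receiver does
    }

def flip_bit(frame: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a single-bit error on the wire."""
    data = bytearray(frame)
    data[byte_index] ^= 1 << bit
    return bytes(data)

if __name__ == "__main__":
    frame = build_frame(SAMPLE_DST, SAMPLE_SRC, ETHERTYPE_ARP, b"constructed payload")
    print(parse_frame(frame)["src"])
    print("fcs_ok after one flipped bit:", parse_frame(flip_bit(frame, 20, 3))["fcs_ok"])
```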

1.6 Layer 2 Security

Layer 2 introduces several vulnerabilities, such as MAC flooding, ARP spoofing, and VLAN hopping. The security features described in the following sections are implemented to mitigate these risks.

2. Layer 2 Security Features

Layer 2 security is essential to protect against various threats that exploit vulnerabilities in the Data Link Layer. While we have already discussed features like DHCP Snooping, Dynamic ARP Inspection (DAI), and Port Security, there are additional Layer 2 security features that play a vital role in securing the network.

2.1 Private VLANs (PVLANs)

Private VLANs (PVLANs) are an extension of traditional VLANs, designed to provide isolation between devices at Layer 2 within the same VLAN. PVLANs are useful in environments where devices need to communicate with a common resource (like a router) but must remain isolated from one another for security reasons, such as in hosting environments.

2.1.1 Types of Private VLANs

A PVLAN consists of one primary VLAN and one or more secondary VLANs of two types. The primary VLAN carries traffic from promiscuous ports (typically the router or shared gateway) to every host. An isolated secondary VLAN prevents its hosts from communicating with each other; they can reach only promiscuous ports. A community secondary VLAN lets hosts in the same community communicate with each other and with promiscuous ports, but not with other communities or with isolated hosts.

# Configure a Private VLAN
Switch(config)# vlan [primary-vlan-id]
Switch(config-vlan)# private-vlan primary

Switch(config)# vlan [isolated-vlan-id]
Switch(config-vlan)# private-vlan isolated

Switch(config)# vlan [community-vlan-id]
Switch(config-vlan)# private-vlan community

# Associate the secondary VLANs with the primary VLAN
# (entered under the primary VLAN, not under the secondary VLAN configured last)
Switch(config)# vlan [primary-vlan-id]
Switch(config-vlan)# private-vlan association [isolated-vlan-id],[community-vlan-id]
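The isolation rules of the three PVLAN types, as an added example that is not part of the course notes: the port roles and interface names are constructed, and the function answers whether a frame from one host port may reach another under PVLAN rules.

```python
# Added example (not from the course notes): which host ports in a Private VLAN
# can exchange frames. Port roles and interface names below are constructed.
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

# Constructed topology: the gateway sits on a promiscuous port of the primary VLAN,
# customer A has two hosts in one community VLAN, customer B one host in another,
# and two hosts sit in the isolated VLAN.
PORTS = {
    "Gi1/0/1": (PROMISCUOUS, None),       # router / shared gateway
    "Gi1/0/2": (COMMUNITY, "cust-a"),     # community VLAN for customer A
    "Gi1/0/3": (COMMUNITY, "cust-a"),
    "Gi1/0/4": (COMMUNITY, "cust-b"),     # a different community
    "Gi1/0/5": (ISOLATED, None),          # isolated VLAN: hosts see only the gateway
    "Gi1/0/6": (ISOLATED, None),
}

def pvlan_allows(src_port: str, dst_port: str, ports=PORTS) -> bool:
    """Return True if the PVLAN lets a frame from src_port reach dst_port."""
    src_role, src_comm = ports[src_port]
    dst_role, dst_comm = ports[dst_port]
    if src_port == dst_port:
        return True
    # Promiscuous ports (the primary VLAN) talk to every secondary VLAN.
    if PROMISCUOUS in (src_role, dst_role):
        return True
    # Community hosts talk among themselves only within the same community.
    if src_role == COMMUNITY and dst_role == COMMUNITY and src_comm == dst_comm:
        return True
    # Isolated hosts never reach each other, and communities never cross.
    return False

def reachability(ports=PORTS) -> dict:
    """For each port, the set of other ports it can send frames to."""
    return {p: {q for q in ports if q != p and pvlan_allows(p, q, ports)} for p in ports}

if __name__ == "__main__":
    for port, peers in reachability().items():
        print(f"{port}: {sorted(peers) or '-'}")
```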

2.2 Storm Control

Storm Control protects against broadcast, multicast, or unknown unicast traffic storms that can overwhelm network resources. Traffic storms can occur when an excessive amount of broadcast or multicast traffic is generated, often due to misconfigurations or attacks, leading to network congestion.

Storm Control limits the rate at which broadcast, multicast, or unknown unicast packets are allowed on the network, ensuring that the traffic does not exceed a predefined threshold.


# Configure Storm Control ([level] is the percentage of interface bandwidth
# above which that traffic type is suppressed)
Switch(config-if)# storm-control broadcast level [level]
Switch(config-if)# storm-control multicast level [level]
Switch(config-if)# storm-control unicast level [level]

2.3 BPDU Guard

BPDU Guard is a Layer 2 security feature that protects against Spanning Tree Protocol (STP) attacks. STP is responsible for preventing Layer 2 loops, but an attacker could potentially inject Bridge Protocol Data Units (BPDUs) to manipulate the spanning-tree topology.

BPDU Guard is applied to ports that should never receive BPDUs, typically access ports. If a BPDU is received on a port with BPDU Guard enabled, the port is immediately placed into an error-disabled (shut down) state, protecting the network from STP manipulation.


# Enable BPDU Guard globally on every PortFast-enabled (access) port
Switch(config)# spanning-tree portfast bpduguard default

# Enable BPDU Guard on a single interface, regardless of PortFast
Switch(config-if)# spanning-tree bpduguard enable

2.4 Root Guard

Root Guard prevents unauthorized switches from becoming the root bridge in a spanning tree topology. In STP, the root bridge is a key switch that controls the topology of the network. If a rogue device sends superior BPDUs (claiming it should be the root), it could disrupt the network’s topology.

Root Guard is applied to switch ports that should never become root bridge candidates. If a superior BPDU is received on a Root Guard-enabled port, the port is placed into a “root-inconsistent” state, effectively preventing it from influencing the root election process.


# Enable Root Guard on an interface
Switch(config-if)# spanning-tree guard root

2.5 IP Source Guard

IP Source Guard is a Layer 2 security feature that prevents IP address spoofing by filtering traffic based on IP-to-MAC address bindings. It works in conjunction with DHCP Snooping and the DHCP binding table to validate that packets are coming from legitimate sources.

IP Source Guard can be configured to drop traffic that does not match the known IP-MAC binding, protecting the network from malicious users who attempt to spoof their IP address to gain unauthorized access.


# Enable IP Source Guard on an interface (DHCP Snooping must already be enabled
# on the VLAN so that the binding table exists)
Switch(config-if)# ip verify source

2.6 VLAN Access Control Lists (VACLs)

VLAN Access Control Lists (VACLs) provide Layer 2 filtering within a VLAN. VACLs allow administrators to define specific policies that filter or permit traffic based on Layer 2 and Layer 3 parameters such as MAC addresses, IP addresses, or protocol types.

Unlike router ACLs, which apply only to traffic routed between networks, VACLs are applied to all traffic within a VLAN, including frames switched between two hosts in the same VLAN that never reach a router. This allows tighter control over what traffic is allowed to pass within specific VLANs.


# Define a VACL (this map forwards all IP traffic; traffic that matches no
# clause is dropped by the implicit deny at the end of the map)
Switch(config)# access-list 100 permit ip any any
Switch(config)# vlan access-map MyVACL 10
Switch(config-access-map)# match ip address 100
Switch(config-access-map)# action forward

# Apply the VACL to one or more VLANs
Switch(config)# vlan filter MyVACL vlan-list [vlan-id]

3. DHCP Snooping

DHCP Snooping is a security feature in Layer 2 networks that prevents unauthorized or rogue DHCP servers from providing IP addresses to clients. This feature ensures that only DHCP offers from trusted sources are accepted, protecting the network from various attacks such as IP address spoofing and DHCP starvation attacks.

3.1 Why DHCP Snooping is Needed

Without DHCP Snooping, a rogue DHCP server could assign incorrect IP addresses or network configurations to clients, leading to network disruptions or facilitating malicious attacks. DHCP Snooping mitigates these risks by filtering DHCP messages based on the trust level of the ports.

3.2 How DHCP Snooping Works

DHCP Snooping works by classifying switch ports into two categories: trusted ports, which connect to legitimate DHCP servers or uplinks and on which DHCP server messages are accepted, and untrusted ports, which connect to clients and on which DHCP server messages (OFFER, ACK, NAK) are dropped.

When DHCP Snooping is enabled, the switch inspects DHCP traffic and permits or denies messages based on port trust levels. It also builds a binding table, which maps IP addresses to MAC addresses and VLANs, enabling further protection mechanisms like Dynamic ARP Inspection (DAI).

3.3 Configuring DHCP Snooping

The configuration involves defining trusted and untrusted ports, enabling DHCP snooping on the relevant VLANs, and setting rate limits to prevent DHCP starvation attacks.


# Enable DHCP Snooping globally
Switch(config)# ip dhcp snooping

# Enable DHCP Snooping on a specific VLAN
Switch(config)# ip dhcp snooping vlan [vlan-id]

# Mark a port as trusted (where the DHCP server is connected)
Switch(config-if)# ip dhcp snooping trust

# Set a rate limit for DHCP traffic on an untrusted port
Switch(config-if)# ip dhcp snooping limit rate [rate]

3.4 Verifying DHCP Snooping

After configuring DHCP Snooping, verify its status and functionality using the following commands:


# Verify DHCP Snooping status
Switch# show ip dhcp snooping

# Verify the trusted port configuration
Switch# show ip dhcp snooping interface [interface-id]

# Check the DHCP Snooping binding table
Switch# show ip dhcp snooping binding

The verification commands will display the active DHCP snooping configuration, including trusted interfaces and the DHCP binding table, which contains valid IP-to-MAC address bindings.

4. Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection (DAI) is a security feature that prevents ARP spoofing attacks in Layer 2 networks. ARP spoofing, also known as ARP poisoning, occurs when an attacker sends fake ARP messages to associate their MAC address with the IP address of a legitimate device, allowing them to intercept or disrupt traffic.

DAI validates ARP packets in the network and ensures that only legitimate ARP requests and responses are relayed. It does this by verifying that each ARP packet matches the known bindings in the DHCP snooping database or a static ARP list.

4.1 Why DAI is Necessary

Without DAI, an attacker can manipulate ARP tables, which can lead to several attacks, such as:

DAI prevents these attacks by validating ARP traffic and ensuring that devices are communicating with legitimate peers.

4.2 How Dynamic ARP Inspection Works

DAI works by inspecting incoming ARP packets on untrusted ports and validating them against a trusted source. It primarily relies on the DHCP snooping binding table, which contains valid IP-to-MAC bindings. If the ARP packet matches the information in the binding table, it is forwarded; otherwise, it is dropped.

Ports can be classified as trusted (ARP packets are forwarded without inspection, typically uplinks to other switches) or untrusted (ARP packets are validated against the binding table, typically host-facing access ports).

4.3 Configuring Dynamic ARP Inspection

DAI is configured by enabling it globally and on specific VLANs. Trusted and untrusted ports must be defined, and rate limits can be set to prevent DoS attacks.


# Enable DAI on the VLANs to be protected (DAI is enabled per VLAN)
Switch(config)# ip arp inspection vlan [vlan-id]

# Configure a trusted port (where ARP traffic is not inspected)
Switch(config-if)# ip arp inspection trust

# Set a rate limit for ARP traffic on untrusted ports (exceeding it err-disables the port)
Switch(config-if)# ip arp inspection limit rate [rate]

DAI will now inspect ARP traffic on untrusted ports within the specified VLANs and validate it against the DHCP snooping database or any manually configured ARP lists.
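The validation logic of DHCP Snooping (section 3.2), DAI (section 4.2) and IP Source Guard (section 2.5), as an added example that is not part of the course notes: one simplified switch model with a binding table, where the port names, VLAN, addresses and the idea of passing the client's port along with the server reply are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding-table entry: ip -> mac on a vlan and port."""
    ip: str
    mac: str
    vlan: int
    port: str

class SnoopingSwitch:
    """Simplified model of DHCP Snooping, DAI and IP Source Guard on one switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks and DHCP server ports
        self.bindings = {}                  # (vlan, ip) -> Binding

    def dhcp_server_reply(self, server_port, vlan, client_port, ip, mac) -> bool:
        """A DHCP OFFER/ACK is accepted only from a trusted port; an accepted lease
        populates the binding table against the client's port."""
        if server_port not in self.trusted:
            return False                    # rogue DHCP server on an untrusted port: dropped
        self.bindings[(vlan, ip)] = Binding(ip, mac, vlan, client_port)
        return True

    def arp_inspect(self, port, vlan, sender_ip, sender_mac) -> str:
        """DAI: ARP from a trusted port bypasses inspection; on an untrusted port the
        sender IP/MAC pair must match a binding, otherwise the packet is dropped."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, sender_ip))
        return "forward" if b and b.mac == sender_mac else "drop"

    def ip_source_guard(self, port, vlan, src_ip, src_mac) -> str:
        """IP Source Guard: IP traffic on an untrusted port must match the binding
        learned on that same port (IP and MAC checked together here)."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, src_ip))
        return "forward" if b and b.port == port and b.mac == src_mac else "drop"

if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})          # constructed uplink to the DHCP server
    sw.dhcp_server_reply("Gi1/0/24", 10, "Gi1/0/1", "10.0.10.11", "00:11:22:33:44:55")
    print(sw.arp_inspect("Gi1/0/7", 10, "10.0.10.11", "de:ad:be:ef:00:01"))   # spoof attempt -> drop
```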

4.4 Verifying Dynamic ARP Inspection

To verify that DAI is functioning correctly, use the following commands:


# Verify DAI status and configuration
Switch# show ip arp inspection

# Check the statistics of inspected ARP packets
Switch# show ip arp inspection statistics

# Verify the trusted and untrusted port configuration
Switch# show ip arp inspection interfaces [interface-id]

The verification commands allow you to check the DAI configuration, packet inspection statistics, and trusted interface status to ensure that DAI is effectively preventing ARP-based attacks.

5. Port Security

Port Security is a Layer 2 security feature used to restrict access to a switch port based on the MAC addresses of the devices connected to it. This helps prevent unauthorized devices from accessing the network, protecting against MAC flooding attacks and ensuring that only trusted devices can connect to specific ports.

5.1 Why Port Security is Necessary

Port security is essential to prevent several types of network attacks and misconfigurations:

5.2 How Port Security Works

Port Security allows administrators to control which devices are allowed on a switch port by specifying a maximum number of MAC addresses that can be learned on the port. If an unknown or unauthorized MAC address is detected once that maximum is reached, the port can be configured to take one of the following actions: protect (silently drop frames from the unknown address), restrict (drop the frames, log the event, and increment the violation counter), or shutdown (place the port in the error-disabled state, the default).

Additionally, MAC addresses can be learned dynamically or configured statically. Dynamic learning allows the port to automatically remember the first few devices connected, while static learning requires manual configuration of the allowed MAC addresses.
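The port security behaviour described above, as an added example that is not part of the course notes: a model of one access port that enforces the maximum address count, the three violation modes, and the difference between static, dynamic and sticky addresses in what ends up in the running configuration. The MAC addresses used are constructed.

```python
class SecurePort:
    """Simplified model of 'switchport port-security' on one access port."""

    def __init__(self, maximum=1, violation="shutdown", static=(), sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum, self.violation, self.sticky = maximum, violation, sticky
        self.static = list(static)             # manually configured secure addresses
        self.secure_macs = list(static)        # static entries count toward the maximum
        self.errdisabled = False
        self.violation_count = 0

    def receive(self, src_mac: str) -> str:
        """Apply port security to one ingress frame and return what the port does."""
        if self.errdisabled:
            return "dropped: port is err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # dynamic (or sticky) learning
            return "forwarded: address learned"
        # Maximum reached and the source is not a secure address: a violation.
        if self.violation == "protect":
            return "dropped silently"          # no log message, no counter
        self.violation_count += 1
        if self.violation == "restrict":
            return "dropped: violation logged"
        self.errdisabled = True                # shutdown: port goes err-disabled
        return "dropped: port err-disabled"

    def running_config(self) -> list:
        """Static entries are always in the config; sticky learning also writes
        learned addresses into it, while plain dynamic entries are lost on reload."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        lines += [f"switchport port-security mac-address {m}" for m in self.static]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in self.secure_macs if m not in self.static]
        return lines

if __name__ == "__main__":
    port = SecurePort(maximum=2, violation="shutdown")
    for mac in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"):   # constructed
        print(mac, "->", port.receive(mac))
```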

5.3 Configuring Port Security

To configure Port Security, the administrator defines the maximum number of allowed MAC addresses, sets the violation mode, and optionally configures specific MAC addresses to be allowed on the port.


# Port security is accepted only on an access port, so set the mode first
Switch(config-if)# switchport mode access

# Enable port security on the interface
Switch(config-if)# switchport port-security

# Set the maximum number of MAC addresses allowed on the port
Switch(config-if)# switchport port-security maximum [number]

# Define the violation mode (protect, restrict, or shutdown)
Switch(config-if)# switchport port-security violation [protect | restrict | shutdown]

# Optionally, configure a static MAC address
Switch(config-if)# switchport port-security mac-address [mac-address]

# Optionally, enable sticky learning: dynamically learned addresses are written
# into the running configuration so they survive a save and reload
Switch(config-if)# switchport port-security mac-address sticky

5.4 Verifying Port Security

After configuring port security, use the following commands to verify its status and monitor for any violations:


# Verify port security status and the violation count for every secured port
Switch# show port-security

# Check port security details for a specific interface (status, violation mode, last source address)
Switch# show port-security interface [interface-id]

# List the secure MAC addresses (static, dynamic, or sticky) learned on each port
Switch# show port-security address

The verification commands help administrators confirm that port security is working correctly and monitor for unauthorized access attempts or violations.