Talking about Layer 2 Network Security


Network security is a problem that every network engineer and IT professional must face. Every day we run the risk of being attacked, so how to protect the network is a concern at every moment, and we must keep our technical means up to date to deal with all kinds of network attacks.

Today we will talk about the attacks that most commonly appear on the intranet. Inside the intranet, Layer 3 attacks are less of a concern, because Layer 3 attacks are handled at the border zone, where there are many means such as VPNs, next-generation firewalls (NGFW) and cloud-based proxy filtering.

So let's take a look at the Layer 2 network, where the attacks target the access-layer switches. Please see the figure below:

Let's look at a few prevention measures given by Cisco:

Port security:

Regarding port security on a Layer 2 switch, we can reduce port risk in two ways:

1. Secure unused ports

We can shut down the ports that have no terminal connected, to prevent unauthorized terminal equipment from being plugged in. This method is simple and effective.

In interface mode:

S1(config)# interface type module/number
S1(config-if)# shutdown

2. Enable port security

Port security limits the number of valid MAC addresses allowed on a port, which effectively prevents MAC address table overflow attacks.

In interface mode:

S1(config)# interface f0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end

Note: the port must be set to access mode before port security can be enabled. If you apply the switchport port-security command to an active port that already has multiple devices connected, the port will enter the error-disabled state.

Once port security is enabled, you can configure the other port security parameters, as shown in the example:

S1(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

These are the port security options that can be configured under the interface; choose them according to the actual situation of the network.
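To make the options above concrete, here is an added example (not code from the page or from Cisco) that models how a single secured access port behaves: secure MAC addresses are learned dynamically up to the configured maximum, the three violation modes (protect, restrict, shutdown) react differently to an extra source MAC, and absolute aging lets old secure addresses expire. Port names and MAC addresses are constructed values.

```python
"""Model of Cisco-style port security on one access port (added illustration)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1             # switchport port-security maximum <n>
    violation: str = "shutdown"  # switchport port-security violation {protect|restrict|shutdown}
    aging_time: int = 0          # minutes; 0 means secure addresses never age out
    secure_macs: dict = field(default_factory=dict)  # mac -> minute it was learned
    violations: int = 0
    err_disabled: bool = False

    def receive(self, src_mac: str, minute: int = 0) -> str:
        """Handle one ingress frame by its source MAC and return the action taken."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        self._age_out(minute)
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[src_mac] = minute   # learn it as a secure address
            return "forwarded: learned"
        # A new source MAC beyond the maximum is a security violation.
        if self.violation == "protect":
            return "dropped"                     # silent: no counter, no syslog
        self.violations += 1
        if self.violation == "restrict":
            return "dropped: violation logged"   # port stays up; counter and trap
        self.err_disabled = True                 # shutdown mode: whole port goes err-disabled
        return "dropped: port err-disabled"

    def _age_out(self, minute: int) -> None:
        """Absolute aging: forget secure addresses older than aging_time minutes."""
        if self.aging_time:
            expired = [m for m, t in self.secure_macs.items() if minute - t >= self.aging_time]
            for m in expired:
                del self.secure_macs[m]

    def recover(self) -> None:
        """Operator shutdown/no shutdown or errdisable recovery: port returns, table cleared."""
        self.err_disabled = False
        self.secure_macs.clear()


def run_frames(port: SecurePort, macs) -> list:
    """Feed a sequence of source MACs through the port; return the per-frame actions."""
    return [port.receive(m) for m in macs]


if __name__ == "__main__":
    p = SecurePort("Fa0/1", maximum=2, violation="shutdown")
    for mac, action in zip(["00aa.0000.0001", "00aa.0000.0002", "00aa.0000.0003"],
                           run_frames(p, ["00aa.0000.0001", "00aa.0000.0002", "00aa.0000.0003"])):
        print(f"{p.name} {mac}: {action}")
```

The model shows the operational trade-off the violation mode implies: shutdown takes the whole port (and every legitimate host on it) offline until an operator or errdisable recovery brings it back, while restrict keeps the port up and only drops the offending frames.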

VLAN hopping attack

We can mitigate VLAN hopping attacks with the following steps:

Step 1: Use the switchport mode access interface configuration command to disable DTP (auto trunking) negotiation on non-trunk ports.

Step 2: Disable unused ports and place them in an unused VLAN.

Step 3: Use the switchport mode trunk command to manually enable trunking on trunk ports.

Step 4: Use the switchport nonegotiate command to disable DTP (auto trunking) negotiation on trunk ports.

Step 5: Use the switchport trunk native vlan vlan_number command to set the native VLAN to a VLAN other than VLAN 1.


Suppose ports FastEthernet 0/1 to 0/16 are active access ports,

ports FastEthernet 0/17 to 0/20 are currently unused, and

ports FastEthernet 0/21 to 0/24 are trunk ports.

The administrator can use the following configuration to mitigate VLAN hopping:

S1(config)# interface range fa0/1 - 16
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/17 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# shutdown
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 999
S1(config-if-range)# end


Ports FastEthernet 0/1 to 0/16 are access ports, so DTP is explicitly disabled on them by setting access mode.

Ports FastEthernet 0/17 to 0/20 are unused, so they are disabled and assigned to an unused VLAN.

Ports FastEthernet 0/21 to 0/24 are trunk links, which have been manually enabled as trunks with DTP disabled. The native VLAN has also been changed from the default VLAN 1 to the unused VLAN 999.

DHCP attack prevention

You can enable the DHCP snooping function and mark the port connected to the legitimate DHCP server as trusted.

Use the following steps to enable DHCP snooping:

Step 1. Enable DHCP snooping with the ip dhcp snooping global configuration command.

Step 2. Use the ip dhcp snooping trust interface configuration command on trusted ports.

Step 3. On untrusted ports, you can use the ip dhcp snooping limit rate interface configuration command to limit the number of DHCP discovery messages that can be received per second.

Step 4. Use the ip dhcp snooping vlan global configuration command to enable DHCP snooping on a VLAN or a range of VLANs.

For more specific configuration, you can refer to my previous article, DHCP Security – DHCP Snooping Technology Application.

ARP attack prevention

Dynamic ARP Inspection (DAI) relies on DHCP snooping to prevent ARP attacks.

To mitigate ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:

+ Enable DHCP snooping globally.

+ Enable DHCP snooping on the selected VLANs.

+ Enable DAI on the selected VLANs.

+ Configure the trusted ports for DHCP snooping and ARP inspection.

DHCP snooping is enabled first because DAI needs the DHCP snooping binding table to work properly. Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN 10. The uplink port connected to the router is trusted, so it is configured as a trusted port for both DHCP snooping and ARP inspection.

S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
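The DHCP snooping and DAI sections above describe two features that share one data structure, the snooping binding table. The following added example (not code from the page or from Cisco) models that relationship on a single switch: server replies (OFFER/ACK) are only accepted on trusted ports, an ACK seen on a trusted port records the client's VLAN/MAC/IP/port binding, untrusted ports are rate-limited for DHCP messages, and ARP packets arriving on untrusted ports are forwarded only when their sender MAC/IP pair matches a binding. Port names, VLAN numbers and addresses are constructed values.

```python
"""Model of DHCP snooping plus Dynamic ARP Inspection on one switch (added illustration)."""
from collections import defaultdict


class SnoopingSwitch:
    def __init__(self, trusted_ports, snooping_vlans, dai_vlans, rate_limits=None):
        self.trusted = set(trusted_ports)          # ip dhcp snooping trust / ip arp inspection trust
        self.snooping_vlans = set(snooping_vlans)  # ip dhcp snooping vlan ...
        self.dai_vlans = set(dai_vlans)            # ip arp inspection vlan ...
        self.rate_limits = rate_limits or {}       # port -> ip dhcp snooping limit rate <pps>
        self.bindings = {}                         # (vlan, client mac) -> (ip, client port)
        self.pending = {}                          # (vlan, client mac) -> client port awaiting ACK
        self.dhcp_counts = defaultdict(int)        # (port, second) -> DHCP messages seen
        self.err_disabled = set()

    def dhcp(self, port, vlan, msg, client_mac, ip=None, second=0):
        """Process one DHCP message. msg is DISCOVER/REQUEST (client) or OFFER/ACK (server)."""
        if port in self.err_disabled:
            return "dropped: port err-disabled"
        if vlan not in self.snooping_vlans:
            return "forwarded: vlan not snooped"
        if port not in self.trusted:
            if msg in ("OFFER", "ACK"):
                # A DHCP server answering from an untrusted port is treated as rogue.
                return "dropped: server message on untrusted port"
            limit = self.rate_limits.get(port)
            if limit is not None:
                self.dhcp_counts[(port, second)] += 1
                if self.dhcp_counts[(port, second)] > limit:
                    # Too many client messages per second: err-disable the port.
                    self.err_disabled.add(port)
                    return "dropped: rate limit exceeded, port err-disabled"
            if msg == "REQUEST":
                self.pending[(vlan, client_mac)] = port   # remember which port the client is on
            return "forwarded"
        # Trusted port: a server ACK for a pending client completes a binding entry.
        if msg == "ACK" and (vlan, client_mac) in self.pending:
            client_port = self.pending.pop((vlan, client_mac))
            self.bindings[(vlan, client_mac)] = (ip, client_port)
            return "forwarded: binding recorded"
        return "forwarded"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: validate an ARP packet's sender MAC/IP against the binding table."""
        if vlan not in self.dai_vlans or port in self.trusted:
            return "forwarded"
        if self.bindings.get((vlan, sender_mac)) == (sender_ip, port):
            return "forwarded"
        return "dropped: no matching DHCP snooping binding"


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Fa0/24"}, snooping_vlans={10}, dai_vlans={10},
                        rate_limits={"Fa0/1": 2})
    print(sw.dhcp("Fa0/1", 10, "REQUEST", "00aa.0000.0001"))
    print(sw.dhcp("Fa0/24", 10, "ACK", "00aa.0000.0001", ip="10.0.10.50"))
    print(sw.arp("Fa0/1", 10, "00aa.0000.0001", "10.0.10.50"))
    print(sw.arp("Fa0/1", 10, "00aa.0000.0001", "10.0.10.1"))
```

Note the dependency the text describes: a host with a static address, or one that obtained its lease before snooping was turned on, has no binding and will fail DAI on an untrusted port, which is why the uplink to the router is marked trusted for both features and why static hosts need an ARP ACL or a manually added binding in a real deployment.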

Preventing STP attacks

We can use PortFast and BPDU guard to prevent STP attacks.

+ PortFast – an interface configured as an access port or trunk port moves directly from the blocking state to the forwarding state, bypassing the listening and learning states. It is suitable for end-user ports. PortFast should only be configured on ports that connect to terminal devices.

+ BPDU guard – BPDU guard immediately puts a port that receives a BPDU into the error-disabled state. Like PortFast, BPDU guard should also be configured only on ports that connect to terminal devices.

Use the spanning-tree portfast interface configuration command to enable PortFast on an interface. Alternatively, PortFast can be enabled on all access ports with the spanning-tree portfast default global configuration command.

S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast

If a BPDU is received on a port with BPDU guard enabled, the port enters the error-disabled state. This means the port has been shut down; you must re-enable it manually, or have it recovered automatically through the global errdisable recovery cause command (psecure-violation covers port-security shutdowns; for BPDU guard shutdowns the cause is bpduguard).

S1(config)# interface fa0/1
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit
S1(config)# spanning-tree portfast bpduguard default
S1(config)# end
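The VLAN hopping steps and the PortFast/BPDU guard section above both come down to a checklist that can be verified against a switch's running configuration. The following added example (not code from the page or from Cisco) audits an IOS-style config text for those items: trunks must carry switchport nonegotiate and a native VLAN other than 1, ports with no explicit mode (or a dynamic mode) are flagged for leaving DTP on, disabled ports should sit in a non-default VLAN, access ports should have port security plus PortFast and BPDU guard (either per interface or via the global defaults), and ip dhcp snooping should be enabled globally. The config below is constructed for illustration and mirrors the port layout used on this page.

```python
"""Audit an IOS-style running-config for the Layer 2 hardening items above (added illustration)."""

SAMPLE_CONFIG = """\
!
ip dhcp snooping
ip dhcp snooping vlan 10
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/17
 switchport mode access
 switchport access vlan 1000
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/21
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
!
interface FastEthernet0/22
 switchport mode trunk
!
interface FastEthernet0/23
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
!
"""


def parse_config(text):
    """Split an IOS config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # sub-command of the current interface
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text):
    """Return a list of (scope, finding) tuples; an empty list means no gaps were found."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in global_cmds:
        findings.append(("global", "DHCP snooping not enabled"))
    portfast_default = "spanning-tree portfast default" in global_cmds
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_cmds
    for name, cmds in interfaces.items():
        if not name.lower().startswith(("fa", "gi", "te")):
            continue   # skip SVIs, loopbacks and other virtual interfaces
        if "shutdown" in cmds:
            vlan = next((c.split()[-1] for c in cmds if c.startswith("switchport access vlan")), "1")
            if vlan == "1":
                findings.append((name, "disabled port still in VLAN 1; move it to an unused VLAN"))
            continue
        mode = next((c.split(None, 2)[2] for c in cmds if c.startswith("switchport mode ")), None)
        if mode is None:
            findings.append((name, "no switchport mode set; DTP may negotiate a trunk"))
        elif mode == "trunk":
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "trunk without switchport nonegotiate"))
            native = next((c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan")), "1")
            if native == "1":
                findings.append((name, "native VLAN is 1"))
        elif mode == "access":
            if "switchport port-security" not in cmds:
                findings.append((name, "port security not enabled"))
            if not (portfast_default or "spanning-tree portfast" in cmds):
                findings.append((name, "PortFast not enabled"))
            if not (bpduguard_default or "spanning-tree bpduguard enable" in cmds):
                findings.append((name, "BPDU guard not enabled"))
        else:
            findings.append((name, f"switchport mode {mode} leaves DTP negotiation on"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

The parser only understands the flat "interface / indented sub-command" layout of show running-config, so feed it that output rather than a startup-config with comments; real configs may also carry port security options on extra lines (maximum, violation), which the exact-match check on "switchport port-security" still handles because IOS writes the bare command as its own line.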

The above are a few ways to prevent Layer 2 attacks; everyone can apply them on the access-layer switches in their network. Especially in medium and large networks there is a lot of access equipment, and if management is lax there will be many attacks originating at Layer 2. So if the switches you manage have these prevention functions, turn them on now.
