Layer 2 Security Threats

Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link. This is because LANs were traditionally under the administrative control of a single organization. We inherently trusted all persons and devices connected to our LAN.

The first step in mitigating attacks on the Layer 2 infrastructure is to understand the underlying operation of Layer 2 and the threats posed by the Layer 2 infrastructure.


Layer 2 Attacks

Category Examples
MAC Table Attacks Includes MAC address flooding attacks.
VLAN Attacks Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN.
DHCP Attacks Includes DHCP starvation and DHCP spoofing attacks.
ARP Attacks Includes ARP spoofing and ARP poisoning attacks.
Address Spoofing Attacks Includes MAC address and IP address spoofing attacks.
STP Attacks Includes Spanning Tree Protocol manipulation attacks.


Layer 2 Attack Mitigation

Solution Description
Port Security Prevents many types of attacks including MAC address flooding attacks and DHCP starvation attacks.
DHCP Snooping Prevents DHCP starvation and DHCP spoofing attacks.
Dynamic ARP Inspection (DAI) Prevents ARP spoofing and ARP poisoning attacks.
IP Source Guard (IPSG) Prevents MAC and IP address spoofing attacks.


These Layer 2 solutions will not be effective if the management protocols are not secured. For example, the management protocols Syslog, Simple Network Management Protocol (SNMP), Trivial File Transfer Protocol (TFTP), telnet, File Transfer Protocol (FTP) and most other common protocols are insecure; therefore, the following strategies are recommended:

1. Always use secure variants of these protocols such as SSH, Secure Copy Protocol (SCP), Secure FTP (SFTP), and Secure Socket Layer/Transport Layer Security (SSL/TLS).

2. Consider using out-of-band management network to manage devices.

3. Use a dedicated management VLAN where nothing but management traffic resides.

4. Use ACLs to filter unwanted access.