Why do we need Layer 2 security?
The OSI model was built so that each layer works without knowledge of the others.
That independence makes Layer 2 a potentially very weak link in the network.
If any one layer is compromised, the communication built on top of it is compromised too.
VLAN hopping attacks
Spanning Tree Attacks
DHCP Starvation Attack
What are MAC and CAM?
A MAC address is a 48-bit Layer 2 address.
The first 24 bits are the OUI (manufacturer code), assigned by the IEEE.
The second 24 bits identify the specific interface and are assigned by the manufacturer.
The Content Addressable Memory (CAM) table stores the MAC addresses the switch has
learned on each physical port together with their associated VLAN.
CAM overflow attack
(screenshot: example output of the macof tool)
Duration of this attack
• 63 bits of source information (MAC, VLAN, misc) are hashed to a 17-bit value that
indexes the entry stored in the CAM table.
• A Cisco Catalyst 5650 can store approx. 131,000 CAM entries.
• The dsniff macof tool can generate about 155,000 MAC entries per minute, so the table
is full in well under a minute; once it is full the switch floods unknown unicast frames
out of every port and the attacker can sniff traffic meant for other hosts.
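As an added example (not from the original slides), the script below splits a MAC address into the two halves described above and then scans the output of a switch's MAC table for a port that has learned more addresses than port security would allow, the footprint a macof flood leaves. The MAC table text is constructed to look like Cisco `show mac address-table dynamic` output and is not a real capture; the port names and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Cisco "show mac address-table dynamic"
# output; not a real capture. Gi1/0/7 is the port the flood arrives on.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56a1.0001    DYNAMIC     Gi1/0/1
  10    0050.56a1.0002    DYNAMIC     Gi1/0/2
  10    1e3b.8d9c.0a11    DYNAMIC     Gi1/0/7
  10    0b76.c2e1.44f0    DYNAMIC     Gi1/0/7
  10    7a02.1c55.9e08    DYNAMIC     Gi1/0/7
  10    c3d8.0e1a.7b6d    DYNAMIC     Gi1/0/7
  10    5c19.aa03.2c41    DYNAMIC     Gi1/0/7
  10    90e7.5b20.d1fe    DYNAMIC     Gi1/0/7
"""

MAC_TABLE_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac(mac: str) -> dict:
    """Split a 48-bit MAC (dotted Cisco form or colon form) into its parts.

    The first 24 bits are the OUI assigned by the IEEE, the last 24 the
    interface-specific part assigned by the vendor. Two bits of the first
    octet help spot forged addresses: bit 0 (I/G) marks a group address,
    which is never valid as a source, and bit 1 (U/L) marks a locally
    administered address, which a vendor-burned MAC does not set.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets = bytes.fromhex(hexdigits)
    return {
        "oui": octets[:3].hex(":"),
        "nic": octets[3:].hex(":"),
        "group": bool(octets[0] & 0x01),
        "local": bool(octets[0] & 0x02),
    }


def macs_per_port(show_output: str) -> dict:
    """Group the MACs in 'show mac address-table' text by the port they were learned on."""
    by_port = defaultdict(list)
    for line in show_output.splitlines():
        m = MAC_TABLE_LINE.match(line)
        if m:
            _vlan, mac, _type, port = m.groups()
            by_port[port].append(mac)
    return dict(by_port)


def flood_suspects(show_output: str, max_per_port: int = 5) -> dict:
    """Flag ports carrying more MACs than port security would allow.

    max_per_port mirrors 'switchport port-security maximum'. For each
    flagged port the report also counts how many addresses look synthetic:
    macof draws random 48-bit values, so roughly half of them carry the
    locally administered bit and half the group bit, which a real unicast
    source address should not.
    """
    report = {}
    for port, macs in macs_per_port(show_output).items():
        if len(macs) > max_per_port:
            fields = [parse_mac(m) for m in macs]
            report[port] = {
                "count": len(macs),
                "local": sum(f["local"] for f in fields),
                "group_as_source": sum(f["group"] for f in fields),
            }
    return report


if __name__ == "__main__":
    for port, info in flood_suspects(SAMPLE_MAC_TABLE).items():
        print(f"{port}: {info['count']} MACs learned, {info['local']} locally "
              f"administered, {info['group_as_source']} with the group bit set")
```

Run against a real `show mac address-table` dump the same way; the interesting signal is not just the count but that a flooding tool's random addresses fail the OUI sanity checks a legitimate NIC always passes.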
How do we overcome this attack?
We can overcome this attack by enabling switch port security, which limits the MAC
addresses allowed on a port using one of
1. Static secure MAC addresses (configured manually)
2. Dynamic secure MAC addresses (learned on the fly, lost on reboot)
3. Sticky secure MAC addresses (learned and written into the running configuration)
Cisco# conf t
Cisco(config)# interface fastethernet0/1
! port security cannot be enabled on a port in dynamic (DTP) mode, so set the mode explicitly
Cisco(config-if)# switchport mode access
Cisco(config-if)# switchport port-security
! at most 5 MAC addresses on this port; frames from any further address are
! dropped and counted without shutting the port down (violation restrict)
Cisco(config-if)# switchport port-security maximum 5
Cisco(config-if)# switchport port-security violation restrict
! two of the five are pinned statically, the rest are learned dynamically
Cisco(config-if)# switchport port-security mac-address aaaa.aaaa.aaaa
Cisco(config-if)# switchport port-security mac-address bbbb.bbbb.bbbb
1. A secure port cannot be a SPAN destination port.
2. A secure port cannot be an 802.1X port.
3. A secure port cannot belong to an EtherChannel port-channel interface.
What is meant by a trunk port?
• A trunk port carries all VLANs by default.
• It is used to carry the traffic of multiple VLANs across the same physical link.
• The encapsulation can be 802.1Q or ISL (Cisco proprietary).
Rogue trunk / switch spoofing attack
1. A computer can pose as a switch by speaking 802.1Q or ISL and DTP.
2. DTP (Dynamic Trunking Protocol) signaling is what negotiates the trunk.
3. It requires the switch port to be in a trunking-favorable DTP mode (dynamic auto or
dynamic desirable); once the port becomes a trunk the attacker can tag frames into any VLAN.
Double encapsulated VLAN attack
1. The attacker, on an access port whose VLAN is the native VLAN of the trunk, sends
802.1Q frames carrying two tags: an outer tag for the native VLAN and an inner tag for
the target VLAN.
2. The first switch performs only one level of decapsulation: it strips the outer tag and,
because that VLAN is the trunk's native VLAN, sends the frame over the trunk untagged,
with the inner tag still in place.
3. The next switch reads the inner tag and delivers the frame into the target VLAN: VLAN
hopping occurs. The traffic is one-way, since replies have no path back to the attacker's VLAN.
Security practices to avoid these attacks
Always use a dedicated VLAN ID as the native VLAN of all trunk ports (one that carries no user traffic)
Disable unused ports and put them in an unused VLAN
Don't use VLAN 1 for anything
Turn DTP off: configure ports explicitly as access or trunk and disable negotiation
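The double-tagging walk-through and the "dedicated native VLAN" practice above are easiest to see with the bytes in hand. The following is an added example, not code from the slides: it builds a double-tagged 802.1Q frame with `struct` and pushes it through a simplified model of two switches joined by a trunk. The MAC addresses and payload are constructed; the model's assumption that an access port accepts a frame tagged with its own VLAN and consumes that tag is a simplification of platform-specific behaviour.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

# Constructed frame fields; the source MAC is an assumed attacker address.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"\x45" + b"\x00" * 19  # stands in for an IP header, not a real packet


def build_frame(dst: bytes, src: bytes, vlan_tags: list, payload: bytes,
                ethertype: int = ETH_P_IP) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vlan_tags)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def pop_tag(frame: bytes):
    """Return (vid, frame with the outer tag removed), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def access_port_ingress(frame: bytes, access_vlan: int):
    """Model of switch 1 receiving on the attacker's access port.

    An untagged frame is classified into the access VLAN. A frame tagged with
    the access VLAN itself is accepted and the tag consumed (assumed behaviour;
    real platforms differ). Any other tag is dropped.
    """
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """Switch 1 sending over the trunk: native-VLAN frames leave untagged, every
    other VLAN gets a tag pushed in front of whatever is already in the frame."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan) + frame[12:]


def trunk_ingress(frame: bytes, native_vlan: int):
    """Switch 2 receiving on the trunk: one tag is popped; untagged means native."""
    vid, inner = pop_tag(frame)
    return (native_vlan if vid is None else vid), inner


def vlan_hop(attacker_vlan: int, native_vlan: int, target_vlan: int):
    """Send [attacker_vlan][target_vlan] from the attacker's access port and
    report which VLAN the frame lands in on the far switch (None if dropped)."""
    frame = build_frame(DST, SRC, [attacker_vlan, target_vlan], PAYLOAD)
    vlan, frame = access_port_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    landed, _ = trunk_ingress(trunk_egress(frame, vlan, native_vlan), native_vlan)
    return landed


if __name__ == "__main__":
    # Native VLAN equals the attacker's VLAN: switch 1 strips the outer tag and
    # sends the frame untagged, so switch 2 reads the inner tag: lands in VLAN 20.
    print("native=10 :", vlan_hop(attacker_vlan=10, native_vlan=10, target_vlan=20))
    # Dedicated native VLAN: switch 1 pushes tag 10 in front of the inner tag and
    # switch 2 pops tag 10 again, so the frame stays in VLAN 10.
    print("native=999:", vlan_hop(attacker_vlan=10, native_vlan=999, target_vlan=20))
```

The second call is the whole argument for the dedicated native VLAN: with the native VLAN set to a value no access port uses, the outer tag is never stripped, the inner tag is never exposed, and the frame stays where it was sent from.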
An ARP request message is placed in a frame and broadcast to all computers on the network.
Each computer receives the request and examines the
The computer mentioned in the request sends a response; all other computers process and
discard the request without sending a response.
Gratuitous ARP is used by hosts to announce their IP address to the local
network and avoid duplicate IP addresses on the network; routers and
other network hardware may use cache information gained from
• ARP has no authentication: any host can claim any IP/MAC binding.
• Host W broadcasts "I'm 18.104.22.168 with MAC 12:34:56:78:9A:BC" at regular intervals.
• When host X requests the MAC of the gateway, the answer it caches is overwritten by the
gratuitous ARP packets from W, so X's traffic for the gateway goes to W instead.
Even a static ARP entry for 22.214.171.124 on host Y gets overwritten by the gratuitous
ARP on some OSes.
(screenshot: credentials sniffed with Cain & Abel)
ARP spoofing mitigation
Some IDS systems watch for an unusually high amount of ARP traffic.
Tools such as ARPwatch and AntiARP detect or block ARP spoofing by tracking IP-to-MAC
bindings and alerting when a binding changes.
Use static ARP entries on critical systems (keeping in mind that some OSes still let a
gratuitous ARP overwrite them).
Cisco switches implement an ARP firewall as Dynamic ARP Inspection (DAI), which drops ARP
packets whose IP/MAC binding does not match the DHCP snooping binding table or a configured ARP ACL.
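To make the gratuitous-ARP poisoning above and the ARPwatch-style mitigation concrete, here is an added example that is not part of the slides. It packs and parses raw ARP payloads, pins the first IP-to-MAC binding it sees (the equivalent of a static entry), and raises an alert both when a later packet contradicts the binding and when one sender emits an unusual number of gratuitous ARPs. The gateway IP and the attacker MAC are the values the slides use; the gateway's real MAC, the victim's address and the thresholds are assumptions.

```python
import struct
from collections import namedtuple, defaultdict

ArpPacket = namedtuple("ArpPacket", "op sha spa tha tpa")  # op 1 = request, 2 = reply
ARP_HDR = "!HHBBH"  # htype, ptype, hlen, plen, opcode


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """ARP payload for Ethernet/IPv4 (no Ethernet header in front)."""
    return (struct.pack(ARP_HDR, 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def parse_arp(data: bytes) -> ArpPacket:
    htype, ptype, hlen, plen, op = struct.unpack(ARP_HDR, data[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return ArpPacket(op,
                     data[8:14].hex(":"), ".".join(map(str, data[14:18])),
                     data[18:24].hex(":"), ".".join(map(str, data[24:28])))


def is_gratuitous(p: ArpPacket) -> bool:
    """A gratuitous ARP announces the sender's own address: target IP == sender IP."""
    return p.spa == p.tpa


class ArpWatch:
    """Pin IP->MAC bindings and alert when an ARP packet contradicts one.

    This is the check arpwatch-type tools perform, plus the "unusually high
    amount of ARP traffic" heuristic: a sender that issues more than
    grat_limit gratuitous ARPs within `window` seconds is reported as a flooder.
    """

    def __init__(self, static=None, grat_limit=5, window=10.0):
        self.table = dict(static or {})        # ip -> mac, first seen wins
        self.alerts = []
        self.grat_limit, self.window = grat_limit, window
        self._grat_times = defaultdict(list)   # sender mac -> timestamps

    def observe(self, data: bytes, now: float = 0.0) -> ArpPacket:
        p = parse_arp(data)
        known = self.table.get(p.spa)
        if known is None:
            self.table[p.spa] = p.sha          # learn, but never overwrite
        elif known != p.sha:
            kind = "gratuitous" if is_gratuitous(p) else "reply" if p.op == 2 else "request"
            self.alerts.append(f"{p.spa} changed {known} -> {p.sha} via {kind} ARP")
        if is_gratuitous(p):
            recent = [t for t in self._grat_times[p.sha] if now - t <= self.window]
            recent.append(now)
            self._grat_times[p.sha] = recent
            if len(recent) == self.grat_limit + 1:
                self.alerts.append(f"{p.sha} sent {len(recent)} gratuitous ARPs in {self.window}s")
        return p


# Constructed scenario: the gateway IP and attacker MAC are the slides' values;
# the gateway's real MAC and the victim's address are assumptions.
GATEWAY_IP, GATEWAY_MAC = "18.104.22.168", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "18.104.22.200", "aa:bb:cc:00:00:02"
ATTACKER_MAC = "12:34:56:78:9a:bc"


def run_scenario() -> ArpWatch:
    """A genuine reply from the gateway, then host W's periodic gratuitous ARPs."""
    w = ArpWatch()
    w.observe(build_arp(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP), now=0.0)
    for i in range(6):  # one per second, the slide's "regular interval"
        w.observe(build_arp(1, ATTACKER_MAC, GATEWAY_IP, "00:00:00:00:00:00", GATEWAY_IP),
                  now=1.0 + i)
    return w


if __name__ == "__main__":
    for alert in run_scenario().alerts:
        print(alert)
```

A host cache that behaved like `ArpWatch.table` would be immune to the attack; the slides' point is that real OS caches, and on some OSes even static entries, take the newest claim instead.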
STP is used to avoid loops and the broadcast storms they cause.
Messages are sent using Bridge Protocol Data Units (BPDUs). The basic messages are
configuration BPDUs and topology change notification/acknowledgment (TCN/TCA).
Standard 802.1D STP takes 30-45 seconds to deal with a failure or a root bridge change.
An attacker who sends BPDUs advertising a better (lower) bridge ID than the current root
forces such a change and becomes the root bridge.
Now the attacker sits on the path of every frame that crosses the root bridge.
MITM, DoS (repeated re-elections keep the network reconverging), etc. are all possible.
STP attack mitigation
We can avoid this attack by enabling BPDU guard on the switch's access ports, which
err-disables any such port the moment it receives a BPDU; root guard on ports that must
never face the root complements it.
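The following added example (not from the slides) shows what the attack and the mitigation look like at the BPDU level: it packs an 802.1D configuration BPDU, compares the advertised root ID with the one a switch currently knows, and models two ports, one plain and one with BPDU guard, receiving a rogue BPDU that claims priority 0. The legitimate root's MAC, the port names and the default priority 32768 are assumptions; the attacker MAC is the one the slides use elsewhere.

```python
import struct

# IEEE 802.1D configuration BPDU: protocol id, version, type, flags, root id,
# root path cost, bridge id, port id, message age, max age, hello, forward delay.
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)   # 35 bytes


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge ID: 16-bit priority followed by the bridge MAC. Lower is
    better, and big-endian bytes compare numerically, so `<` picks the root."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root_prio, root_mac, bridge_prio, bridge_mac,
                      root_cost=0, port_id=0x8001) -> bytes:
    """Configuration BPDU with the 802.1D default timers (units of 1/256 s)."""
    return struct.pack(BPDU_FMT, 0x0000, 0, 0, 0,
                       bridge_id(root_prio, root_mac), root_cost,
                       bridge_id(bridge_prio, bridge_mac), port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(data: bytes) -> dict:
    proto, _ver, typ, _flags, root, cost, bridge, port, _age, maxage, hello, fwd = \
        struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    if proto != 0 or typ != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return {"root_id": root, "root_cost": cost, "bridge_id": bridge, "port_id": port,
            "max_age": maxage / 256, "hello": hello / 256, "forward_delay": fwd / 256}


def describe_id(bid: bytes) -> str:
    prio = struct.unpack("!H", bid[:2])[0]
    return f"{prio}/{bid[2:].hex(':')}"


class SwitchPort:
    """One port of a switch that currently believes `current_root` is the root."""

    def __init__(self, name: str, current_root: bytes, bpdu_guard: bool = False):
        self.name, self.current_root, self.bpdu_guard = name, current_root, bpdu_guard
        self.state = "forwarding"

    def receive_bpdu(self, data: bytes) -> str:
        # BPDU guard: an edge port must never see a BPDU at all, so the port is
        # err-disabled before the contents are even looked at.
        if self.bpdu_guard:
            self.state = "err-disabled"
            return "err-disabled"
        bpdu = parse_config_bpdu(data)
        # A superior root ID (lower priority, then lower MAC) triggers a
        # re-election; the sender ends up on the path of every frame that
        # crosses the root, and the tree takes tens of seconds to settle.
        if bpdu["root_id"] < self.current_root:
            self.current_root = bpdu["root_id"]
            return "root-change"
        return "accepted"


# Constructed scenario: legitimate root at the default priority (assumed MAC);
# the attacker advertises priority 0 from the MAC the slides use.
LEGIT_ROOT = bridge_id(32768, "00:00:0c:00:00:01")
ROGUE_BPDU = build_config_bpdu(0, "12:34:56:78:9a:bc", 0, "12:34:56:78:9a:bc")


if __name__ == "__main__":
    open_port = SwitchPort("Gi1/0/7", LEGIT_ROOT)
    guarded = SwitchPort("Gi1/0/8", LEGIT_ROOT, bpdu_guard=True)
    print("no guard  :", open_port.receive_bpdu(ROGUE_BPDU), describe_id(open_port.current_root))
    print("bpdu guard:", guarded.receive_bpdu(ROGUE_BPDU), guarded.state)
```

Priority 0 beats the default 32768 regardless of MAC, which is why the comparison is on the whole 8-byte ID and why the guard must act on the mere presence of a BPDU rather than on what it says.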
DHCP starvation attack
• The attack is performed by broadcasting a large number of DHCP requests with spoofed
(randomized) client MAC addresses.
• If enough requests are flooded onto the network, the attacker can completely exhaust the
address space allocated by the DHCP servers for an indefinite period, after which a rogue
DHCP server under the attacker's control can answer the real clients instead.
• (screenshot) Yersinia is used here for the DHCP starvation attack.
Mitigation of the DHCP starvation attack
• Port security should be enabled (limits how many source MACs a port may use).
• DHCP snooping should be enabled (drops server replies arriving on untrusted ports,
rate-limits client requests, and can verify that the DHCP chaddr matches the frame's source MAC).
! Access ports: port security plus a DHCP request rate limit
Cisco(config)#interface range GigabitEthernet1/0/1 - 48
Cisco(config-if-range)#description Access Ports
Cisco(config-if-range)#switchport mode access
Cisco(config-if-range)#switchport port-security
Cisco(config-if-range)#switchport port-security maximum 4
Cisco(config-if-range)#switchport port-security aging time 5
Cisco(config-if-range)#switchport port-security aging type inactivity
Cisco(config-if-range)#switchport port-security violation shutdown
Cisco(config-if-range)#ip dhcp snooping limit rate 10
! Uplink towards the DHCP server: the only port allowed to carry server replies.
! The slide does not name this interface; substitute the real uplink.
Cisco(config)#interface <uplink-interface>
Cisco(config-if)#description Uplink to DHCP Server
Cisco(config-if)#ip dhcp snooping trust
! Global DHCP snooping settings
Cisco(config)#ip dhcp snooping
Cisco(config)#ip dhcp snooping vlan 1-10
Cisco(config)#ip dhcp snooping database tftp://remotehost.company.com/Ciscodhcpsnoop.txt
Cisco(config)#ip dhcp snooping verify mac-address
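What the three snooping checks in that configuration actually decide per packet is shown by the added example below, which is not code from the slides or from Cisco. It builds minimal DHCP DISCOVER/OFFER messages, parses the BOOTP header and option 53, and runs a starvation flood through a model of an untrusted port: first a tool that forges only the chaddr (caught by `verify mac-address`), then one that forges the Ethernet source as well (caught by the rate limit, and by port security on the real switch). The port names, the client's burned-in MAC and the rate limit of 10 per second are assumptions.

```python
import struct
from collections import defaultdict

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER = 1, 2                     # DHCP message types (option 53)
BOOTREQUEST, BOOTREPLY = 1, 2              # BOOTP op field


def build_dhcp(op: int, msgtype: int, chaddr: bytes, xid: int) -> bytes:
    """Minimal DHCP message: BOOTP header, magic cookie, option 53, end option."""
    zero4 = b"\x00" * 4
    header = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                         zero4, zero4, zero4, zero4,
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, msgtype, 255])


def parse_dhcp(data: bytes) -> dict:
    fields = struct.unpack(BOOTP_FMT, data[:236])
    op, hlen, xid, chaddr = fields[0], fields[2], fields[4], fields[11][:fields[2]]
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(data) and data[i] != 255:   # 255 = end
        if data[i] == 0:                       # 0 = pad
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr,
            "msgtype": options.get(53, b"\x00")[0]}


class DhcpSnooper:
    """'ip dhcp snooping' at one port, reduced to three checks: server messages
    are only accepted on trusted ports, a client's chaddr must equal the
    Ethernet source MAC ('verify mac-address'), and untrusted ports get a
    per-second request limit ('limit rate')."""

    def __init__(self, rate_limit: int = 10, trusted=()):
        self.rate_limit, self.trusted = rate_limit, set(trusted)
        self._seen = defaultdict(list)   # port -> timestamps in the last second

    def ingress(self, port: str, src_mac: bytes, payload: bytes, now: float) -> str:
        msg = parse_dhcp(payload)
        if port in self.trusted:
            return "forward"
        if msg["op"] == BOOTREPLY:
            return "drop: server message on untrusted port"
        if msg["chaddr"] != src_mac:
            return "drop: chaddr does not match source MAC"
        recent = [t for t in self._seen[port] if now - t < 1.0] + [now]
        self._seen[port] = recent
        if len(recent) > self.rate_limit:
            return "drop: rate limit exceeded"
        return "forward"


REAL_NIC = bytes.fromhex("005056a10001")   # constructed: the attacking host's burned-in MAC


def simulate_starvation(snooper: DhcpSnooper, port: str, n: int,
                        spoof_ethernet_src: bool = True) -> dict:
    """n DISCOVERs 10 ms apart, each with a fresh chaddr, the way Yersinia
    drains a pool. With spoof_ethernet_src=False the tool forges only the
    chaddr and keeps the NIC's real source MAC on the frame."""
    verdicts = defaultdict(int)
    for i in range(n):
        chaddr = bytes([0x02, 0x00, 0x00, 0x00, i >> 8, i & 0xFF])   # locally administered
        src = chaddr if spoof_ethernet_src else REAL_NIC
        payload = build_dhcp(BOOTREQUEST, DISCOVER, chaddr, i)
        verdicts[snooper.ingress(port, src, payload, i * 0.01)] += 1
    return dict(verdicts)


if __name__ == "__main__":
    print(simulate_starvation(DhcpSnooper(), "Gi1/0/7", 5, spoof_ethernet_src=False))
    print(simulate_starvation(DhcpSnooper(rate_limit=10), "Gi1/0/7", 15))
```

Note the division of labour: `verify mac-address` alone does nothing against a tool that rewrites the frame's source MAC too, which is why the slides pair snooping with port security (`maximum 4` stops the fifth forged source) and why the rate limit on the access ports is worth adding.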