
Chapter 21 of 27

Layer 2 Security: Port Security, DHCP Snooping, and Wireless Protections

Lock down the access layer by controlling which devices can connect, protecting against rogue DHCP servers, and securing wireless associations.

27 min read

Layer 2 Security: Why the Access Layer Is a Prime Target

Why Layer 2 Security Matters

The access layer is where end devices plug in or join Wi‑Fi. It is often the weakest point and a prime target for attackers who can physically reach a jack or wireless signal.

Layer 2 Attack Surface

At Layer 2, attackers can plug in rogue devices, spoof MAC addresses, poison ARP tables, or run fake DHCP servers to hijack traffic or gain unauthorized access.

Protections You Will Learn

We focus on port security, DHCP snooping, Dynamic ARP Inspection (conceptually), and wireless protections using WPA2-PSK, WPA2-Enterprise, and WPA3.

Goal for This Module

You will learn to describe, configure, and verify key Layer 2 protections, and understand how they fit into overall switch hardening for the CCNA.

Port Security: Concept, Use Cases, and Violation Modes

What Port Security Does

Port security restricts which MAC addresses can send traffic on a switch port. It is mainly used on access ports to control which devices can connect.

Secure MAC Concepts

You can set a maximum number of MAC addresses and define them as static secure MACs or let the switch learn them dynamically as sticky secure MACs.

Violation Modes Overview

Violation modes are protect, restrict, and shutdown. All drop traffic from violating MACs, but they differ in logging and whether the port is disabled.

Exam-Focused Behaviors

`protect` silently drops, `restrict` drops and counts/logs, `shutdown` puts the port into err-disabled. Remember: shutdown is the default and most disruptive.

Configuring and Verifying Port Security on a Cisco Switch

Scenario and Goal

A PC is connected on Fa0/10. Only one device is allowed, its MAC address should be learned automatically, and the port should shut down if a second device appears.

Core Port Security Commands

Put the port in access mode and assign its VLAN, then enable `switchport port-security` and set `maximum 1`, `mac-address sticky`, and `violation shutdown` on the interface. Access mode has to come first: the switch rejects `switchport port-security` on a port that is still in dynamic (DTP) mode.

Checking the Configuration

Use `show port-security interface fa0/10` and `show port-security address` to see status, learned MACs, and any violation counters.

Recovering from Violations

If the port is err-disabled, issue `shutdown` then `no shutdown` on the interface, or configure errdisable recovery for psecure-violation.
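The scenario above written out as a complete IOS session, added here as an example rather than taken from the page. The hostname `Switch`, the access VLAN (10) and the 300-second recovery interval are assumed values:

```cisco
! Added example (not from the original page): port security on Fa0/10.
! Assumed values: hostname Switch, access VLAN 10, errdisable recovery interval 300 s.
Switch> enable
Switch# configure terminal
Switch(config)# interface FastEthernet0/10
! Port security is rejected on a port still in dynamic (DTP) mode, so set access mode first
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
! shutdown is already the default violation mode; stating it makes the intent explicit
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# exit
! Optional: let the switch re-enable err-disabled ports on its own after 300 s
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Sticky MACs are written into the running-config only; save so they survive a reload
Switch# copy running-config startup-config
! Verification
Switch# show port-security interface FastEthernet0/10
Switch# show port-security address
Switch# show interfaces status err-disabled
! Manual recovery after a violation (remove the offending device first, or it violates again at once)
Switch# configure terminal
Switch(config)# interface FastEthernet0/10
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
```

In the `show port-security interface` output the fields worth checking are Port Status (Secure-up while healthy, Secure-shutdown after a violation), Violation Mode, Maximum/Total/Sticky MAC Addresses, Last Source Address:Vlan (which tells you who caused the violation) and Security Violation Count.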

DHCP Snooping: Protecting Against Rogue DHCP Servers

Why DHCP Snooping?

Rogue DHCP servers can give clients malicious IP settings, such as a fake default gateway, letting attackers intercept or disrupt traffic.

Trusted vs Untrusted Ports

DHCP snooping marks uplinks toward real DHCP servers as trusted and user-facing access ports as untrusted, blocking server replies from untrusted ports.

Binding Table

DHCP snooping builds a binding table with client MAC, IP, VLAN, interface, and lease time, based on legitimate DHCP exchanges.

Key Exam Idea

Know that DHCP snooping stops rogue DHCP servers and creates a trusted IP–MAC–port database used by other security features like DAI.

Configuring DHCP Snooping and Understanding the Binding Table

Enabling DHCP Snooping

Use `ip dhcp snooping` globally and `ip dhcp snooping vlan 10,20` to protect specific VLANs where clients receive DHCP addresses.

Trusting the Right Ports

Mark the uplink toward the real DHCP server as trusted with `ip dhcp snooping trust`. User-facing access ports remain untrusted.

Rate Limiting on Untrusted Ports

On access ports, `ip dhcp snooping limit rate 15` caps DHCP messages at 15 per second, which helps stop DHCP starvation or flooding attacks from a compromised host; a port that exceeds its limit is placed in err-disabled state.

Reading the Binding Table

Use `show ip dhcp snooping binding` to see MAC, IP, VLAN, and interface mappings that define which IPs are legitimate on which ports.
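The DHCP snooping steps above combined into one configuration, added as an example and not part of the page. The uplink (`GigabitEthernet0/1`), the access-port range and the database filename are assumptions; VLANs 10 and 20 come from the text:

```cisco
! Added example (not from the original page): DHCP snooping for client VLANs 10 and 20.
! Assumed values: uplink Gi0/1, access ports Fa0/1-24, database file name.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20
! The switch inserts DHCP option 82 by default; many servers drop such requests when
! they do not come from a relay (giaddr 0.0.0.0), so turn insertion off unless the server expects it
Switch(config)# no ip dhcp snooping information option
! Uplink toward the real DHCP server / core: trusted
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
! User-facing access ports are untrusted by default; cap DHCP at 15 packets per second
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit
! A port that exceeds its rate limit is err-disabled; allow automatic recovery
Switch(config)# errdisable recovery cause dhcp-rate-limit
! Optional: persist the binding table so it survives a reload
Switch(config)# ip dhcp snooping database flash:/dhcp-snooping.db
Switch(config)# end
! Verification
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip dhcp snooping statistics
```

`show ip dhcp snooping` lists the protected VLANs, the option 82 setting and a per-interface table of trust state and rate limit. Bindings only appear after a client completes a DHCP exchange on an untrusted port, so a host with a statically configured address never gets one; that matters as soon as DAI is enabled on top of snooping.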

Dynamic ARP Inspection (DAI): Concept and Relationship to DHCP Snooping

ARP as an Attack Vector

ARP maps IP to MAC on a LAN. Attackers can forge ARP replies to redirect traffic, known as ARP spoofing or poisoning.

What DAI Does

Dynamic ARP Inspection inspects ARP packets on untrusted ports and drops those that do not match trusted information.

Using DHCP Snooping Bindings

DAI uses the DHCP snooping binding table to verify that the ARP sender IP/MAC pair is legitimate for that VLAN and interface.

Concepts to Remember

DAI is enabled per VLAN, uses trusted vs untrusted ports, and is designed to block ARP spoofing by validating ARP packets.
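The DAI concepts above as an IOS configuration, added as an example and not taken from the page. It assumes DHCP snooping is already running for VLANs 10 and 20, that `GigabitEthernet0/1` is the uplink, and uses a constructed static host (`10.1.10.50` / `0011.2233.4455`) to show the ARP ACL case:

```cisco
! Added example (not from the original page): Dynamic ARP Inspection on VLANs 10 and 20.
! Assumes DHCP snooping is already enabled for those VLANs; Gi0/1 and the static-host values are constructed.
Switch(config)# ip arp inspection vlan 10,20
! Also check that the Ethernet source/destination MACs and the IPs in the ARP body are consistent
Switch(config)# ip arp inspection validate src-mac dst-mac ip
! Uplink toward the core: trusted (the peer switch inspects its own edge ports)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
! Untrusted access ports are limited to 15 ARP packets/s by default; make it explicit
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# ip arp inspection limit rate 15
Switch(config-if-range)# exit
! Exceeding the ARP rate limit err-disables the port; allow automatic recovery
Switch(config)# errdisable recovery cause arp-inspection
! A host with a static IP has no DHCP binding, so DAI would drop its ARP.
! Whitelist it with an ARP ACL (constructed sample IP/MAC)
Switch(config)# arp access-list STATIC-HOSTS
Switch(config-arp-nacl)# permit ip host 10.1.10.50 mac host 0011.2233.4455
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection filter STATIC-HOSTS vlan 10
Switch(config)# end
! Verification
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection interfaces
Switch# show ip arp inspection statistics vlan 10
```

The statistics output is the first place to look when users on a VLAN suddenly lose connectivity after DAI is turned on: a climbing Dropped count on an access port usually means the host has no DHCP binding (static address, or the binding table was lost on reload) rather than an actual spoofing attempt.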

Wireless Security in Practice: WPA2-PSK, WPA2-Enterprise, WPA3

Wireless Security Choices

On WLANs, your main security decision is the authentication and encryption method: WPA2-PSK, WPA2-Enterprise, or WPA3.

WPA2-PSK (Personal)

All clients share one passphrase. It is easy to deploy but if the key leaks, anyone can join. Common in homes and small offices.

WPA2-Enterprise

Uses 802.1X and a RADIUS server. Each user has unique credentials, making it better for enterprises and user-level revocation.

WPA3 Today

WPA3 improves security, especially against offline attacks. Many networks use WPA2-Enterprise or mixed WPA2/WPA3 modes for compatibility.

Applying Wireless Security Settings: Choosing WPA Modes

Small Office Scenario

Ten employees, no RADIUS server. Choose WPA2-PSK or WPA2/WPA3-Personal with a strong shared passphrase and AES (CCMP) encryption.

Enterprise Scenario

Two hundred employees with central accounts. Choose WPA2-Enterprise or mixed WPA2/WPA3-Enterprise using 802.1X and RADIUS.

GUI Configuration Flow

Create the SSID, pick WPA2/WPA3, then choose Personal (PSK) or Enterprise (802.1X). Enter the PSK or configure the RADIUS server.

Exam Clue: RADIUS Mention

If the scenario mentions a RADIUS server or per-user authentication, WPA2-Enterprise is almost always the correct answer.
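The two scenarios above (small office with a shared passphrase, enterprise with RADIUS) expressed as Cisco autonomous access point IOS commands rather than the WLC GUI flow the text describes. This is an added example, not configuration from the page; the SSID names, the RADIUS address `10.10.10.5`, the shared secret and the passphrase are placeholders:

```cisco
! Added example (not from the original page): Cisco autonomous (IOS) AP syntax, not the WLC GUI.
! SSID names, RADIUS address, shared secret and passphrase are placeholder values.
! The two SSIDs are alternatives: only one broadcast (guest-mode) SSID per radio without VLANs.

! --- Small office: WPA2-Personal (PSK) with AES-CCMP ---
ap(config)# dot11 ssid SmallOffice
ap(config-ssid)# authentication open
ap(config-ssid)# authentication key-management wpa version 2
ap(config-ssid)# wpa-psk ascii 0 REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
ap(config-ssid)# guest-mode
ap(config-ssid)# exit
ap(config)# interface Dot11Radio0
ap(config-if)# encryption mode ciphers aes-ccm
ap(config-if)# ssid SmallOffice
ap(config-if)# exit

! --- Enterprise: WPA2-Enterprise (802.1X / EAP) against a RADIUS server ---
ap(config)# aaa new-model
ap(config)# radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
ap(config)# aaa group server radius RAD_EAP
ap(config-sg-radius)# server 10.10.10.5 auth-port 1812 acct-port 1813
ap(config-sg-radius)# exit
ap(config)# aaa authentication login EAP_METHODS group RAD_EAP
ap(config)# dot11 ssid Corporate
ap(config-ssid)# authentication open eap EAP_METHODS
ap(config-ssid)# authentication key-management wpa version 2
ap(config-ssid)# guest-mode
ap(config-ssid)# exit
ap(config)# interface Dot11Radio0
ap(config-if)# encryption mode ciphers aes-ccm
ap(config-if)# ssid Corporate
ap(config-if)# exit
```

The difference between the two is exactly the decision the text describes: `wpa-psk` puts one shared secret on the SSID, while `authentication open eap` hands each association to the RADIUS server, so a leaving employee is handled by disabling one account rather than by rotating a passphrase on every device.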

Securing Unused Ports and Basic Switch Hardening

Why Harden Switch Ports?

Unused or misconfigured ports are easy entry points. Hardening limits what can happen if someone plugs into a random jack.

Disable and Park Unused Ports

Shut down unused interfaces and place them in a parking VLAN with no default gateway or user devices.

Prevent Unauthorized Trunking

Set user ports to `switchport mode access` and disable DTP with `switchport nonegotiate` so an attacker on a wall jack cannot negotiate a trunk. `nonegotiate` is only accepted once the port is statically in access or trunk mode.

Tie-In to Management Security

Combine port hardening with secure management: SSH only and ACLs limiting who can manage the switch.

Design Challenge: Securing an Office Floor Switch

Imagine you are responsible for a 48-port access switch on an office floor. Ports 1–30 are in use by employees and IP phones (VoIP), ports 31–40 are currently unused, and ports 41–48 are uplinks and connections to other network devices.

Your goals:

  • Limit who can use employee ports.
  • Protect against rogue DHCP servers.
  • Reduce the impact if a wall jack is exposed in a hallway.

Mentally design your configuration and then compare with the hints below.

Questions to think through:

  1. Which ports should have port security, and what maximum MAC count makes sense?
  2. Which ports should be trusted for DHCP snooping?
  3. What should you do with the unused ports (31–40)?
  4. Would you use WPA2-PSK or WPA2-Enterprise for the office Wi‑Fi if you have an existing RADIUS server?

Suggested answers (peek after thinking):

  • Apply port security on access ports 1–30, maybe `maximum 2` (phone + PC), sticky MAC, violation shutdown.
  • Mark uplinks (41–48) toward the core/DHCP server as trusted for DHCP snooping; keep 1–40 untrusted.
  • Put 31–40 in a parking VLAN and `shutdown` them.
  • Use WPA2-Enterprise for Wi‑Fi if RADIUS is available, to get per-user authentication.

Use this exercise to connect individual commands into a coherent security design.
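The suggested answers to the design challenge, together with the hardening steps from the previous section (parking VLAN, no DTP, SSH-only management behind an ACL), as one IOS configuration for the 48-port floor switch. This is an added example, not configuration from the page. Assumed values: hostname `FLOOR-SW`, data VLAN 10, voice VLAN 100, parking VLAN 999, management subnet `10.0.0.0/24`, domain name `example.local`:

```cisco
! Added example (not from the original page): 48-port office floor switch.
! Assumed values: data VLAN 10, voice VLAN 100, parking VLAN 999, mgmt subnet 10.0.0.0/24.

! Ports 1-30: employee PC + IP phone, port security allows two sticky MACs
FLOOR-SW(config)# interface range FastEthernet0/1 - 30
FLOOR-SW(config-if-range)# switchport mode access
FLOOR-SW(config-if-range)# switchport access vlan 10
FLOOR-SW(config-if-range)# switchport voice vlan 100
! No DTP, so a host cannot negotiate a trunk
FLOOR-SW(config-if-range)# switchport nonegotiate
FLOOR-SW(config-if-range)# switchport port-security
FLOOR-SW(config-if-range)# switchport port-security maximum 2
FLOOR-SW(config-if-range)# switchport port-security mac-address sticky
FLOOR-SW(config-if-range)# switchport port-security violation shutdown
FLOOR-SW(config-if-range)# ip dhcp snooping limit rate 15
FLOOR-SW(config-if-range)# exit

! Ports 31-40: unused, parked in VLAN 999 (no SVI, no gateway) and shut down
FLOOR-SW(config)# vlan 999
FLOOR-SW(config-vlan)# name PARKING
FLOOR-SW(config-vlan)# exit
FLOOR-SW(config)# interface range FastEthernet0/31 - 40
FLOOR-SW(config-if-range)# switchport mode access
FLOOR-SW(config-if-range)# switchport access vlan 999
FLOOR-SW(config-if-range)# switchport nonegotiate
FLOOR-SW(config-if-range)# shutdown
FLOOR-SW(config-if-range)# exit

! Ports 41-48: uplinks and infrastructure, static trunks trusted for DHCP snooping
! (on platforms that also support ISL, add "switchport trunk encapsulation dot1q" first)
FLOOR-SW(config)# interface range FastEthernet0/41 - 48
FLOOR-SW(config-if-range)# switchport mode trunk
FLOOR-SW(config-if-range)# switchport nonegotiate
FLOOR-SW(config-if-range)# ip dhcp snooping trust
FLOOR-SW(config-if-range)# exit

! DHCP snooping for the data and voice VLANs; ports 1-40 stay untrusted
FLOOR-SW(config)# ip dhcp snooping
FLOOR-SW(config)# ip dhcp snooping vlan 10,100

! Management: SSH only, and only from the management subnet
FLOOR-SW(config)# ip domain-name example.local
FLOOR-SW(config)# crypto key generate rsa modulus 2048
FLOOR-SW(config)# ip ssh version 2
FLOOR-SW(config)# username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
FLOOR-SW(config)# ip access-list standard MGMT-ONLY
FLOOR-SW(config-std-nacl)# permit 10.0.0.0 0.0.0.255
FLOOR-SW(config-std-nacl)# deny any log
FLOOR-SW(config-std-nacl)# exit
FLOOR-SW(config)# line vty 0 15
FLOOR-SW(config-line)# transport input ssh
FLOOR-SW(config-line)# login local
FLOOR-SW(config-line)# access-class MGMT-ONLY in
FLOOR-SW(config-line)# exit
FLOOR-SW(config)# end
FLOOR-SW# copy running-config startup-config
```

Two checks after applying this: `show port-security` should list ports 1-30 with a maximum of 2, and `show ip dhcp snooping` should show only 41-48 as trusted. The `deny any log` at the end of the management ACL is deliberate: a login attempt from outside the management subnet leaves a log entry instead of silently disappearing.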

Quiz 1: Port Security and DHCP Snooping

Answer the question, then read the explanation to reinforce your understanding.

On a Cisco switch, you configure port security on an access port with a maximum of 1 MAC address and violation mode 'shutdown'. A second device is plugged into the same port. What is the MOST accurate description of what happens?

  A. The port drops frames from the second device but remains up, and no logs are generated.
  B. The port drops frames from the second device, increments a violation counter, but stays up.
  C. The port transitions to err-disabled state and stops forwarding any traffic until it is manually or automatically recovered.
  D. The switch automatically learns both MAC addresses and increases the maximum to 2.

Answer: C) The port transitions to err-disabled state and stops forwarding any traffic until it is manually or automatically recovered.

With port security violation mode 'shutdown' (the default), any violation such as exceeding the maximum MAC count causes the port to go into the err-disabled state. It stops forwarding all traffic until you issue 'shutdown' followed by 'no shutdown' (or configure errdisable recovery). 'protect' silently drops, and 'restrict' drops and counts/logs but does not err-disable the port.

Quiz 2: DAI and Wireless Security

Check your understanding of Dynamic ARP Inspection and wireless modes.

A network uses DHCP snooping and Dynamic ARP Inspection (DAI) on VLAN 20. Which statement best describes how DAI decides whether to drop an ARP packet arriving on an untrusted port?

  A. DAI checks if the ARP sender IP and MAC match an entry in the DHCP snooping binding table for VLAN 20.
  B. DAI checks only whether the ARP packet comes from a trusted port and ignores its contents.
  C. DAI compares the ARP packet to an ACL that lists permitted TCP and UDP ports.
  D. DAI verifies that the ARP sender IP address is in the same subnet as the default gateway.

Answer: A) DAI checks if the ARP sender IP and MAC match an entry in the DHCP snooping binding table for VLAN 20.

Dynamic ARP Inspection uses the DHCP snooping binding table (and optionally static ARP ACLs) to validate ARP packets. On untrusted ports, it compares the ARP sender IP/MAC pair against the binding table for that VLAN. If there is no match or the packet is malformed, DAI drops it. It does not inspect TCP/UDP ports and is not just a subnet check.

Key Term Flashcards: Layer 2 Security and Wireless

Use these flashcards to reinforce core terminology and behaviors.

Port security (switch feature)
A Layer 2 switch feature that restricts which MAC addresses are allowed on a port by setting limits, defining secure MAC addresses, and specifying what happens when a violation occurs.
Port security violation modes
protect: silently drops violating traffic. restrict: drops violating traffic and increments counters/logs. shutdown: places the port in err-disabled state on violation (default).
DHCP snooping (purpose)
A Layer 2 security feature that classifies ports as trusted or untrusted, blocks DHCP server messages on untrusted ports, and builds a DHCP snooping binding table of legitimate IP–MAC–VLAN–port mappings.
DHCP snooping binding table
A database created by DHCP snooping that records each client's MAC address, IP address, VLAN, interface, and lease time, used to validate traffic and support features like Dynamic ARP Inspection.
Dynamic ARP Inspection (DAI)
A Layer 2 security feature that inspects ARP packets on untrusted ports and drops those that do not match trusted IP–MAC bindings, helping prevent ARP spoofing attacks.
WPA2-PSK
A wireless security mode where all clients share a pre-shared key (passphrase) with the access point, commonly used in home and small office networks.
WPA2-Enterprise
A wireless security mode that uses 802.1X and a RADIUS server to authenticate each user with unique credentials, common in enterprise environments.
WPA3 (high-level)
The newer wireless security standard that strengthens protection against offline attacks and improves encryption and key management compared to WPA2, with Personal and Enterprise variants.
Securing unused switch ports
Best practice is to place unused ports in a dedicated parking VLAN with no default gateway and administratively shut them down to prevent unauthorized use.
Trusted vs untrusted ports (DHCP snooping/DAI)
Trusted ports are typically uplinks toward infrastructure devices and are allowed to send control traffic like DHCP server replies; untrusted ports are user-facing access ports where such traffic is restricted and inspected.

Key Terms

Err-disabled
An error-disabled state on Cisco switches in which a port is shut down by the switch due to a detected fault or security violation, requiring manual or configured automatic recovery.
Parking VLAN
A VLAN used to assign unused switch ports, typically with no active hosts or default gateway, to reduce the risk of unauthorized access.
Trusted port
In the context of DHCP snooping and DAI, a port on which certain control traffic (such as DHCP server replies) is allowed without restriction, usually facing infrastructure devices rather than end users.
