
Chapter 24 of 29

Layer 2 Security: Port Security, DHCP Snooping, and Wireless Security

Lock down the access layer with port security and other Layer 2 protections, then secure your WLANs with modern wireless security standards.


Locking Down the Access Layer: Why Layer 2 Security Matters

From Core to Edge

You previously hardened devices and used ACLs. Now we move to the access layer, where user devices, printers, phones, and APs physically connect, and where many attacks start.

Why Layer 2 Security

Attackers at the edge can plug in laptops, run rogue DHCP, spoof ARP, or add unauthorized Wi‑Fi. These Layer 2 attacks can bypass higher-layer security controls.

Four Protection Themes

We focus on: 1) Port security, 2) DHCP snooping, 3) Dynamic ARP Inspection (conceptual), and 4) Wireless security (WPA2/WPA3, PSK, 802.1X) tied to VLANs and ACLs.

Segmentation Foundations

Remember: A VLAN is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of physical location.

ACL Foundations

Also recall: An ACL is an ordered set of permit and deny statements that control which packets are allowed or blocked based on source, destination, and protocol.

Goal for This Module

You will be able to explain why each feature exists, recognize key commands, and avoid configuration mistakes that often appear as CCNA exam traps.

Port Security: Concept and Modes of Violation Handling

What Is Port Security

Port security restricts which MAC addresses can use a switch port. It is usually applied on access ports that connect end devices, not on trunk links between switches.

Why Use It

It prevents rogue laptops replacing phones or PCs, limits how many devices can sit behind a small unmanaged switch, and generates evidence when suspicious activity occurs.

Secure MAC Concepts

Each port has secure MAC addresses and a maximum number allowed. MACs can be configured manually (static) or learned and kept (sticky) by the switch.

Violation Modes

On a violation, protect silently drops frames from unknown MACs and keeps the port up; restrict also drops them but increments the violation counter and sends a syslog/SNMP notification; shutdown (the default) puts the port into err-disabled state, so even the legitimate device loses connectivity until the port is recovered.

Sticky MAC and Persistence

Sticky MACs are dynamically learned and placed in the running config. To keep them across reloads, you must save the configuration to startup-config.

Configuring Port Security on an Access Port

Scenario and Goal

Interface Fa0/10 connects a single PC in VLAN 10. We want one MAC allowed, sticky learning, and shutdown on violation to quickly block unauthorized devices.

Key Config Lines

Configure: switchport mode access, switchport access vlan 10, then switchport port-security, set maximum 1, enable mac-address sticky, and set violation shutdown.

Verification

Use show port-security interface and show port-security address to see port status, secure MAC addresses, and violation counters for troubleshooting or audits.

Common Mistakes

Typical errors: not setting a static access (or trunk) mode first, since the switch rejects port security on a port still in dynamic mode; enabling it on trunks between switches; mixing up which violation mode keeps the port up; or assuming sticky MACs persist across a reload without saving the configuration.
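The scenario above as one complete configuration, with the verification output and one of the common mistakes shown next to it. This is an added example, not configuration from the original page; the interface numbers, VLAN and recovery timer are assumed for illustration.

```cisco
! Added example: port security on Fa0/10 for a single PC in VLAN 10.
! Interface, VLAN and recovery interval are assumed values.

! --- Correct configuration ---
interface FastEthernet0/10
 description User PC - VLAN 10
 switchport mode access            ! static access mode; port security is refused on dynamic ports
 switchport access vlan 10
 switchport port-security          ! enable the feature before tuning it
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown   ! the default, written out so the intent is explicit
 spanning-tree portfast            ! edge port, never a switch-to-switch link
!
! Optional: reopen err-disabled ports automatically after 5 minutes instead of
! waiting for someone to do "shutdown" / "no shutdown" on the interface.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Sticky MACs are written to the running config only; keep them across a reload with:
! copy running-config startup-config

! --- Verification (abbreviated output) ---
! show port-security interface FastEthernet0/10
!   Port Security              : Enabled
!   Port Status                : Secure-up        (Secure-shutdown once a violation has err-disabled it)
!   Violation Mode             : Shutdown
!   Maximum MAC Addresses      : 1
!   Sticky MAC Addresses       : 1
!   Security Violation Count   : 0
! show port-security address          -> every secure MAC, its type (SecureSticky) and port
! show errdisable recovery             -> which causes recover automatically, and the timer

! --- Common mistake ---
! interface FastEthernet0/11
!  switchport port-security            ! entered while the port is still "dynamic auto"
!  -> Command rejected: FastEthernet0/11 is a dynamic port.
! Fix: "switchport mode access" first, then enable port security.
```

The violation counter and `Port Status` line are what an auditor reads first: a `Secure-shutdown` status with a non-zero count on a port that should carry one PC is either an unauthorized device or a user who plugged in a small unmanaged switch.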

Mental Model

Imagine the port as a door with a guest list. Secure MACs are approved names, and the violation mode defines how strictly the bouncer reacts to unknown guests.

DHCP Snooping: Protecting IP Assignment at Layer 2

Why DHCP Is a Target

DHCP configures clients automatically, including IP, mask, default gateway, and DNS. A rogue DHCP server can mislead clients and hijack or break their connectivity.

What DHCP Snooping Does

DHCP snooping classifies ports as trusted or untrusted, permits server responses only on trusted ports, and builds a DHCP binding table with IP–MAC–VLAN–port data.

Trusted vs Untrusted

Uplinks toward real DHCP servers are trusted. User-facing access ports are untrusted; DHCP replies from untrusted ports are dropped, blocking rogue servers.

Binding Table Role

The DHCP snooping binding table records which MAC has which IP on which port and VLAN, and is later used by features like Dynamic ARP Inspection to validate ARP.

Exam Angle

Know that DHCP snooping is enabled globally and per VLAN, and that it is primarily about blocking rogue DHCP replies on untrusted ports.

Configuring DHCP Snooping and Understanding the Binding Table

Scenario Setup

VLAN 10 is the user VLAN. The DHCP server sits beyond uplink Gi0/1. All other FastEthernet ports connect to users and should be treated as untrusted.

Core Config

Enable ip dhcp snooping globally and for VLAN 10. Mark Gi0/1, the uplink to the real DHCP server, as ip dhcp snooping trust so its replies are permitted.

Rate Limiting

On user ports, you can add ip dhcp snooping limit rate to cap the number of DHCP packets per second and blunt DHCP-flood or starvation attempts. If a port exceeds its limit the switch err-disables it, so set a value a legitimate client cannot reach during normal boot and renewal (and consider errdisable recovery for the dhcp-rate-limit cause).

Viewing Bindings

Use show ip dhcp snooping and show ip dhcp snooping binding to list which MAC has which IP, on what VLAN and interface, based on legitimate DHCP exchanges.

Pitfalls

Common errors: not trusting the uplink (so every legitimate OFFER/ACK is dropped and clients stop getting leases), enabling snooping globally but forgetting the per-VLAN command, leaving DHCP option 82 insertion on (the Cisco default) when the DHCP server or relay drops packets that carry it, or assuming static-IP hosts will appear in the binding table; they never send DHCP, so they need a static binding added by hand.
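The DHCP snooping scenario from this section as one configuration, including the rate limit, a static binding for a host that never uses DHCP, and the show commands. This is an added example, not from the original page; the interface numbers, VLAN, MAC address and IP address are assumed for illustration.

```cisco
! Added example: DHCP snooping for user VLAN 10, DHCP server reachable via uplink Gi0/1.
! Interface numbers, VLAN, and the static host's MAC/IP are assumed values.

ip dhcp snooping                    ! global enable; does nothing until a VLAN is listed
ip dhcp snooping vlan 10            ! per-VLAN enable
! Cisco inserts DHCP option 82 by default; many servers and relays drop such packets
! when they come from a Layer 2 switch (giaddr 0). Turn it off unless the server expects it.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Uplink toward the DHCP server
 switchport mode trunk
 ip dhcp snooping trust             ! OFFER/ACK arriving here are allowed and populate the table
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15     ! DHCP packets per second; the port is err-disabled if exceeded
 ! no "trust" here: any DHCP server reply arriving on these ports is dropped
!
! Optional: recover ports that tripped the rate limit after the default interval
errdisable recovery cause dhcp-rate-limit
!
! A printer with a static IP never sends DHCP, so it never gets a binding.
! Add one manually so features that read this table (DAI, IP Source Guard) don't block it.
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface FastEthernet0/5
!
! Verification
! show ip dhcp snooping            -> enabled VLANs, option 82 state, trusted interfaces and rate limits
! show ip dhcp snooping binding    -> MacAddress  IpAddress  Lease(sec)  Type (dhcp-snooping | static)  VLAN  Interface
! show ip dhcp snooping statistics -> counters for packets dropped on untrusted ports
```

If clients stop getting leases right after you enable this, check `show ip dhcp snooping` for the uplink's trust state and the option 82 setting before anything else; those two account for most DHCP snooping outages.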

Dynamic ARP Inspection (DAI): Conceptual Protection Against ARP Spoofing

ARP Spoofing Problem

ARP maps IP to MAC but is unauthenticated. Attackers can send fake ARP replies claiming to be the default gateway, redirecting traffic through themselves.

What DAI Does

Dynamic ARP Inspection inspects ARP packets on untrusted ports and only permits them if they match known valid IP–MAC–port bindings stored by the switch.

Binding Sources

DAI relies mainly on the DHCP snooping binding table, and optionally on static ARP ACLs, to know which IP and MAC combinations are legitimate.

Trusted vs Untrusted

DAI marks ports as trusted or untrusted. On untrusted ports, each ARP packet is validated; mismatches are dropped and can be logged as potential attacks.

CCNA-Level Takeaways

Know that DAI mitigates ARP spoofing, depends on the DHCP snooping binding table, and will drop legitimate ARP (breaking connectivity) wherever bindings are incomplete, especially for static-IP devices, which need a static binding or an ARP ACL entry before DAI is turned on.
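The page treats DAI conceptually; as an added example (not from the original page) here is what enabling it looks like on a Cisco IOS access switch that already runs DHCP snooping on the same VLAN, including the ARP ACL for a static-IP host. Interface numbers, VLAN, MAC and IP addresses are assumed for illustration.

```cisco
! Added example: DAI on VLAN 10, layered on DHCP snooping for the same VLAN.
! Interface numbers, VLAN, MAC and IP addresses are assumed values.

ip dhcp snooping
ip dhcp snooping vlan 10            ! DAI reads this VLAN's binding table
!
ip arp inspection vlan 10           ! enable DAI per VLAN
! Also check that the MAC/IP inside the ARP body agree with the Ethernet header
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink to core / other switches
 ip arp inspection trust            ! switch-to-switch links are trusted; ARP from them is not inspected
!
interface range FastEthernet0/1 - 24
 ip arp inspection limit rate 15    ! ARP packets/s per untrusted port (15 is the default); err-disables on excess
!
! The static-IP host on Fa0/5 has no DHCP binding, so its ARP would be dropped.
! Either add a static binding (ip source binding ...) or permit the pair with an ARP ACL:
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verification
! show ip arp inspection vlan 10             -> enabled, validate options, ACL in use
! show ip arp inspection interfaces          -> trust state and rate limit per port
! show ip arp inspection statistics vlan 10  -> Forwarded / Dropped / DHCP Drops / ACL Drops
! A spoofed reply on an untrusted port is dropped and logged (abbreviated):
!   %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/7, vlan 10.
!   ([aaaa.bbbb.cccc/10.1.10.1/0000.0000.0000/0.0.0.0/...])
```

Roll DAI out one VLAN at a time and watch `DHCP Drops` in the statistics: a steady stream of drops from a single port right after enabling is usually a forgotten static host, not an attacker.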

Wireless Security Basics: WPA2, WPA3, PSK, and 802.1X

Why Wi‑Fi Security Matters

Wireless is the main way users connect. You must authenticate users and encrypt traffic; otherwise anyone in range could join or eavesdrop.

WPA2 Overview

WPA2 uses AES-CCMP and is still widely used. It is strong when configured well, but in PSK mode anyone who captures a client's 4-way handshake can brute-force the passphrase offline, so weak passphrases are cracked quickly.

WPA3 Improvements

WPA3 introduces SAE (a password-authenticated key exchange) in personal mode, so a captured handshake no longer gives an attacker anything to attack offline and each session gets its own forward-secret keys; it also makes Protected Management Frames mandatory, and enterprise mode adds an optional 192-bit security suite.

PSK (Personal) Mode

PSK uses a single shared passphrase for all users. It is simple but hard to manage securely; if one user leaks it, everyone’s traffic is at risk.

802.1X (Enterprise) Mode

802.1X uses EAP over the wireless link, with the AP or WLC acting as authenticator and forwarding the exchange to a RADIUS server for per-user or per-device authentication. It enables unique credentials or certificates, per-session keys, and individual revocation, which is why it is preferred in business networks.

Putting It Together: VLANs, ACLs, and Wireless Segmentation

Segmentation Goal

The aim is least privilege: separate traffic into VLANs and only allow necessary communication between them, limiting how far an attacker can move.

VLAN Role

A VLAN is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of physical location.

ACL Enforcement

An ACL is an ordered set of permit and deny statements controlling which packets are allowed or blocked based on source, destination, and protocol.

Example Policies

Guests only reach the internet, phones reach call managers, IoT devices reach only management servers. Each group lives in its own VLAN with tailored ACLs.

SSIDs to VLANs

Wireless SSIDs map to VLANs: e.g., Corp SSID to VLAN 10 with 802.1X, Guest SSID to VLAN 20 with PSK, then ACLs and Layer 2 security enforce boundaries.
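The "Guests only reach the internet" policy from the example policies above, written as an IOS ACL on the Guest VLAN's Layer 3 gateway. This is an added example, not configuration from the original page; the VLAN IDs, subnets, gateway and DHCP server addresses are assumed for illustration.

```cisco
! Added example: restricting Guest VLAN 20 to internet-only at the gateway SVI.
! VLAN IDs, subnets, gateway address and DHCP server address are assumed values.

! Guest SSID -> VLAN 20 (WPA2/WPA3-PSK); Corp SSID -> VLAN 10 (802.1X)
vlan 10
 name CORP
vlan 20
 name GUEST
!
ip access-list extended GUEST-IN
 remark Assumed: gateway serves DNS for guests; DHCP server is 10.1.100.10 behind the relay
 permit udp any host 192.168.20.1 eq domain
 permit udp any eq bootpc any eq bootps                 ! initial broadcast DISCOVER/REQUEST
 permit udp any eq bootpc host 10.1.100.10 eq bootps    ! unicast renewals go straight to the server
 remark Block every private range, i.e. all internal VLANs, servers and switch management
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Anything left is internet-bound
 permit ip any any
!
interface Vlan20
 description Guest Wi-Fi gateway
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.1.100.10
 ip access-group GUEST-IN in        ! evaluated as traffic enters from guests, before routing
!
! Corp (VLAN 10) has no such deny and reaches the server VLAN normally.
! Check: show ip access-lists GUEST-IN   -> per-line match counters; the deny lines should
!        climb when a guest tries an internal address, the permit lines when they browse.
```

Order matters: the DNS and DHCP permits sit before the `deny ... 192.168.0.0` and `deny ... 10.0.0.0` lines, because the first matching statement wins. DHCP snooping and DAI on the access switches stop a guest from spoofing their way out of the VLAN; this ACL is what stops them once they are legitimately in it.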

Thought Exercise: Designing a Secure Access Layer

Apply what you have learned to a small campus scenario.

Scenario:

You manage a small building with:

  • 1 access switch on each floor.
  • 1 core/distribution switch in the server room.
  • A wireless controller and APs providing two SSIDs: "Corp" and "Guest".
  • A DHCP server on the core switch.

You must protect against:

  • Rogue devices plugged into wall ports.
  • Rogue DHCP servers.
  • ARP spoofing inside user VLANs.
  • Guests reaching internal resources.

Your tasks (think through and, if you like, write down your answers):

  1. VLAN plan
  • Which VLANs would you create for Corp users, Guest Wi‑Fi, and IP phones?
  • How would you map SSIDs to VLANs?
  2. Port security
  • On which ports would you enable port security, and with what maximum MAC count and violation mode?
  • Would you use sticky MACs anywhere? Why or why not?
  3. DHCP snooping and DAI
  • Which ports should be trusted for DHCP snooping?
  • On which VLANs would you enable DHCP snooping and DAI?
  • How would you handle devices with static IPs?
  4. ACLs
  • What ACL rules would you apply to ensure Guest users only access the internet?
  • How would you enforce that Corp users can reach servers, but Guests cannot?

Pause and build a short text or diagram of your design. After you have a draft, compare it against the earlier steps and see if you used each feature effectively.

Quiz 1: Port Security and DHCP Snooping

Answer this question to check your understanding of port security and DHCP snooping.

You configure port security on an access port with `maximum 1`, `mac-address sticky`, and the default violation mode. A user unplugs their PC and connects a rogue laptop. What is the MOST likely outcome after the new device starts sending traffic?

  1. The port silently drops frames from the new MAC address but stays up, and no logs are generated.
  2. The port drops frames from the new MAC address, increments a violation counter, but stays up.
  3. The port transitions to an err-disabled state and stops forwarding traffic until it is manually or automatically recovered.
  4. The switch automatically learns the new MAC address as sticky and replaces the old one without any disruption.

Answer: 3) The port transitions to an err-disabled state and stops forwarding traffic until it is manually or automatically recovered.

With `maximum 1` and sticky MAC, the first device's MAC is learned and secured. The default violation mode is `shutdown`, so when a second (unknown) MAC appears, a security violation occurs and the port is err-disabled. It will not forward traffic again until it is recovered, either manually with `shutdown` / `no shutdown` on the interface or automatically if `errdisable recovery cause psecure-violation` is configured. `protect` and `restrict` would keep the port up and only drop the offending frames, but those modes are not the default, and option 4 describes behaviour port security never exhibits: a secured port does not swap in a new MAC on its own.

Quiz 2: ARP Inspection, Wireless Security, and Segmentation

Test your understanding of DAI, wireless security models, and VLAN-based segmentation.

Which combination BEST describes a secure and scalable design for a corporate Wi‑Fi network, aligned with modern best practice and CCNA concepts?

  1. Single SSID using WPA2-PSK for all users, no VLANs, rely only on strong passwords.
  2. Separate 'Corp' and 'Guest' SSIDs mapped to different VLANs; 'Corp' uses WPA2/WPA3-Enterprise (802.1X) and 'Guest' uses WPA2/WPA3-PSK; apply ACLs at the gateway to restrict Guest access; enable DHCP snooping and DAI on access switches.
  3. Use open (unencrypted) Wi‑Fi with a captive portal for all users, then rely on host firewalls for protection.
  4. Use WEP for legacy compatibility, place all users in one VLAN, and rely on port security to prevent wireless attacks.

Answer: 2) Separate 'Corp' and 'Guest' SSIDs mapped to different VLANs; 'Corp' uses WPA2/WPA3-Enterprise (802.1X) and 'Guest' uses WPA2/WPA3-PSK; apply ACLs at the gateway to restrict Guest access; enable DHCP snooping and DAI on access switches.

Option 2 combines multiple best practices: separate SSIDs mapped to separate VLANs, 802.1X (Enterprise) for corporate users, PSK for guests, ACLs to restrict Guest access, and DHCP snooping/DAI at the access layer. The other options either lack encryption, rely on outdated WEP, or fail to segment and control traffic properly.

Key Term Flashcards: Layer 2 and Wireless Security

Use these flashcards to reinforce the most important terms from this module.

Port security
A switch feature that limits and identifies the MAC addresses allowed on a port, helping prevent unauthorized devices from connecting or multiple devices sharing a single access port.
Secure MAC address (port security)
A MAC address that the switch has been configured or learned (via sticky) to allow on a specific port; traffic from other MAC addresses may trigger a security violation.
Port security violation modes
protect: silently drop unknown MACs; restrict: drop and log/count violations; shutdown: default, err-disables the port on violation.
DHCP snooping
A Layer 2 security feature that classifies ports as trusted or untrusted, blocks DHCP replies from untrusted ports, and builds a binding table of IP–MAC–VLAN–port information.
DHCP snooping binding table
A database on the switch that records which MAC address received which IP address on which VLAN and interface, based on legitimate DHCP exchanges.
Dynamic ARP Inspection (DAI)
A Layer 2 feature that validates ARP packets on untrusted ports against trusted IP–MAC bindings (usually from DHCP snooping) to prevent ARP spoofing attacks.
WPA2 vs WPA3
WPA2 uses AES-CCMP and is widely deployed; WPA3 improves security (for example, using SAE in personal mode) and better protects against offline password attacks.
PSK (Pre-Shared Key) vs 802.1X
PSK uses a single shared passphrase for all users; 802.1X (Enterprise) uses a RADIUS server for per-user or per-device authentication and is preferred in business networks.
VLAN (exam definition)
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
ACL (exam definition)
An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
Guest Wi‑Fi segmentation
Design practice where guest clients are placed in a dedicated VLAN, mapped from a Guest SSID, and constrained by ACLs so they can reach only the internet, not internal resources.

Key Terms

ACL
An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
VLAN
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
WPA2
A Wi‑Fi security standard that uses AES-CCMP for encryption and supports both PSK (Personal) and 802.1X (Enterprise) authentication models.
WPA3
The successor to WPA2 with improved security, including SAE in personal mode and stronger protections against offline password guessing.
802.1X
An IEEE standard for port-based network access control, commonly used with RADIUS to authenticate users and devices on wired and wireless networks.
DHCP snooping
A Layer 2 feature that blocks DHCP responses from untrusted ports and builds a binding table of legitimate IP–MAC–VLAN–port associations.
Port security
A Layer 2 security feature on switches that limits and identifies MAC addresses allowed on a port to prevent unauthorized access.
Secure MAC address
A MAC address that is permitted on a port by port security, either configured statically or learned dynamically via sticky MAC.
PSK (Pre-Shared Key)
A shared passphrase used by all devices on a Wi‑Fi network in Personal mode for authentication and encryption.
DHCP snooping binding table
The database a switch maintains to record which MAC address has which IP address on which VLAN and interface, based on valid DHCP exchanges.
Dynamic ARP Inspection (DAI)
A security feature that validates ARP packets on untrusted ports against trusted bindings to prevent ARP spoofing.
