5.5 Layer 2 Security Features

Key Takeaways

  • DHCP snooping creates a trusted/untrusted port model to prevent rogue DHCP servers and starvation attacks.
  • Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing.
  • Port security limits the number of MAC addresses on a port to prevent MAC flooding attacks.
  • 802.1X provides port-based network access control using EAP and a RADIUS server.
  • All three features (DHCP snooping, DAI, port security) work together for comprehensive Layer 2 security.
Last updated: March 2026

Layer 2 Security Features

Layer 2 attacks are particularly dangerous because they can bypass Layer 3 security controls like ACLs and firewalls. The CCNA tests your understanding of Layer 2 security features and the attacks they mitigate.

DHCP Snooping

DHCP snooping prevents rogue DHCP servers and DHCP starvation attacks by classifying switch ports as trusted or untrusted.

How It Works

Port Type | Allowed DHCP Messages                       | Use
----------|---------------------------------------------|-------------------------------------------------
Trusted   | All DHCP messages (including OFFER and ACK) | Ports facing the legitimate DHCP server, uplinks
Untrusted | Only DISCOVER and REQUEST (client messages) | All access ports facing end devices

If an untrusted port receives a DHCP OFFER or ACK (server messages), the switch drops the message and treats it as a violation on that port, preventing a rogue DHCP server from handing out malicious configurations.

DHCP Snooping Binding Table

DHCP snooping builds a binding table that maps:

  • MAC address → IP address → VLAN → Port

This table is used by Dynamic ARP Inspection to validate ARP packets.

Configuration

Switch(config)# ip dhcp snooping                       ! Enable globally
Switch(config)# ip dhcp snooping vlan 10,20,30          ! Enable on specific VLANs

Switch(config)# interface GigabitEthernet0/24            ! Uplink to DHCP server
Switch(config-if)# ip dhcp snooping trust                ! Mark as trusted

! All other ports are untrusted by default

Switch# show ip dhcp snooping binding                    ! View binding table

Dynamic ARP Inspection (DAI)

DAI validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing (ARP poisoning) attacks.

How It Works

  1. ARP packet arrives on an untrusted port
  2. Switch checks the source MAC and source IP against the DHCP snooping binding table
  3. If they match → ARP packet is forwarded
  4. If they don't match → ARP packet is dropped (prevents spoofed ARP)
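
The trusted/untrusted filtering, the binding table that DHCP snooping builds, and the DAI check in steps 1 to 4 above, modelled together in a small Python simulation. This is an added example, not code from the original page or from Cisco IOS; the port names, VLAN and addresses are constructed sample values.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK"}          # only legitimate when they arrive on a trusted port
CLIENT_MSGS = {"DISCOVER", "REQUEST"}   # allowed on any port


@dataclass
class L2Switch:
    """Toy model of DHCP snooping plus DAI on one switch (constructed, not IOS code)."""
    trusted: set = field(default_factory=set)       # ports with 'ip dhcp snooping trust' / 'ip arp inspection trust'
    bindings: dict = field(default_factory=dict)    # (mac, vlan) -> (ip, port): the snooping binding table
    pending: dict = field(default_factory=dict)     # (mac, vlan) -> access port of a client waiting for an ACK
    dropped: list = field(default_factory=list)     # audit trail of everything the switch dropped

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP snooping: return True if the message is forwarded, False if dropped."""
        if msg in SERVER_MSGS and port not in self.trusted:
            # OFFER/ACK arriving on an access port can only come from a rogue server
            self.dropped.append(("dhcp", port, msg, client_mac))
            return False
        if msg in CLIENT_MSGS and port not in self.trusted:
            self.pending[(client_mac, vlan)] = port      # remember which port the client lives on
        if msg == "ACK" and yiaddr and (client_mac, vlan) in self.pending:
            # A server ACK through the trusted uplink creates the binding entry
            self.bindings[(client_mac, vlan)] = (yiaddr, self.pending.pop((client_mac, vlan)))
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: validate the sender MAC/IP of an ARP packet against the binding table."""
        if port in self.trusted:
            return True                                # trusted ports are not inspected
        entry = self.bindings.get((sender_mac, vlan))  # step 2: look up the binding
        if entry and entry[0] == sender_ip and entry[1] == port:
            return True                                # step 3: match, forward
        self.dropped.append(("arp", port, sender_mac, sender_ip))
        return False                                   # step 4: mismatch, drop


def demo():
    """Constructed scenario: one client, one rogue server, one spoofed ARP reply."""
    sw = L2Switch(trusted={"Gi0/24"})               # Gi0/24 is the uplink to the real DHCP server
    sw.dhcp("Gi0/1", 10, "DISCOVER", "aa:bb:cc:00:00:01")
    rogue = sw.dhcp("Gi0/2", 10, "OFFER", "aa:bb:cc:00:00:01", "10.0.10.99")   # dropped
    sw.dhcp("Gi0/24", 10, "ACK", "aa:bb:cc:00:00:01", "10.0.10.50")           # creates the binding
    good = sw.arp("Gi0/1", 10, "aa:bb:cc:00:00:01", "10.0.10.50")             # forwarded
    spoof = sw.arp("Gi0/1", 10, "aa:bb:cc:00:00:01", "10.0.10.1")             # claims another IP: dropped
    return rogue, good, spoof, dict(sw.bindings)
```

`sw.dropped` plays the role of `show ip arp inspection statistics`: every rejected DHCP server message and every mismatched ARP packet is recorded there.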

Configuration

Switch(config)# ip arp inspection vlan 10,20,30         ! Enable DAI on VLANs

Switch(config)# interface GigabitEthernet0/24            ! Uplink
Switch(config-if)# ip arp inspection trust               ! Trust ARP on this port

Switch# show ip arp inspection                           ! View DAI status
Switch# show ip arp inspection statistics                 ! View drop counts

Important: DAI depends on the DHCP snooping binding table. You must enable DHCP snooping first for DAI to function properly.

Port Security

Port security limits the number of MAC addresses that can be learned on a switch port. This mitigates MAC flooding attacks.

Configuration

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access                 ! Must be access mode
Switch(config-if)# switchport port-security                ! Enable port security
Switch(config-if)# switchport port-security maximum 2     ! Allow max 2 MAC addresses
Switch(config-if)# switchport port-security mac-address sticky  ! Learn MACs automatically
Switch(config-if)# switchport port-security violation shutdown  ! Action on violation

Violation Modes

Mode               | Action on Violation             | Sends Alert       | Increments Counter
-------------------|---------------------------------|-------------------|-------------------
shutdown (default) | Puts port in err-disabled state | Yes (SNMP/syslog) | Yes
restrict           | Drops violating traffic         | Yes               | Yes
protect            | Drops violating traffic         | No                | No
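
The three violation modes in the table, together with the maximum and sticky settings from the configuration above, as an added Python model. It is not code from the page or from Cisco IOS; the MAC addresses are constructed, and the alert strings only stand in for the SNMP trap or syslog message a real switch would send.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Toy model of 'switchport port-security' on one access port (constructed, not IOS code)."""
    maximum: int = 1                  # switchport port-security maximum N
    violation: str = "shutdown"       # shutdown (default) | restrict | protect
    sticky: bool = False              # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)    # MACs currently allowed on the port
    sticky_config: list = field(default_factory=list)  # lines sticky learning writes to running-config
    err_disabled: bool = False
    violation_count: int = 0
    alerts: list = field(default_factory=list)         # stand-ins for SNMP trap / syslog messages

    def ingress(self, src_mac):
        """Process one frame's source MAC; return True if forwarded, False if dropped."""
        if self.err_disabled:
            return False                                 # port is down: everything is dropped
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)             # learn it as a secure MAC
            if self.sticky:
                self.sticky_config.append(f"switchport port-security mac-address sticky {src_mac}")
            return True
        # Over the maximum: a violation, handled according to the configured mode
        if self.violation == "shutdown":
            self.err_disabled = True                     # whole port goes err-disabled
            self.violation_count += 1
            self.alerts.append(f"psecure-violation on port by {src_mac}")
        elif self.violation == "restrict":
            self.violation_count += 1                    # drop, alert and count, port stays up
            self.alerts.append(f"psecure-violation on port by {src_mac}")
        # protect: silently drop, no alert, no counter
        return False

    def recover(self):
        """Operator 'shutdown' / 'no shutdown', or the errdisable recovery timer expiring."""
        self.err_disabled = False


def run(mode, maximum, frames):
    """Feed a constructed sequence of source MACs through a port and summarise the outcome."""
    p = SecurePort(maximum=maximum, violation=mode, sticky=True)
    forwarded = [p.ingress(m) for m in frames]
    return forwarded, p.violation_count, len(p.alerts), p.err_disabled
```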

Recovering from err-disabled

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

! Or configure auto-recovery
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300          ! Auto-recover after 300 seconds

Verification

Switch# show port-security                               ! Summary all ports
Switch# show port-security interface GigabitEthernet0/1   ! Specific port
Switch# show port-security address                        ! Learned MAC addresses

Wireless Security Protocols

Protocol | Encryption | Authentication    | Security
---------|------------|-------------------|--------------------
WEP      | RC4 (weak) | Shared key        | Broken — never use
WPA      | TKIP       | PSK or 802.1X     | Deprecated
WPA2     | AES-CCMP   | PSK or 802.1X/EAP | Standard (minimum)
WPA3     | AES-GCMP   | SAE or 802.1X     | Strongest

WPA2 Modes

  • WPA2-Personal (PSK): Pre-Shared Key — a single password for all users (home/small office)
  • WPA2-Enterprise (802.1X): Each user authenticates with unique credentials via RADIUS server (enterprise)

On the Exam: Know that DHCP snooping prevents rogue DHCP servers, DAI prevents ARP spoofing, and port security prevents MAC flooding. These three features form a layered defense at Layer 2. Also know that WPA2 with AES is the minimum acceptable wireless security standard.

Test Your Knowledge

Which Layer 2 security feature prevents rogue DHCP servers from distributing IP addresses?

What is the default port security violation mode on a Cisco switch?

Which wireless security protocol uses AES encryption and is considered the minimum acceptable standard?
