5.5 Layer 2 Security Features
Key Takeaways
- DHCP snooping classifies ports as trusted/untrusted so only legitimate servers can send OFFER/ACK, stopping rogue servers and starvation.
- Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table and depends on DHCP snooping being enabled first.
- Port security limits MAC addresses per access port to stop MAC flooding; default violation mode is 'shutdown' (err-disabled).
- 802.1X uses the supplicant/authenticator/authentication-server model with EAP and a RADIUS back end for port-based access control.
- WPA2 with AES (CCMP) is the minimum acceptable Wi-Fi standard; WPA3 with SAE is strongest; WEP is broken.
Why Layer 2 Matters
Layer 2 attacks are dangerous because they sit below the Layer 3 controls (ACLs, firewalls) most people think of as "security." A switch with no Layer 2 hardening can be subverted from a single access port. The CCNA pairs each attack with its specific countermeasure, so learn them as matched sets.
| Attack | Mitigation |
|---|---|
| MAC flooding (CAM-table overflow) | Port security |
| ARP spoofing / poisoning (MITM) | Dynamic ARP Inspection |
| Rogue DHCP server / DHCP starvation | DHCP snooping |
| Rogue switch injecting BPDUs | BPDU Guard |
| Unauthorized device on a port | 802.1X |
DHCP Snooping
DHCP snooping divides switch ports into trusted and untrusted.
| Port type | DHCP messages allowed | Where used |
|---|---|---|
| Trusted | All, including server OFFER and ACK | Uplinks toward the real DHCP server |
| Untrusted (default) | Only client DISCOVER/REQUEST | Access ports facing end users |
If an untrusted port receives a server message (OFFER/ACK), the switch drops it — a rogue DHCP server cannot hand clients a poisoned default gateway. Snooping also builds a binding table mapping MAC → IP → VLAN → port, which DAI then reuses.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20,30
! Uplink toward the real DHCP server: the only port that may forward OFFER/ACK
Switch(config)# interface Gig0/24
Switch(config-if)# ip dhcp snooping trust
Switch# show ip dhcp snooping binding
Dynamic ARP Inspection (DAI)
DAI stops ARP spoofing by checking each ARP packet on an untrusted port against the DHCP snooping binding table. If the source MAC/IP pair matches a binding, the ARP is forwarded; if not, it is dropped. DAI requires DHCP snooping — without the binding table it has nothing to validate against. This dependency is a frequent exam trap.
Switch(config)# ip arp inspection vlan 10,20,30
Switch(config)# interface Gig0/24
Switch(config-if)# ip arp inspection trust
Switch# show ip arp inspection statistics
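To make the trusted/untrusted logic and the binding-table dependency concrete, here is an added Python model (not Cisco code and not from this page) of a switch that applies DHCP snooping and then reuses the resulting bindings for DAI. The topology, port names, MAC and IP values are constructed; Gig0/24 is the trusted uplink from the configuration above, and DAI trusts the same port.

```python
from dataclasses import dataclass, field
TRUSTED_PORTS = {"Gig0/24"}                          # constructed: uplink to the real DHCP server
SERVER_MSGS = {"OFFER", "ACK", "NAK"}                # only a legitimate server should send these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}

@dataclass
class Switch:
    snoop_vlans: set                                 # ip dhcp snooping vlan ...
    dai_vlans: set                                   # ip arp inspection vlan ...
    pending: dict = field(default_factory=dict)      # (vlan, mac) -> access port that asked
    bindings: dict = field(default_factory=dict)     # (vlan, mac) -> (ip, port)
    dropped: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg, mac, ip=None):
        """Apply DHCP snooping; return True if forwarded, False if dropped."""
        if vlan not in self.snoop_vlans:
            return True
        if msg in SERVER_MSGS and port not in TRUSTED_PORTS:
            self.dropped.append(("dhcp", port, msg, mac))   # server message on an access port
            return False
        if msg in CLIENT_MSGS and port not in TRUSTED_PORTS:
            self.pending[(vlan, mac)] = port         # remember which access port the client is on
        if msg == "ACK" and (vlan, mac) in self.pending:
            self.bindings[(vlan, mac)] = (ip, self.pending.pop((vlan, mac)))
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Apply DAI on untrusted ports: sender MAC/IP must match a snooping binding."""
        if vlan not in self.dai_vlans or port in TRUSTED_PORTS:
            return True
        if self.bindings.get((vlan, sender_mac), (None, None))[0] == sender_ip:
            return True
        self.dropped.append(("arp", port, sender_mac, sender_ip))
        return False

def demo():
    sw = Switch(snoop_vlans={10, 20, 30}, dai_vlans={10, 20, 30})
    client = "aa:aa:aa:aa:aa:01"
    # Legitimate lease: client on access port Gig0/1, server behind trusted uplink Gig0/24.
    sw.dhcp("Gig0/1", 10, "DISCOVER", client)
    sw.dhcp("Gig0/24", 10, "OFFER", client, "10.0.10.50")
    sw.dhcp("Gig0/1", 10, "REQUEST", client)
    sw.dhcp("Gig0/24", 10, "ACK", client, "10.0.10.50")
    rogue = sw.dhcp("Gig0/2", 10, "OFFER", client, "10.0.10.99")   # dropped: access port
    good = sw.arp("Gig0/1", 10, client, "10.0.10.50")              # matches its binding
    spoof = sw.arp("Gig0/2", 10, "bb:bb:bb:bb:bb:02", "10.0.10.1") # claims the gateway IP
    # Exam trap: DAI on but snooping off means no bindings, so every untrusted ARP drops.
    trap = Switch(snoop_vlans=set(), dai_vlans={10}).arp("Gig0/1", 10, client, "10.0.10.50")
    return rogue, good, spoof, trap, sw.bindings
```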
Port Security
Port security limits how many MAC addresses a port may learn, defeating MAC flooding that would otherwise turn the switch into a hub.
Switch(config)# interface Gig0/1
! Required: port security is accepted only on a static access port
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown
The sticky keyword learns MAC addresses dynamically and writes them into the running configuration. A trunk port, or a port whose mode is negotiated by DTP (dynamic auto/desirable), will not accept port security; it must be a static access port.
Violation Modes
| Mode | Action | Logs/SNMP | Counter |
|---|---|---|---|
| shutdown (default) | Err-disables the port | Yes | Yes |
| restrict | Drops offending frames, port stays up | Yes | Yes |
| protect | Drops offending frames silently | No | No |
Recovering an Err-Disabled Port
Switch(config)# interface Gig0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
! Or automate it:
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
802.1X Port-Based Access Control
802.1X authenticates a device before the port forwards user traffic, using three roles:
- Supplicant — the client software on the end device
- Authenticator — the switch, which relays credentials
- Authentication server — a RADIUS server (e.g., Cisco ISE) that decides yes/no
The supplicant and the authentication server exchange EAP (Extensible Authentication Protocol) messages. On the access port the switch carries them as EAPOL frames and relays them to the RADIUS server; until authentication succeeds, only EAPOL traffic is allowed on the port.
Wireless Security Protocols
| Protocol | Encryption | Authentication | Verdict |
|---|---|---|---|
| WEP | RC4 (broken) | Shared key | Never use |
| WPA | TKIP | PSK or 802.1X | Deprecated |
| WPA2 | AES-CCMP | PSK or 802.1X/EAP | Minimum standard |
| WPA3 | AES-GCMP | SAE or 802.1X | Strongest |
- WPA2/WPA3-Personal (PSK / SAE): one passphrase, suited to homes and small offices.
- WPA2/WPA3-Enterprise (802.1X): unique per-user credentials via RADIUS, used in enterprises. WPA3-Personal replaces the PSK 4-way handshake, which exposes a weak passphrase to offline dictionary guessing, with SAE (Simultaneous Authentication of Equals).
Secure MAC Address Types
Port security tracks three kinds of secure MAC entries, and the difference matters for whether your config survives a reboot:
| Type | How learned | Survives reboot? |
|---|---|---|
| Static | Typed manually with switchport port-security mac-address H.H.H | Yes (in config) |
| Dynamic | Learned automatically, kept in the MAC table only | No — relearned after reload |
| Sticky | Learned automatically, then written into the running config | Yes, if saved with copy run start |
The sticky option is popular because it learns the legitimate device once and then pins it, but remember you must save the config or the sticky entries are lost on reboot.
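The following added Python model (constructed for this page, not Cisco's implementation) ties together the port-security behaviour described above: the maximum, the three violation modes, err-disable and its recovery, and which secure MAC types survive a reload. The MAC addresses and the tuple used as a stand-in for syslog/SNMP notifications are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"                 # default mode; or "restrict" / "protect"
    sticky: bool = False                        # switchport port-security mac-address sticky
    secure: dict = field(default_factory=dict)  # mac -> "static" | "dynamic" | "sticky"
    startup_config: dict = field(default_factory=dict)
    err_disabled: bool = False
    violations: int = 0                         # the counter shown by show port-security
    logged: list = field(default_factory=list)  # constructed stand-in for syslog / SNMP

    def running_config(self):                   # static and sticky appear in 'show run'
        return {m: t for m, t in self.secure.items() if t != "dynamic"}

    def frame(self, src_mac):
        """Process one inbound frame: True if forwarded, False if dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        if self.violation == "shutdown":        # err-disable the port
            self.err_disabled = True
        if self.violation in ("shutdown", "restrict"):
            self.violations += 1                # both modes log and count
            self.logged.append((self.violation, src_mac))
        return False                            # protect: silent drop, no log, no counter

    def copy_run_start(self):
        self.startup_config = dict(self.running_config())

    def reload(self):                           # only startup-config survives a reboot
        self.secure = dict(self.startup_config)

    def errdisable_recovery(self):              # errdisable recovery cause psecure-violation
        self.err_disabled = False

def demo():
    p = SecurePort(maximum=2, sticky=True)      # the CLI sequence on this page
    p.frame("00:11:22:33:44:01"); p.frame("00:11:22:33:44:02")
    third = p.frame("00:11:22:33:44:03")        # third MAC: violation, port err-disabled
    blocked = p.frame("00:11:22:33:44:01")      # even a secure MAC is dropped while down
    p.errdisable_recovery(); p.copy_run_start(); p.reload()   # sticky entries saved: survive
    r = SecurePort(violation="restrict"); r.frame("aa"); r.frame("bb"); r.frame("bb")
    q = SecurePort(violation="protect"); q.frame("aa"); q.frame("bb"); q.reload()
    return third, blocked, sorted(p.secure), r.violations, r.err_disabled, q.violations, len(q.secure)
```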
Verifying Port Security
Switch# show port-security
Switch# show port-security interface Gig0/1
Switch# show port-security address
The per-interface output shows the violation mode, the maximum and current MAC count, the last violating MAC, and the violation counter — your first stop when a port lands in err-disabled.
BPDU Guard and DTP Hardening
Two more access-port protections appear repeatedly. BPDU Guard err-disables any access port that receives a spanning-tree BPDU, which stops someone from plugging an unauthorized switch into a user port and hijacking the spanning-tree topology. It pairs naturally with PortFast on access ports. Separately, leaving Dynamic Trunking Protocol (DTP) enabled lets an attacker negotiate a trunk from a user port and reach every VLAN; switchport mode access plus switchport nonegotiate shuts that door. These, with DHCP snooping, DAI, and port security, form the standard access-layer security baseline.
On the Exam: Memorize the attack-to-mitigation pairs above. Remember DAI depends on DHCP snooping, the default violation mode is shutdown, port security needs an access port, and WPA2-AES is the minimum acceptable Wi-Fi security.
A switch port configured for port security receives a frame from an unauthorized MAC after the maximum is reached. No configuration changed the violation behavior. What happens to the port?
Dynamic ARP Inspection is failing to validate any ARP packets even though it is enabled on the VLAN. What is the most likely cause?
In an 802.1X deployment, which device performs the role of the authentication server?
Which wireless security configuration is the minimum acceptable standard for a modern enterprise?