This chapter covers the following subjects:
- Layer 2 Attacks
- Mitigation of Layer 2 Attacks
Unlike hubs, switches cannot regulate the flow of data between their ports by creating almost "instant" networks that contain only the two end devices communicating with each other. Data frames are sent by end systems, and their source and destination addresses are not changed throughout the switched domain. Switches maintain content-addressable memory (CAM) lookup tables to track the source addresses located on the switch ports. These lookup tables are populated by an address-learning process on the switch. If the destination address of a frame is not known or if the frame received by the switch is destined for a broadcast address, the switch forwards the frame out all ports. With their ability to isolate traffic and create the "instant" networks, switches can be used to divide a physical network into multiple logical or VLANs through the use of Layer 2 traffic segmentation.
VLANs enable network administrators to divide their physical networks into a set of smaller logical networks. Like their physical counterparts, each VLAN consists of a single broadcast domain isolated from other VLANs and work by tagging packets with an identification header and then restricting the ports that the tagged packets can be received on to those that are part of the VLAN. The two most prevalent VLAN tagging techniques are the IEEE 802.1q tag and the Cisco Inter-Switch Link (ISL) tag.
This chapter discusses Layer 2 attacks, mitigations, best practices, and functionality.
"Do I Know This Already?" Quiz
The purpose of the "Do I Know This Already?" quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.
The 11-question quiz, derived from the major sections in "Foundation Topics" section of the chapter, helps you determine how to spend your limited study time.
Table 14-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.
Table 14-1. "Do I Know This Already?" Foundation Topics Section-to-Question Mapping
Foundation Topics Section
Questions Covered in This Section
Types of Attacks
Factors Affecting Layer 2 Mitigation Techniques
- What is the default inactivity expire time period on a Cisco Catalyst switch CAM table?
- 1 minute
- 5 minutes
- 10 minutes
- 50 minutes
- What are three methods of implementing port security?
- Active secure MAC addresses, fixed secure MAC address, and closed secure MAC address
- Static secure MAC address, dynamic secure MAC addresses, and sticky secure MAC addresses
- Default secure MAC address, evasive secure MAC address, and evading secure MAC address
- Stinky secure MAC addresses, dynamite secure MAC, and clammy secure MAC addresses
- Which command enables port security on an interface?
- switchport mode port-security
- switchport mode interface-security
- switchport interface-security
- switchport port-security
- What is the default action mode for security violations?
- The DTP state on a trunk port may be set to what?
- Auto, on, off, undesirable, or non-negotiate
- Auto, on, off, desirable, or non-negotiate
- Auto, on, off, desirable, or negotiate
- Auto, on, off, undesirable, or negotiate
- What are the two different types of VLAN hopping attacks?
- Switch spoofing and double tagging
- Switch goofing and double teaming
- Switch impersonation and double grouping
- Switch imitation and double alliance
- Which features of Cisco IOS Software enable you to mitigate STP manipulation? (Select two.)
- spanning-tree portfast bpduguard
- spanning-tree guard rootguard
- set spantree global-default loopguard enable
- set udld enable
- What are the three types of private VLAN ports?
- Neighborhood, remote, and loose
- Community, isolated, and promiscuous
- Communal, remote, and licentious
- Area, secluded, and wanton
- What common tool is used to launch MAC overflow attacks?
- Protect mode security is recommended for trunk ports.
- What are the three factors when designing a Layer 2 protected network?
- Number of users groups
- Number of DNS zones
- Number of switches
- Number of buildings
- Number of security zones
The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:
- 9 or less overall score— Read the entire chapter. This includes the "Foundation Topics" and "Foundation Summary" sections and the "Q&A" section.
- 10 or 11 overall score— If you want more review on these topics, skip to the "Foundation Summary" section and then go to the "Q&A" section. Otherwise, move on to Chapter 15, "Context-Based Access Control."