Chapter 9. Securing Layer 2 Technologies

This chapter covers the following topics:

VLAN and trunking fundamentals

Spanning-tree fundamentals

Common Layer 2 threats and how to mitigate them

We often take Layer 2 for granted in the network because it just works. Address Resolution Protocol (ARP) and Layer 2 forwarding on Ethernet are both proven technologies that work very well. This certification, the CCNA Security, was built with the presumption that candidates would have a CCNA in routing/switching or equivalent knowledge. With this knowledge, your understanding of the details about VLANs, trunking, and inter-VLAN routing is presumed. However, so that you absolutely understand these fundamental concepts, this chapter begins with a review.

The first two sections of this chapter deal with ARP and DHCP. It is important to make sure that the basics are in place so that you can fully understand the discussion about protecting Layer 2 in the last section of this chapter, which covers the really important “stuff.” That section focuses on just a few Layer 2–related security vulnerabilities and explains exactly how to mitigate threats at Layer 2. If you are currently comfortable with VLANs, trunking, and routing between VLANs, you might want to jump right to the last section.
