14.2. Securing Layer 2

Several switch features mitigate the dangers of DHCP, MAC, and ARP spoofing. The following can be configured to guard against these threats:

  • DHCP snooping

  • Port Security

  • Dynamic ARP inspection (DAI)

The dangers posed by an attacker who hops VLANs can be controlled through proper configuration of ports and trunks. The features that can be configured to help protect against these threats include:

  • Private VLANs (PVLANs)

  • VLAN access control lists (VACLs)

14.2.1. Port Security

Port Security is a super useful and powerful feature supported on Cisco switches that restricts a switch port to a specific set or number of MAC addresses. By specifying the number of MAC ...
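The following Cisco IOS configuration is an added example, not taken from the book. It shows Port Security on an access port alongside the DHCP snooping and DAI features listed at the start of this section. VLAN 10, the interface names, and the numeric limits are constructed values chosen for illustration.

```cisco
! Constructed example: VLAN 10 is the user VLAN, Gi0/1 is the uplink
! toward the legitimate DHCP server, Gi0/2 is an end-user access port.

! DHCP snooping builds a binding table (MAC, IP, VLAN, port) from
! DHCP replies seen on trusted ports only.
ip dhcp snooping
ip dhcp snooping vlan 10

! DAI checks ARP packets on untrusted ports against that binding
! table, so DHCP snooping must be enabled for the same VLAN.
ip arp inspection vlan 10

! Let a port that was err-disabled by Port Security recover by itself.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

interface GigabitEthernet0/1
 description Uplink toward DHCP server (trusted)
 ip dhcp snooping trust
 ip arp inspection trust

interface GigabitEthernet0/2
 description End-user access port (untrusted by default)
 switchport mode access
 switchport access vlan 10
 ! Port Security: allow at most two source MACs, learn them
 ! dynamically and keep them in the running configuration.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! restrict = drop offending frames and count/log the violation;
 ! the default mode, shutdown, err-disables the port instead.
 switchport port-security violation restrict
 ! Cap DHCP packets per second accepted from this port.
 ip dhcp snooping limit rate 15

! Verification commands (run from privileged EXEC mode):
!   show port-security interface GigabitEthernet0/2
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
```

Hosts with static addresses on VLAN 10 have no DHCP snooping binding, so DAI drops their ARP traffic unless an ARP ACL or a trusted port covers them.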
