14.2. Securing Layer 2

Several techniques and features mitigate the dangers of DHCP, MAC, and ARP spoofing. The following features can be configured to guard against these threats:

  • DHCP snooping

  • Port Security

  • Dynamic ARP inspection (DAI)

An attacker who hops VLANs creates security vulnerabilities; this danger can be controlled through proper configuration of ports and trunks. The features that can be configured to aid in protecting against these threats include:

  • Private VLANs (PVLANs)

  • VLAN access control lists (VACLs)

14.2.1. Port Security

Port Security is a super useful and powerful feature supported on Cisco switches that restricts a switch port to a specific set or number of MAC addresses. By specifying the number of MAC ...
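The MAC address restriction described above, as an added example that is not taken from the book: a Cisco IOS access-port configuration with Port Security enabled. The interface name, VLAN number, and address limit are assumptions chosen for illustration.

```cisco
! Constructed example: interface, VLAN and limits are assumed values.
interface GigabitEthernet0/1
 description User access port (constructed example)
 ! Port Security cannot be enabled on a dynamic port, so fix the mode first
 switchport mode access
 switchport access vlan 10
 ! Turn the feature on; without this line the settings below are inactive
 switchport port-security
 ! Limit the port to two source MAC addresses (default is 1)
 switchport port-security maximum 2
 ! Learn the addresses from live traffic and record them in the running config
 switchport port-security mac-address sticky
 ! Drop frames from unknown addresses and count/log the violation.
 ! The default mode, shutdown, places the port in err-disabled state instead.
 switchport port-security violation restrict
end
!
! Verification from privileged EXEC mode
show port-security interface GigabitEthernet0/1
show port-security address
```

Sticky addresses live in the running configuration only, so save the configuration if the learned addresses should survive a reload.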
