4 Often Overlooked – Yet Effective – Basic Layer 2 Security Features

Effective cybersecurity requires a team of systems to pull together, and just like with any team, this one is only as strong as its weakest link. In many networks, that weakest link is Layer 2 of the OSI model, aka the data link layer. Since the different layers in OSI work independently of each other, if one layer is compromised, it can affect others without them ever knowing something has gone wrong. Considering that impact, Layer 2 is certainly worthy of some extra attention.

The thing is, many organizations already have features in place to mitigate some of the more common attacks levied at Layer 2. These features come standard in certain Cisco switches; they just need to be turned on. Despite that, we still see organizations falling victim to these attacks.

Why? In some cases, organizations simply may not know about the features. Others may have overestimated the time and effort required to activate them.

Securing Layer 2 against common attack types

In truth, there’s no reason to overlook these features. The risk to businesses is far too great. Let’s take you through four common Layer 2 attacks and outline what a business can do to stay safe.

MAC Attacks

Anatomy of an Attack: During a MAC attack, a switch’s Content Addressable Memory (CAM) table is targeted. These tables store data such as the MAC addresses available on a port and their associated VLAN parameters. CAM tables have a fixed size, meaning they can only house so much information. Attackers attempt to exploit this during a MAC attack by flooding the CAM with random source MAC and IP addresses. Once the CAM table on a switch reaches its limit, traffic floods out to adjacent switches, filling their CAM tables as well and continuing to overload the network.

Countermeasures: Admins can use switch port security limits to restrict the number of MAC addresses on an interface. This allows them to set a cap on the number of MAC addresses a port can learn. That cap is up to the admin, provided it won’t overflow the CAM table. Timers can be placed on how long a MAC address will be bound to a port. If a port comes across a MAC address that falls outside of its accepted parameters, it will ignore it. The port will then lock itself down and send out an alert about the malicious traffic.

VLAN Hopping

Anatomy of an Attack: A VLAN Hopping attack takes place in instances where there are multiple VLANs going over one trunk port. The attack itself can occur in one of two ways. The first involves an end station acting as a switch and as a member of multiple VLANs, as opposed to one like a typical access port. This gives it access to all data crossing the VLANs. In the second type, called a Double 802.1Q Encapsulation attack, a second and fraudulent tag is placed on a packet, identifying it as destined for a VLAN other than the one it was meant to be on. This allows it to monitor and interact with the traffic on that second VLAN as well as the one it’s supposed to be on.

Countermeasures: There are a number of countermeasures that can be taken at the switch level to prevent the attacks that fall under the designation of VLAN Hopping. For example, admins could require the use of a dedicated VLAN ID for all trunk ports. They could also disable unused ports and house them in an unused VLAN. Disabling auto-trunking on user-facing ports – turning DTP off – can also help.

DHCP Attacks

Anatomy of an Attack: DHCP attacks are a version of a man-in-the-middle attack where a server is set up to act as an intermediary between a client and a DHCP Server. This intermediary could be either a legitimate server that simply has yet to be approved or it could be a rogue server set up by malicious outsiders to intercept sensitive data. In order to keep the ruse going for as long as possible, the rogue server would pass data along to its intended destination after intercepting it.

Countermeasures: Stopping DHCP attacks involving a rogue man-in-the-middle server requires an approach known as “DHCP snooping.” This feature separates requests into two groups: trusted and untrusted sources. Trusted sources are located behind your firewall, including things like your own switches, routers, and servers. Untrusted sources are located outside of that firewall and can include things such as unknown DHCP servers or anything else that could be used by cybercriminals to launch an attack. Requests from untrusted sources are filtered out and that information is stored in a database. Should a request come in from that source again, DHCP snooping will know exactly how to handle it.

Spoofing Attacks

Anatomy of an Attack: Spoofing attacks are just what they sound like: attackers try to act like something they’re not in order to carry out their malicious activities. Spoofing attacks are commonly directed at either MACs or at IPs. Cybercriminals target MACs with a spoofing attack in order to gain network access or to take over the identity of someone already on the network. Meanwhile, IP-targeting spoofing attacks can be used to launch a flood of fraudulent traffic at a switch in an effort to overwhelm it and take it offline.

Countermeasures: The method for defending against attempts at MAC or IP spoofing is called IP Source Guard. This feature can be activated to monitor for both MAC and IP spoofing, or one or the other. For IP spoofing, Source Guard will use information contained within the DHCP snooping database to quickly identify known threats, so that feature must already be turned on for this to work. For MAC spoofing, Source Guard must have access to an Option 82-enabled DHCP server, one that router configurations have been altered to support. Once activated, this feature can sniff out IP/MAC spoofing attacks.
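
The four countermeasures above (port security, DTP and trunk hardening, DHCP snooping, IP Source Guard) each come down to a few lines of switch configuration, so their absence can be checked mechanically. The following Python script is an added example, not part of the original article or any Arraya or Cisco tooling: it audits an IOS-style configuration for those lines. The sample configuration is constructed, and two points are assumptions: that "a dedicated VLAN ID for all trunk ports" means a dedicated native VLAN, and that every non-trunk port is user-facing.

```python
import re

# Constructed sample config (not from the article); VLAN IDs 10 and 999 are made up.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging time 5
 ip verify source
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 ip dhcp snooping trust
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    stanzas = re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M)
    return {name: [c.strip() for c in body.splitlines()] for name, body in stanzas}

def audit(config):
    """Return {scope: [findings]} for the four countermeasures."""
    findings = {}
    if "ip dhcp snooping" not in config.splitlines():
        findings["global"] = ["DHCP snooping disabled"]
    for name, cmds in parse_interfaces(config).items():
        has = lambda prefix: any(c.startswith(prefix) for c in cmds)
        checks = [(has("switchport nonegotiate"), "DTP not disabled")]
        if "switchport mode trunk" in cmds:
            checks.append((has("switchport trunk native vlan"), "no dedicated native VLAN"))
        else:  # assumption: every non-trunk port is user-facing
            checks += [("switchport mode access" in cmds, "mode not forced to access"),
                       ("switchport port-security" in cmds, "port security off"),
                       (has("ip verify source"), "IP Source Guard off"),
                       (not has("ip dhcp snooping trust"), "user port trusted for DHCP")]
        issues = [msg for ok, msg in checks if not ok]
        if issues:
            findings[name] = issues
    return findings
```

Run against the sample, only the default port GigabitEthernet1/0/2 is reported; the hardened access port and the uplink trunk produce no findings.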

Gain a partner in the fight against cyber crime

Want to learn more about these attacks or others which target Layer 2? Arraya’s Network and Security team stands ready to help. Our engineers have decades of experience building, supporting, and securing networks for businesses in all industries. They can walk you through these attacks in more detail and help you gain access to the features and tools you need to ensure your business’ data stays safe.

Start a conversation today by visiting: http://www.arrayasolutions.com/contact-us/. Our team can also be reached through social media: Twitter, LinkedIn, and Facebook. While you’re there, click the Follow button so you can stay in the loop with all of our latest blogs, special events, and industry insights.
