What are the four main Layer 2 mitigation techniques, and which attacks does each prevent?
The four main solutions are: Port Security (MAC (Media Access Control) flooding), DHCP (Dynamic Host Configuration Protocol) Snooping (DHCP attacks), Dynamic ARP (Address Resolution Protocol) Inspection (ARP attacks), and IP (Internet Protocol) Source Guard (address spoofing). They won't work if management protocols aren't also secured.
* DHCP snooping's binding table underpins DAI (Dynamic ARP Inspection) and IPSG (IP Source Guard). *
| Solution | Prevents | How It Works |
|---|---|---|
| Port Security | MAC address flooding, DHCP starvation | Limits the number of MAC addresses allowed on a port |
| DHCP Snooping | DHCP starvation, DHCP spoofing | Classifies ports as trusted/untrusted; blocks rogue DHCP server messages on untrusted ports |
| Dynamic ARP Inspection (DAI) | ARP spoofing, ARP poisoning | Validates ARP packets against DHCP snooping binding table |
| IP Source Guard (IPSG) | IP spoofing, MAC spoofing | Filters traffic based on DHCP snooping binding table — only allows traffic from legitimately assigned IPs |
Critical additional requirements: These Layer 2 solutions are useless if the management protocols aren't secured:
- Use SSH (Secure Shell) (not Telnet) for device management
- Use SCP (Secure Copy Protocol)/SFTP (Secure File Transfer Protocol) (not FTP (File Transfer Protocol)) for file transfers
- Use SSL (Secure Sockets Layer)/TLS (Transport Layer Security) for web-based management
- Consider out-of-band management (separate management network)
- Use a dedicated management VLAN (Virtual Local Area Network) with ACLs (Access Control Lists)
- Filter unwanted access with ACLs
Tip: These four mechanisms form a defense-in-depth stack — DHCP Snooping is the foundation (builds the binding table), DAI and IPSG consume that table, and Port Security provides the MAC-level enforcement.
Go deeper:
MAC filtering — Port security (Wikipedia) — the per-port MAC-limit mechanism behind Port Security.