Module 14: Quiz – Layer 2 Security Considerations (Answers) Network Security

Explanation: PVLAN protected ports do not exchange any data traffic with other protected ports. The only traffic that is exchanged between protected ports is control traffic generated by network devices.

Explanation: DAI can be configured to check for both destination or source MAC and IP addresses:

• Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
• Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
• IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

Explanation: A MAC address (CAM) table overflow attack, buffer overflow, and MAC address spoofing can all be mitigated by configuring port security. A network administrator would typically not want to disable STP because it prevents Layer 2 loops. DTP is disabled to prevent VLAN hopping. Placing unused ports in an unused VLAN prevents unauthorized wired connectivity.

Explanation: DCHP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

Explanation: Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weakest link. In addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.

Explanation: When other factors are equal, the switch with the lowest MAC address will have the lowest BID, and will become the root bridge. STP functions on Layer 2 and does not use IP addressing as a factor.​

Explanation: When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.

Explanation: Macof is a network attack tool and is mainly used to flood LAN switches with MAC addresses.

Explanation: STP uses a root bridge as a central point for all spanning tree calculations. To select a root bridge, STP conducts an election process. All switches in the broadcast domain participate in the election process. The switch with the lowest bridge ID, or BID, is elected as the root bridge. The BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

Explanation: There are two methods for mitigating VLAN hopping attacks:

1. disabling automatic trunking negotiation on switchports
2. turning trunking off on all unused nontrunk switchport

Explanation: Cisco provides solutions to help mitigate Layer 2 attacks including these:

• IP Source Guard (IPSG) – prevents MAC and IP address spoofing attacks
• Dynamic ARP Inspection (DAI) – prevents ARP spoofing and ARP poisoning attacks
• DHCP Snooping – prevents DHCP starvation and SHCP spoofing attacks
• Port Security – prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks

Web Security Appliance (WSA) is a mitigation technology for web-based threats.

Explanation: PVLANs are used to provide Layer 2 isolation between ports within the same broadcast domain. The level of isolation can be specified with three types of PVLAN ports:

• Promiscuous ports that can forward traffic to all other ports
• Isolated ports that can only forward traffic to promiscuous ports
• Community ports that can forward traffic to other community ports and promiscuous ports

Explanation: Like Dynamic ARP Inspection (DAI), IP Source Guard (IPSG) needs to determine the validity of MAC-address-to-IP-address bindings. To do this IPSG uses the bindings database built by DHCP snooping.