5.0 Security Fundamentals
5.7 Layer 2 security features in IOS devices
Layer 2 security features in Cisco IOS switches protect the switched LAN at the data link layer of the OSI model. Most Layer 2 attacks (MAC flooding, rogue DHCP servers, ARP poisoning, IP spoofing, traffic storms, STP manipulation) work because a switch trusts whatever a host on an access port sends; these features let the switch verify or rate-limit that traffic, so they help prevent unauthorized access to network resources, protect against network-based attacks, and enforce network security policy. Common Layer 2 security features in Cisco IOS devices include:
1. Port Security - Limits the number of MAC addresses a switch will learn on an access port and, optionally, which specific addresses are allowed (configured statically or learned "sticky"). When the limit is exceeded the port can drop the offending frames (protect), drop them and log/trap (restrict), or be placed in err-disabled state (shutdown, the default). This defeats MAC flooding (CAM table overflow) and unauthorized hosts plugged into a port.
2. Dynamic ARP Inspection (DAI) - Intercepts ARP requests and replies arriving on untrusted ports and checks the sender IP/MAC pair against the DHCP snooping binding table (or a static ARP ACL for hosts with fixed addresses). ARP packets that do not match are dropped and logged, which defeats ARP spoofing/poisoning used for man-in-the-middle attacks. DAI depends on DHCP snooping being enabled for the VLAN.
3. DHCP Snooping - Classifies ports as trusted (facing the legitimate DHCP server or upstream switches) or untrusted (facing end hosts). DHCP server messages (OFFER, ACK, NAK) received on untrusted ports are dropped, which blocks rogue DHCP servers; client requests are also rate-limited. From the leases it observes the switch builds the DHCP snooping binding table (IP address, MAC address, VLAN, interface, lease time), which DAI and IP Source Guard rely on.
4. IP Source Guard - Filters IP traffic on an untrusted access port so that only packets whose source IP address (and, on platforms that support it, source MAC address) match an entry in the DHCP snooping binding table or a static binding are forwarded; all other packets are dropped. This stops a host from spoofing the address of another host on the same VLAN.
5. Storm Control - Monitors the rate of broadcast, multicast and unknown-unicast traffic on a port and, when a configured threshold (a percentage of bandwidth or packets/bits per second) is exceeded, drops the excess traffic and can optionally send a trap or shut the port down. This limits the impact of traffic storms and flooding denial-of-service (DoS) attacks.
6. BPDU Guard - Err-disables a PortFast (edge) port as soon as any BPDU (Bridge Protocol Data Unit) is received on it, regardless of its content. End hosts never send BPDUs, so this keeps an unauthorized switch, or an attacker's STP tool, connected to an access port from participating in spanning tree and, for example, claiming the root bridge role to redirect traffic through itself.
These Layer 2 security features are enabled per switch, per VLAN, or per interface, and several depend on each other: DAI and IP Source Guard consume the DHCP snooping binding table, so DHCP snooping must be enabled first, and interfaces that face legitimate DHCP servers or upstream switches must be marked trusted or their traffic will be dropped. Which features to deploy, and how strictly (violation action, thresholds, err-disable recovery), depends on the requirements of the network, such as the level of security desired and the types of threats being targeted.
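The following is an added worked example of these six features configured together on a single access switch; it is not part of the original notes. It assumes a hypothetical Catalyst access switch where user VLAN 10 has its DHCP server reachable through uplink GigabitEthernet1/0/1 and hosts connect to GigabitEthernet1/0/2 through 1/0/24. Interface names, VLAN number, thresholds and the MAC address are illustrative; exact keyword availability (notably the IP Source Guard MAC-check option) varies by platform and IOS version.

```cisco
! ---- DHCP snooping: must come first, DAI and IP Source Guard use its binding table
ip dhcp snooping
ip dhcp snooping vlan 10
! Switch inserts DHCP option 82 by default; many DHCP servers then refuse the
! request, so disable it unless the server is known to handle it.
no ip dhcp snooping information option

! ---- Dynamic ARP Inspection for the same VLAN, with extra sanity checks
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! ---- BPDU Guard on every PortFast port by default, plus automatic recovery
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! ---- Uplink toward the DHCP server / distribution layer: trusted
interface GigabitEthernet1/0/1
 description UPLINK to distribution (DHCP server behind it)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
 ! no PortFast / BPDU Guard here: this link legitimately carries BPDUs

! ---- Host-facing access ports: untrusted, everything enforced
interface range GigabitEthernet1/0/2 - 24
 description USER access port
 switchport mode access
 switchport access vlan 10
 ! Port Security: allow a phone plus a PC, learn them sticky, log on violation
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ! DHCP snooping: rate-limit client DHCP traffic (server replies are dropped
 ! automatically because the port is untrusted)
 ip dhcp snooping limit rate 10
 ! DAI: untrusted by default; cap ARP rate so a scanner err-disables the port
 ip arp inspection limit rate 15
 ! IP Source Guard: forward only packets whose source IP matches a binding
 ip verify source
 ! Storm Control: drop broadcast/multicast above 1% of link bandwidth and trap
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action trap
 ! BPDU Guard: edge port, err-disable if any BPDU arrives
 spanning-tree portfast
 spanning-tree bpduguard enable

! ---- A host with a fixed IP (e.g. a printer) gets no DHCP lease, so add a
! static binding or DAI / IP Source Guard will drop it (illustrative values)
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/24

! ---- Verification
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
show port-security interface GigabitEthernet1/0/2
show ip verify source
show storm-control
show spanning-tree summary
show interfaces status err-disabled
```

Two checks worth doing before leaving the site: confirm `show ip dhcp snooping binding` actually populates after a client renews its lease (an empty table means DAI and IP Source Guard will drop all host traffic on those ports), and confirm the uplink shows as trusted in `show ip dhcp snooping`, since an untrusted uplink silently discards every DHCP OFFER from the real server.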