
Image by: Brett Sayles
Imagine a malicious actor walking into your office building, carrying nothing more than a small, pocket-sized device. They plug it into an empty Ethernet wall jack in the lobby or a conference room, and within seconds, they have bypassed your entire perimeter firewall, gained an IP address, and are sniffing sensitive traffic. This isn’t a hypothetical scenario; it is a common reality in many corporate environments where Layer 2 security is overlooked. While most security professionals focus heavily on firewalls and intrusion prevention systems at the edge, the internal switching fabric remains a massive, often unhardened, attack surface. In this comprehensive guide, we will detail how to secure Layer 2 Cisco switches against common local network attacks, providing you with the precise CLI commands needed to transform your access and trunk ports into hardened gateways.
Securing the foundation of your network
The Data Link Layer (Layer 2) is often the “forgotten” layer in modern security discussions. We spend countless hours configuring complex ACLs (Access Control Lists) and deep-packet inspection rules at Layer 3 and Layer 7, yet we often leave the underlying switching infrastructure vulnerable to identity spoofing, MAC flooding, and Man-in-the-Middle (MitM) attacks. When an attacker gains physical access to a network port, the traditional “perimeter” is effectively neutralized.
To build a resilient network, you must adopt a “Zero Trust” mindset even at the local level. This means assuming that any port that is physically accessible is a potential entry point for an adversary. By securing the Layer 2 domain, you prevent attackers from performing ARP poisoning, intercepting DHCP transactions, or escalating privileges through VLAN hopping. Whether you are managing a small branch office or a sprawling campus network, mastering these Cisco IOS commands is non-negotiable for any network security engineer.
Disabling unused ports: The first line of defense
The simplest security measure is often the most effective: if a port isn’t being used, it shouldn’t be active. Every open, unused port on a switch is an invitation. An attacker can plug in a rogue device, a wireless access point, or a packet sniffer without triggering any immediate alarms if the port is in its default “up” state.
A common mistake made by junior administrators is leaving ports in a “no shutdown” state merely because they “might need them later.” This creates a massive security hole. The best practice is to move all unused ports into a “black hole” VLAN—a VLAN that has no access to any sensitive resources—and then administratively shut down the interface.
Here is the professional workflow for decommissioning unused ports:
- Identify all ports that do not have an active link or a registered device.
- Assign these ports to a non-routable, isolated VLAN (e.g., VLAN 999).
- Shut down the interface to ensure the physical layer is disabled.
Pro-Tip: Always document your port assignments. There is nothing more dangerous than an administrator shutting down a critical uplink because they mistook it for an unused port due to poor documentation.
To implement this on a Cisco switch, use the following commands:
Switch# configure terminal Switch(config)# interface range fastEthernet 0/1 - 24 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 999 Switch(config-if-range)# shutdown Switch(config-if-range)# exit
By following this discipline, you drastically reduce the “attack surface” of your physical infrastructure. If you are looking to optimize your IT infrastructure, consider reviewing our network management resources to streamline your deployment processes.
Implementing port security for access ports
Even with unused ports disabled, the ports that are in use are vulnerable to MAC address spoofing and MAC flooding attacks. In a MAC flooding attack, an adversary uses a tool like Macof to send thousands of bogus MAC addresses to the switch. Once the switch’s Content Addressable Memory (CAM) table is full, the switch may start acting like a hub, broadcasting all incoming traffic to every port, allowing the attacker to sniff sensitive data.
Cisco Port Security is the primary mechanism to mitigate this risk. It allows you to limit the number of MAC addresses that can be learned on a single physical port and define what happens when an unauthorized device is connected.
Understanding security violation modes
When a security violation occurs, you can instruct the switch to take several actions:
- Protect: Drops packets from unauthorized MAC addresses but does not send a notification.
- Restrict: Drops unauthorized packets and sends an SNMP trap/log message. It also increments the violation counter.
- Shutdown: The most secure method. It immediately disables the port (puts it in “error-disabled” state) and requires manual intervention to restore service.
For high-security environments, “Shutdown” is the preferred mode. Here is how you configure it:
Switch(config)# interface fastEthernet 0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 2 Switch(config-if)# switchport port-security mac-address sticky Switch(config-if)# switchport port-security violation shutdown
The mac-address sticky command is particularly powerful. It allows the switch to learn the MAC address of the currently connected device and write it to the running configuration. This means that if the device is unplugged and a new one is plugged in, the port will trigger a violation, stopping the attacker in their tracks.
DHCP snooping: Preventing rogue DHCP servers
DHCP Snooping is a critical security feature that acts as a firewall between untrusted hosts and trusted DHCP servers. In a standard network, a client sends a broadcast request for an IP address. A rogue DHCP server (either a malicious actor or a misconfigured router) can respond faster than the legitimate server, handing out incorrect gateway addresses or DNS settings. This allows the attacker to perform a Man-in-the-Middle (MitM) attack by redirecting all your traffic through their device.
DHCP Snooping mitigates this by categorizing ports into two types:
- Trusted Ports: These are connected to your legitimate DHCP servers or uplinks to other switches. They are allowed to send DHCP server messages (OFFER/ACK).
- Untrusted Ports: These are all user-facing access ports. If a DHCP server message is detected on an untrusted port, the switch drops it immediately.
To enable DHCP snooping globally and on specific interfaces:
Switch(config)# ip dhcp snooping Switch(config)# ip dhcp snooping vlan 10,20 Switch(config)# interface gigabitEthernet 0/1 Switch(config-if)# ip dhcp snooping trust
By implementing this, you ensure that your network architecture remains stable and that IP address assignments are strictly controlled by authorized devices only. This is a fundamental requirement for any modern enterprise network.
Dynamic ARP inspection: Mitigating Man-in-the-Middle attacks
While DHCP snooping protects the IP assignment process, it doesn’t prevent an attacker from spoofing an ARP (Address Resolution Protocol) message once an IP has been assigned. ARP is a trust-based protocol; it assumes that if a device says, “I am 192.168.1.1,” it is telling the truth. An attacker can exploit this by sending “grat
