Take the time to run this lab. Break it on purpose. Watch the show port-security , show dhcp snooping binding , and show interfaces status err-disabled outputs.
Cisco’s Packet Tracer activity is an excellent, hands-on lab that forces you to think like both a network admin and a hacker. It focuses on three critical Layer 2 vulnerabilities and their mitigations: MAC Flooding , VLAN Hopping (Switch Spoofing) , and DHCP Starvation .
Happy (secure) switching.
Instead of using VLAN 1 (the default native VLAN), change it to, for example, VLAN 999. 14.9.11 packet tracer - layer 2 vlan security
On any port that should not be a trunk (i.e., all end-user ports), explicitly turn off trunking:
Port Security.
interface range fa0/1-24 switchport mode access switchport nonegotiate On the actual trunk between switches: Take the time to run this lab
Never use VLAN 1 for anything. Not for native VLAN, not for management, not for users. VLAN 1 is the universal key to many Layer 2 attacks. Step 4: DHCP Snooping – Stopping the Rogue Server The Threat: An attacker plugs in a laptop running a rogue DHCP server. When legitimate clients broadcast for an IP, the rogue server replies first, giving them a malicious gateway (the attacker) or a bogus DNS server (phishing).
That’s where comes in. It’s the often-overlooked foundation of network defense.
interface g0/1 switchport trunk native vlan 999 Then, ensure VLAN 999 exists but is used nowhere else. No user devices, no DHCP, no routing. Cisco’s Packet Tracer activity is an excellent, hands-on
On the access ports connecting to end devices (Fa0/1, Fa0/2, etc.), you need to lock down the MAC addresses.
By default, switches are trusting. And trust, in security, is a vulnerability.
ip dhcp snooping ip dhcp snooping vlan 10,20 interface g0/1 ip dhcp snooping trust interface range fa0/1-24 ip dhcp snooping limit rate 10 no ip dhcp snooping trust Now, only the uplink port can send DHCP Offer/ACK messages. Any rogue server on an access port will be ignored.