Although security considerations are explicitly not part of this book, the following brief discussion of Layer 2 security is the famous exception to the rule. To put things into perspective, just consider the following statements and suggestions when dealing with Layer 2 security:
In essence, VLANs are not impenetrable, and neither are VLAN trunks.
STP is slowly converging. If failing, it effectively brings down entire switched networks.
The more performing a device is, the more it is vulnerable to denial of service (DoS) attacks, and the more disastrous the effects get. If you do not believe this statement, try a debug all on a Cisco 12000 backbone router.
Always configure passwords when using VTP.
Protect important devices (gateways) with permanent (static) MAC entries.
Spoofing attacks work using three hooks on several layers:
- ARP protocol/caches
- IP source address spoofing
- DNS resolution
Possible attack patterns include the following:
Switch saturation might lead to VLAN leaking
Broadcast and multicast issues
ARP cache poisoning
VLAN hopping (forged VLAN identifiers)
VTP attacks
STP attacks (BPDUs)