Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.7. Layer 2 Security Features

💡 First Principle: Most security controls focus on Layer 3 and above—firewalls filter IP addresses, ACLs check ports. But attackers on your local network can exploit Layer 2, bypassing all those controls. If an attacker is on the same VLAN as your users, they can launch devastating attacks that never touch your firewall.

Consider this scenario: A visitor plugs their laptop into an open Ethernet jack in a conference room. They run a rogue DHCP server. Suddenly, all nearby users get the attacker's IP as their default gateway. Every password, every email, every file transfer flows through the attacker's laptop before reaching the real network. Your expensive firewall never sees the attack—it's all Layer 2 within the VLAN.

What happens without Layer 2 security: Switches are trusting by default. They believe whatever MAC address a device claims. They accept whatever DHCP server responds first. They forward ARP replies without question. Attackers exploit this trust. The features in this section restore sanity: trust the ports connected to your infrastructure, distrust everything else.

Think of it like a nightclub bouncer: staff entering from the back office are trusted (uplink ports), but everyone coming through the front door gets checked (access ports). Layer 2 security features let your switches become that bouncer—verifying claims before allowing traffic to flow.

The big three Layer 2 attacks:
  • Rogue DHCP: Attacker runs a DHCP server and becomes the default gateway—all traffic flows through them
  • ARP spoofing: Attacker poisons ARP caches to intercept traffic between two other devices
  • MAC flooding: Attacker overloads the MAC table, forcing the switch to flood traffic (becomes a hub)
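As an added example (not part of the course material), the trust model above simulated in Python: the switch accepts DHCP server messages only on trusted ports, builds a DHCP snooping binding table from genuine leases, validates ARP replies on untrusted ports against that table (Dynamic ARP Inspection), and caps the MACs learned per untrusted port (port security). Port numbers, MAC and IP addresses, and the simplified message model are constructed for the illustration.

```python
from dataclasses import dataclass, field
# Constructed topology: port 1 is the trusted uplink to the real DHCP server/gateway; ports 2-4 face users.
TRUSTED_PORTS = {1}
MAX_MACS_PER_PORT = 2  # port-security limit that defeats MAC flooding
@dataclass
class Frame:
    port: int             # ingress port
    src_mac: str
    kind: str             # dhcp_discover | dhcp_offer | dhcp_ack | arp_reply | data
    ip: str = ""          # IP assigned (DHCP ACK) or claimed (ARP reply)
    client_mac: str = ""  # DHCP ACK: the client the lease is for
@dataclass
class Switch:
    bindings: dict = field(default_factory=dict)      # DHCP snooping table: mac -> (ip, port)
    client_ports: dict = field(default_factory=dict)  # mac -> port that sent the DISCOVER
    mac_table: dict = field(default_factory=dict)     # port -> set of learned MACs
    drops: list = field(default_factory=list)         # (port, reason) per dropped frame
    def handle(self, f: Frame) -> bool:
        """Return True if the frame is forwarded, False if a Layer 2 control drops it."""
        trusted = f.port in TRUSTED_PORTS
        learned = self.mac_table.setdefault(f.port, set())
        # Port security: an untrusted port may source at most MAX_MACS_PER_PORT addresses
        if not trusted and f.src_mac not in learned and len(learned) >= MAX_MACS_PER_PORT:
            self.drops.append((f.port, "port-security: MAC limit exceeded"))
            return False
        learned.add(f.src_mac)
        # DHCP snooping: server messages (OFFER/ACK) are accepted only from trusted ports
        if f.kind in ("dhcp_offer", "dhcp_ack"):
            if not trusted:
                self.drops.append((f.port, "dhcp-snooping: server message on untrusted port"))
                return False
            if f.kind == "dhcp_ack":  # a genuine lease creates the binding DAI checks later
                self.bindings[f.client_mac] = (f.ip, self.client_ports.get(f.client_mac))
        elif f.kind == "dhcp_discover" and not trusted:
            self.client_ports[f.src_mac] = f.port
        # Dynamic ARP Inspection: an ARP reply on an untrusted port must match a binding
        elif f.kind == "arp_reply" and not trusted and self.bindings.get(f.src_mac) != (f.ip, f.port):
            self.drops.append((f.port, "dai: ARP reply does not match DHCP binding"))
            return False
        return True
def run_scenario() -> tuple:  # user on port 2 gets a real lease; attacker on port 3 tries all three attacks
    sw = Switch()
    sw.handle(Frame(2, "aa:aa:aa:aa:aa:01", "dhcp_discover"))
    sw.handle(Frame(1, "00:11:22:33:44:55", "dhcp_ack", ip="10.0.0.20", client_mac="aa:aa:aa:aa:aa:01"))
    user_arp = sw.handle(Frame(2, "aa:aa:aa:aa:aa:01", "arp_reply", ip="10.0.0.20"))
    rogue_dhcp = sw.handle(Frame(3, "bb:bb:bb:bb:bb:01", "dhcp_offer", ip="10.0.0.99"))
    arp_spoof = sw.handle(Frame(3, "bb:bb:bb:bb:bb:01", "arp_reply", ip="10.0.0.1"))
    flood = [sw.handle(Frame(3, f"bb:bb:bb:bb:bb:{i:02x}", "data")) for i in range(2, 6)]
    return user_arp, rogue_dhcp, arp_spoof, flood, sw.drops
```

The legitimate user's ARP reply is forwarded because it matches its DHCP binding, while the rogue OFFER, the spoofed ARP reply and the third and later MACs on port 3 are dropped, each with a reason suitable for a syslog alert.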