Category: Security Basics

Layer 2 Best Practices


I am currently working on Layer 2 best practices. To help reinforce this I am using the above lab setup. I’ll be mainly working on the switches you see in the topology, although I might call in the Kali Linux machine and run some attacks against the switches after I have configured some of the security features, to demonstrate how they work.

To get started, let’s see what the current state of the interfaces is: are they access ports or trunk ports, and what VLAN are they in? To do this use the command:

show interfaces status

(or abbreviated: show int status)

We can see that port Gi0/0 is a trunk port; this is the port connected to R1. Gi0/1 is an access port in VLAN 10; this is the port connected to PC1. Ports Gi3/2 and Gi3/3 are trunk ports connected to SW2.

Locking Down Ports

In the printout below I move ports Gi0/2 and Gi0/3, using the range command, into VLAN 100. This VLAN is used as a placeholder for ports that haven’t been assigned to a particular VLAN yet. I’ve also configured the ports as access ports and disabled auto-negotiation, which turns off DTP. To finish off I’ve ‘shutdown’ the ports instead of leaving them up.


Run #show interface status


As you can see, ports (interfaces) Gi0/2 and Gi0/3 are now members of VLAN 100 and are also disabled, i.e. shut down. You would repeat this for all other unused ports on the switch to secure it. When a port is needed you just go into the interface, configure the VLAN it belongs to and do a ‘no shut’ to bring the port back up. Or you could change it over to a trunk port using the following commands:


Above shows how to configure a port (interface) as a trunk port. You first need to tell the port what encapsulation to use: you can select dot1q, isl (Cisco proprietary) or negotiate. I selected dot1q. I configured the port as a trunk and also told it to use native VLAN 99. Although not shown here, you would also disable DTP on the port using the nonegotiate command.

So why disable DTP? Well, if someone wanted to gain access to your network they could plug their laptop into a switchport or a wall jack and run a piece of software that speaks DTP and negotiates a trunk port, tricking the switch into thinking it is connected to another switch. The attacker would then have access to all the VLANs on that switch and could sniff the traffic to see what was on the network. By disabling DTP using the ‘nonegotiate’ command you prevent this from happening.
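The steps above (parking unused ports in VLAN 100, configuring a static dot1q trunk with native VLAN 99, and turning DTP off) as one added IOS configuration for SW1; this is an added example, not the author’s printout, and the description strings, the VLAN name and the assumption that only VLAN 10 needs to cross the SW2 uplink are mine.

```cisco
! Added example, not the original post's configuration. Interface names and
! VLAN numbers follow the post (VLAN 100 = parking VLAN, VLAN 99 = native VLAN).
!
! 1. Create the parking VLAN. Give it no SVI, so a parked port can reach nothing
!    even if it is accidentally brought up.
vlan 100
 name UNUSED_PARKING
!
! 2. Park every unused port: access mode, parking VLAN, DTP off, shut down.
!    Repeat the range for all other unused ports on the switch.
interface range GigabitEthernet0/2 - 3
 description UNUSED - parked in VLAN 100
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 shutdown
!
! 3. A deliberate trunk to SW2: static 802.1Q, an otherwise unused native VLAN,
!    DTP off, and only the VLANs that actually need to cross the link
!    (VLAN 10 is an assumption; adjust to the real VLAN list).
interface GigabitEthernet3/2
 description TRUNK to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10
 switchport nonegotiate
!
! 4. Verification. The parked ports should show "disabled" in VLAN 100 and the
!    uplink should show "trunk"; the per-port switchport view must read
!    "Negotiation of Trunking: Off", otherwise DTP is still running.
! show interfaces status
! show interfaces GigabitEthernet0/2 switchport
! show interfaces GigabitEthernet3/2 switchport
```

Bringing a parked port into service is then just `switchport access vlan <id>` plus `no shutdown` on that interface; the `switchport nonegotiate` line stays.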

In my next couple of posts, I’ll be covering port security, BPDU Guard, Root Guard, DHCP snooping, and access lists and showing how to configure them and run some attacks against them.



1.1a CIA

No, not that CIA! The CIA that is related to the security industry stands for Confidentiality, Integrity and Availability; together these form the security triad.


Confidentiality allows access to data only to authorized personnel; unauthorized personnel cannot access the data. You can ensure confidentiality using encryption such as AES (Advanced Encryption Standard).


When you receive data you want to make sure that what you are receiving is the original piece of data, such as a file. One way to ensure integrity is using hashing algorithms such as MD5 and SHA-1. If I were to send you a file over the internet I could not guarantee that it wasn’t intercepted along the way and changed by someone else. However, if I were to use a hashing algorithm like MD5, I could make a hash of the file before sending it to you and send you the hash along with the file (via email). That way, when you receive the file you could run the same MD5 hash on the file; if they match you can safely say that the file hasn’t been changed along the way.


It is important to make sure your data is available when needed. Companies would do this by having a second (backup) web server available in case their primary web server went down or was taken down by an attacker. This also applies to power, off-site backups and cooling systems.