Layer 2 Vulnerabilities

August 27, 2020

Recall that the OSI reference model is divided into seven layers which work independently of each other. The figure shows the function of each layer.

Network administrators routinely implement security solutions to protect the elements in Layer 3 up through Layer 7. They use VPNs, firewalls, and IPS devices to protect these elements. However, if Layer 2 is compromised, then all the layers above it are also affected. For example, if a threat actor with access to the internal network captured Layer 2 frames, then all the security implemented on the layers above would be useless. The threat actor could cause a lot of damage on the Layer 2 LAN networking infrastructure.


Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link. This is because LANs were traditionally under the administrative control of a single organization. We inherently trusted all persons and devices connected to our LAN. Today, with BYOD (Bring Your Own Device) and more sophisticated attacks, our LANs have become more vulnerable to penetration. Therefore, in addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.

Attacks against the Layer 2 LAN infrastructure are described in the table below.

| Category | Examples |
|---|---|
| MAC Table Attacks | MAC address flooding attacks |
| ARP Attacks | ARP spoofing |
| STP Attacks | Spanning Tree Protocol manipulation attacks |
| DHCP Attacks | DHCP spoofing attacks |
| VLAN Attacks | VLAN hopping and VLAN double-tagging attacks |
| Address Spoofing Attacks | MAC and IP address spoofing attacks |

Mitigation Techniques

To improve Layer 2 security, it is recommended to:

  • Use ACLs to filter unwanted access
  • Use a dedicated management VLAN
  • Use secure variants of management protocols, such as SSH, Secure Copy Protocol (SCP), Secure FTP (SFTP), and Secure Socket Layer/Transport Layer Security (SSL/TLS)
  • Consider using an out-of-band management network to manage devices

| Solution | Description |
|---|---|
| Dynamic ARP Inspection | Prevents ARP spoofing |
| Port Security | Prevents many types of attacks including MAC address flooding attacks |
| DHCP Snooping | Prevents DHCP spoofing attacks |
| IP Source Guard | Prevents MAC and IP address spoofing attacks |
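
Whether the four solutions in the table are actually enabled can be checked port by port from a switch configuration. The script below is an added example, not part of the original article: it assumes Cisco IOS-style configuration syntax (the page names no platform), and the sample configuration and the names `SAMPLE_CONFIG`, `vlans` and `audit` are constructed for illustration.

```python
import re

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,30-32
ip arp inspection vlan 10
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 30
 switchport port-security
interface GigabitEthernet0/24
 switchport mode trunk
"""  # constructed sample; the Cisco IOS-style syntax is an assumption

def vlans(lines, prefix):
    """Union of the VLAN lists (e.g. '10,30-32') on lines that start with prefix."""
    parts = (p.split("-") for s in lines if s.startswith(prefix) for p in s[len(prefix):].split(","))
    return {v for b in parts for v in range(int(b[0]), int(b[-1]) + 1)}

def audit(config):
    """Map each access port to the mitigations from the table that it lacks."""
    ports, glob, current = {}, [], []
    for line in map(str.rstrip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            current = ports.setdefault(m.group(1), [])
        elif line.startswith(" "):
            current.append(line.strip())  # sub-command of the open section
        else:
            current = []  # any other top-level line closes the section
            glob.append(line)
    # DHCP snooping needs both the global switch and a per-VLAN statement.
    snoop = vlans(glob, "ip dhcp snooping vlan ") if "ip dhcp snooping" in glob else set()
    dai = vlans(glob, "ip arp inspection vlan ")
    report = {}
    for name, cfg in ports.items():
        if "switchport mode access" in cfg:  # trunks and uplinks are skipped
            vlan = next(iter(vlans(cfg, "switchport access vlan ")), 1)  # default VLAN 1
            checks = {
                "Port Security": "switchport port-security" in cfg,
                "DHCP Snooping": vlan in snoop,
                "Dynamic ARP Inspection": vlan in dai,
                "IP Source Guard": any(c.startswith("ip verify source") for c in cfg),
            }
            report[name] = [k for k, ok in checks.items() if not ok]
    return report
```

On the sample, GigabitEthernet0/2 is reported as lacking Dynamic ARP Inspection and IP Source Guard, because VLAN 30 is covered by DHCP snooping but not by ARP inspection and the port has no source-guard statement.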
