Layer 2 Network Security Features - The Network DNA: Networking, Cloud, and Security Technology Blog

Layer 2 Network Security Features

Layer 2 of the OSI model (Data Link Layer) is often overlooked in security, but it is susceptible to various attacks. Cisco switches offer several features to mitigate these Layer 2 threats.

We will talk about Port Security, DHCP Snooping and Dynamic ARP Inspection.

Port Security

Port security limits the number of valid MAC addresses allowed on a port. It can be configured to allow only specific MAC addresses or to dynamically learn them. If a frame arrives from a MAC address beyond the configured limit (a security violation), the port reacts according to its violation mode: it can be shut down (err-disabled), restricted, or protected.


Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown

  • switchport mode access: Makes the port a static access port; port security cannot be enabled on a port in dynamic (DTP) mode.
  • switchport port-security: Enables port security on the interface.
  • switchport port-security maximum 1: Allows only one secure MAC address on the port.
  • switchport port-security mac-address sticky: Dynamically learns the MAC address and saves it into the running configuration, so the learned address survives a port bounce.
  • switchport port-security violation shutdown: Puts the port into the err-disabled state on a violation (restrict drops offending frames and counts/logs them; protect drops them silently).
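To make the violation modes concrete, here is an added example (not code from the original post) that models the decision a port-security feature makes for each incoming frame: learn the source MAC while there is room, forward known addresses, and apply the configured violation action once the limit is reached. The interface name, MAC addresses and frame sequence are constructed for the demo.

```python
# Added example (not from the original post): a minimal model of Cisco-style
# port-security decisions on one access port. Port name, MACs and the frame
# sequence are constructed for the demo.

from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class PortSecurity:
    """State for one interface with 'switchport port-security' enabled."""
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = SHUTDOWN        # switchport port-security violation <mode>
    sticky: bool = True              # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)   # static + learned addresses
    err_disabled: bool = False
    violation_count: int = 0

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac> (pre-configured address)."""
        self.secure_macs.add(mac.lower())

    def ingress(self, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'err-disable' for a frame with this source MAC."""
        mac = src_mac.lower()
        if self.err_disabled:
            # An err-disabled port passes nothing until it is bounced
            # (shutdown / no shutdown) or errdisable recovery brings it back.
            return "drop"
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Room left: learn the address. With sticky it lands in the running
            # config; without sticky it is a dynamic entry lost on reload.
            self.secure_macs.add(mac)
            return "forward"
        # Unknown source MAC and the table is full: a security violation.
        if self.violation == PROTECT:
            return "drop"                      # silent drop, no counter, no log
        if self.violation == RESTRICT:
            self.violation_count += 1          # drop + counter, syslog and SNMP trap
            return "drop"
        self.err_disabled = True               # shutdown: whole port goes err-disabled
        self.violation_count += 1
        return "err-disable"


def run_frames(port: PortSecurity, src_macs):
    """Feed a sequence of source MACs through the port; return the actions taken."""
    return [port.ingress(m) for m in src_macs]


if __name__ == "__main__":
    # Constructed sequence: the legitimate host, a second MAC appearing behind
    # the same port (e.g. an unauthorised hub or VM), then the legitimate host again.
    frames = ["00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:11:22:33:44:55"]
    for mode in (SHUTDOWN, RESTRICT, PROTECT):
        p = PortSecurity("Gi0/2", maximum=1, violation=mode)
        print(mode, run_frames(p, frames), "violations:", p.violation_count)
```

Running it shows the practical difference between the modes: with shutdown the legitimate host loses connectivity too once the port is err-disabled, while restrict and protect only drop the offending frames, and only restrict leaves a counter behind for monitoring.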

DHCP Snooping

DHCP snooping is a security feature that acts as a firewall between untrusted hosts and trusted DHCP servers. It drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports, which stops rogue DHCP servers from issuing IP addresses, and its rate limiting and MAC verification mitigate DHCP starvation attacks. From the leases it observes it builds and maintains the DHCP snooping binding database (client MAC address, IP address, lease time, VLAN and interface), which other features such as Dynamic ARP Inspection rely on.

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# interface GigabitEthernet0/2
Switch(config-if)# ip dhcp snooping limit rate 5

  • ip dhcp snooping: Enables DHCP snooping globally.
  • ip dhcp snooping vlan 10: Enables DHCP snooping for a specific VLAN (nothing is inspected until at least one VLAN is listed).
  • ip dhcp snooping trust: Configures the interface connected to the DHCP server as trusted; all other ports are untrusted by default.
  • ip dhcp snooping limit rate 5: Limits the untrusted port to 5 DHCP messages per second; if the rate is exceeded the port is err-disabled.

Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection (DAI) prevents ARP spoofing and ARP poisoning attacks by validating ARP packets. It intercepts all ARP requests and responses on untrusted ports and checks the sender MAC-to-IP pair in each one against the DHCP snooping binding database; packets with no matching binding are dropped and logged, so DHCP snooping must already be running on the VLAN.

Switch(config)# ip arp inspection vlan 10
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust

  • ip arp inspection vlan 10: Enables DAI for a specific VLAN.
  • ip arp inspection trust: Configures the interface connected to trusted devices (e.g., router, legitimate DHCP server) as trusted; ARP packets on trusted ports are not inspected, and all ports are untrusted by default.
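The DHCP Snooping and DAI sections above describe two features that share one data structure, the binding database, so here is a single added example (not code from the original post or from Cisco) that models both: it parses a constructed sample in the column layout of `show ip dhcp snooping binding`, applies the DHCP snooping rules (server messages dropped on untrusted ports, source MAC checked against the client hardware address, bindings created from ACKs seen on the trusted port), and then applies the DAI check to ARP packets on untrusted ports. The VLAN number, port names, MAC and IP addresses and every packet are constructed for the demo.

```python
# Added example (not from the original post): a model of the DHCP snooping and
# Dynamic ARP Inspection checks on a Cisco-style switch, plus a parser for the
# binding-table layout. All VLANs, ports, MACs, IPs and packets are constructed.

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed sample in the column layout of 'show ip dhcp snooping binding'.
SAMPLE_BINDING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.0.10.20       86400       dhcp-snooping  10    GigabitEthernet0/2
00:11:22:33:44:66   10.0.10.21       86400       dhcp-snooping  10    GigabitEthernet0/3
"""


def parse_binding_table(text: str) -> set:
    """Turn binding-table text into a set of Binding records (header lines skipped)."""
    bindings = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 6 and cols[3] == "dhcp-snooping":
            mac, ip, _lease, _type, vlan, port = cols
            bindings.add(Binding(mac.lower(), ip, int(vlan), port))
    return bindings


@dataclass
class SnoopingSwitch:
    """Per-switch state: snooped VLANs, trusted ports, binding table, drop log."""
    vlans: set                                   # ip dhcp snooping vlan N / ip arp inspection vlan N
    trusted: set                                 # ports configured 'trust' for both features
    bindings: set = field(default_factory=set)
    client_ports: dict = field(default_factory=dict)   # chaddr -> untrusted port it asked on
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, src_mac, msg, chaddr, yiaddr=None):
        """DHCP snooping decision for one message: returns 'forward' or 'drop'."""
        if vlan not in self.vlans:
            return "forward"                     # snooping not enabled on this VLAN
        if port in self.trusted:
            if msg == "ACK" and yiaddr:
                # Server reply on a trusted port: the lease becomes a binding entry.
                client_port = self.client_ports.get(chaddr.lower(), "unknown")
                self.bindings.add(Binding(chaddr.lower(), yiaddr, vlan, client_port))
            return "forward"
        # Untrusted port from here on.
        if msg in ("OFFER", "ACK", "NAK"):
            self.log.append(f"DHCP_SNOOPING: server message {msg} dropped on untrusted {port}")
            return "drop"                        # rogue DHCP server
        if src_mac.lower() != chaddr.lower():
            # 'ip dhcp snooping verify mac-address' (on by default): frame source MAC
            # must equal the DHCP client hardware address, a common starvation tell.
            self.log.append(f"DHCP_SNOOPING: chaddr {chaddr} != src {src_mac} on {port}")
            return "drop"
        self.client_ports[chaddr.lower()] = port
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI decision for one ARP request/reply: returns 'forward' or 'drop'."""
        if vlan not in self.vlans or port in self.trusted:
            return "forward"                     # DAI off for this VLAN, or trusted port
        if any(b.mac == sender_mac.lower() and b.ip == sender_ip and b.vlan == vlan
               for b in self.bindings):
            return "forward"
        self.log.append(f"DAI: invalid ARP {sender_mac}/{sender_ip} vlan {vlan} on {port}")
        return "drop"


def demo():
    """Constructed scenario on VLAN 10 with Gi0/1 trusted (DHCP server/router side)."""
    sw = SnoopingSwitch(vlans={10}, trusted={"Gi0/1"},
                        bindings=parse_binding_table(SAMPLE_BINDING_TABLE))
    results = {
        # Legitimate host on Gi0/2 answers ARP with its leased address.
        "good_arp": sw.arp("Gi0/2", 10, "00:11:22:33:44:55", "10.0.10.20"),
        # Host on Gi0/3 claims the gateway's IP with its own MAC: poisoning attempt.
        "spoofed_arp": sw.arp("Gi0/3", 10, "00:11:22:33:44:66", "10.0.10.1"),
        # Router on the trusted port is never inspected.
        "trusted_arp": sw.arp("Gi0/1", 10, "00:00:0c:9f:f0:01", "10.0.10.1"),
        # DHCPOFFER arriving from an access port: rogue server.
        "rogue_offer": sw.dhcp("Gi0/4", 10, "de:ad:be:ef:00:01", "OFFER", "00:11:22:33:44:77"),
        # Normal DISCOVER from a new host, then the server's ACK on the trusted port.
        "discover": sw.dhcp("Gi0/5", 10, "00:11:22:33:44:77", "DISCOVER", "00:11:22:33:44:77"),
        "ack": sw.dhcp("Gi0/1", 10, "00:00:0c:9f:f0:02", "ACK", "00:11:22:33:44:77", "10.0.10.22"),
        # After the ACK the new host's ARP is accepted by DAI.
        "new_host_arp": sw.arp("Gi0/5", 10, "00:11:22:33:44:77", "10.0.10.22"),
    }
    return results, sw


if __name__ == "__main__":
    res, sw = demo()
    for k, v in res.items():
        print(f"{k:13} {v}")
    print("\n".join(sw.log))
```

The log lines the model produces are the ones worth alerting on in practice: a server message on an untrusted port means a rogue DHCP server, and a DAI drop means a host is answering ARP for an address it never leased. The model matches bindings on MAC, IP and VLAN; the interface is kept in the record for reporting only.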