Layer 2 Security Best Practices
Single security zone, multiple user groups, single physical switch

In this design, VLANs are used to logically separate the traffic of multiple user groups within a single physical network. Typical examples of such a design are an application service provider data center, or different departments within a single corporate enterprise that require data segregation.

Vulnerabilities
The primary layer 2 vulnerabilities of this design include the following:

  • MAC spoofing
  • CAM table overflow
  • VLAN hopping

Mitigation
If the security zone is small enough, use port security to help mitigate both the CAM table overflow and the MAC spoofing vulnerabilities. VLAN hopping can additionally be mitigated by applying the following VLAN best practices as guidelines:

  • Use dedicated VLAN IDs for all trunk ports.
  • Disable all unused switch ports and place them in an unused VLAN.
  • Set all user ports to non-trunking mode by explicitly turning off DTP on those ports.
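As an added illustration that is not part of the original guidelines, the following Python audit reads a constructed Cisco IOS-style running-config and flags ports that miss the practices listed above: trunks whose native VLAN is the default or a user VLAN, disabled ports not parked in the unused VLAN, and user ports without an explicit non-trunking mode or without port security. The interface names, the VLAN numbers, and the policy that a user port carries both `switchport mode access` and `switchport nonegotiate` are assumptions made for this example.

```python
# Constructed sample running-config (not from any real device) that mixes
# compliant and non-compliant ports so the audit below has something to flag.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 10
!
"""

def parse_interfaces(config):
    # Split the config into {interface name: set of its indented config lines}
    interfaces = {}
    for stanza in config.split("interface ")[1:]:
        name, _, body = stanza.partition("\n")
        interfaces[name.strip()] = {l.strip() for l in body.splitlines() if l.startswith(" ")}
    return interfaces

def audit(config, unused_vlan="999"):
    # Map each non-compliant interface to the guidelines it violates (assumed policy)
    interfaces = parse_interfaces(config)
    # VLANs carrying live user traffic: access VLANs of ports that are not shut down
    user_vlans = {l.split()[-1] for lines in interfaces.values() if "shutdown" not in lines
                  for l in lines if l.startswith("switchport access vlan ")}
    findings = {}
    for name, lines in interfaces.items():
        issues = []
        if "switchport mode trunk" in lines:
            native = next((l.split()[-1] for l in lines
                           if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1" or native in user_vlans:
                issues.append(f"trunk native VLAN {native} is not a dedicated VLAN ID")
        elif "shutdown" in lines:
            if f"switchport access vlan {unused_vlan}" not in lines:
                issues.append(f"disabled port not parked in unused VLAN {unused_vlan}")
        else:
            if not {"switchport mode access", "switchport nonegotiate"} <= lines:
                issues.append("DTP not explicitly disabled on user port")
            if "switchport port-security" not in lines:
                issues.append("port security not enabled")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports GigabitEthernet1/0/2 and GigabitEthernet1/0/24 and leaves the fully configured GigabitEthernet1/0/1 clean; pointing it at a real `show running-config` capture is the intended use.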

As with the previous cases, the switches must be managed as securely as possible and tested on a regular basis.