Skip to content
/ Layer2AttacksLab Public

A lab in which the execution and prevention of layer 2 attacks are detailed.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

101zh/Layer2AttacksLab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
ARPSpoofing
ARPSpoofing
 
 
DHCPStarvation
DHCPStarvation
 
 
DeviceConfigurations
DeviceConfigurations
 
 
MACFlooding
MACFlooding
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
topology.pkt
topology.pkt
 
 
topology.png
topology.png
 
 

Repository files navigation

Three Layer 2 Attacks Execution and Prevention

A lab in which the execution and prevention of layer 2 attacks are detailed. Device configurations and the ways to execute attacks are detailed in the corresponding folders.

Background information on lab concepts can be found here: https://101zh.github.io/networking/

Contents

Purpose

The purpose of this lab is to perform three layer 2 attacks to understand them. Then to discover how to prevent and mitigate these attacks. This lab’s purpose is the demonstrate practices that can prevent a network from being attacked from layer 2.

Execution and prevention of attacks can be found here:

Lab Summary

In this lab, three layer 2 attacks were performed: MAC flooding, DHCP starvation & VLAN hopping, and ARP spoofing. These attacks were performed on a common office network with an access point, a switch, and a router. This report details how to perform these attacks as well as mitigate each of these attacks in their respective sections.

More details on the configuration of this topology can be found here: https://github.com/101zh/StandaloneAccessPointLab

Note: a VLAN other than VLAN 1 should be used as the native VLAN to further mitigate VLAN hopping attacks, but it is not configured here.

Topology

IPv4 topology

Lab Commands

  • interface {type slot/port}
    • switchport port-security maximum [number-of-addresses]
      • Sets the maximum number of mac-addresses a port can learn
    • switchport mode access
      • Sets the interface to a non-trunking VLAN layer 2 interface
    • switchport access vlan [vlan-number]
      • Sets the VLAN the interface operates in for access mode
    • ip dhcp snooping trust
      • Configures the specified interface to be a trusted interface. By default, interfaces are not trusted. Usually, interfaces that are configured as trusted are the interface closest to the DHCP server.
    • switchport port-security
      • Enables port security on the specified interface
    • switchport port-security aging time [time]
      • Sets the time for which a mac-address is remembered as a secure address.
    • switchport port-security aging type {absolute | inactivity}
      • Sets the type of aging the port will use. The type of inactivity sets it so that the mac-addresses are forgotten after a period of inactivity specified by the aging time. The type of absolute, which is default, will forget a mac-address in the specified aging time after it was learned.
    • switchport port-security mac-address {mac-addr | sticky}
      • Specifies the secure mac-addresses. Addresses can be statically set or by using the keyword “sticky,” mac-addresses can be dynamically learned.
    • switchport nonegotiate
      • Statically sets the specified interface to not use Dynamic Trunking Protocol (DTP)
  • ip dhcp snooping
    • Enables DHCP snooping globally in the switch
  • ip dhcp snooping verify mac-address
    • Configures the switch to verify that the mac-address learned on the port matches the mac-address field in DHCP packets
  • ip arp inspection vlan [vlan-number1 … vlan-number8]
    • Enables dynamic ARP inspection (DAI) on the specified VLANs
  • ip arp inspection validate {dst-mac | src-mac}
    • Validates the ARP frames that go through the switch. The two options configure DAI to compare the ethernet mac-addresses of the destination and source to the ARP body, respectively.
  • ip arp gratuitous none
    • Rejects gratuitous ARPs.

Copyright

MIT License

Copyright (c) 2026 101zh

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

About

A lab in which the execution and prevention of layer 2 attacks are detailed.

Topics

networking arp-spoof-attack arp-spoofing layer2 dhcp-starvation-attack arp-spoof computer-networking-lab layer-2 dhcp-starvation networking-labs mac-flooding layer2-attacks networking-lab layer-2-attack layer-2-attacks

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository