This chapter covers the following subjects

• Mitigation of Layer 2 Attacks

Unlike hubs, switches can regulate the flow of data between their ports by creating almost "instant" networks that contain only the two end devices communicating with each other at that moment. Data frames are sent by end systems, and their source and destination MAC addresses are not changed as they cross the switched domain. Switches maintain content-addressable memory (CAM) lookup tables that map source MAC addresses to the switch ports on which they were seen; these tables are populated by the switch's address-learning process. If the destination address of a frame is not in the table, or if the frame is destined for a broadcast address, the switch floods the frame out all ports except the one it arrived on. With their ability to isolate traffic and create these "instant" networks, switches can divide a physical network into multiple logical networks, or VLANs, through Layer 2 traffic segmentation.

VLANs enable network administrators to divide their physical networks into a set of smaller logical networks. Like its physical counterpart, each VLAN is a single broadcast domain isolated from the other VLANs. VLANs work by tagging frames with an identification header and restricting the ports on which tagged frames may be received to those that are members of that VLAN. The two most prevalent VLAN tagging techniques are the IEEE 802.1Q tag and the Cisco Inter-Switch Link (ISL) tag.
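
The following is an added example, not code from the chapter: a small Python model of the learning switch described in the two paragraphs above. It decodes the 802.1Q tag to find the VLAN, learns (VLAN, source MAC) to port mappings into a finite CAM table, floods unknown-unicast and broadcast frames only to ports that are members of the same VLAN, and drops a tagged frame that arrives on a port that is not a member of the tagged VLAN. The port names, VLAN numbers and MAC addresses are made up for the walkthrough, and the model assumes each port has one native VLAN for untagged frames plus a set of allowed VLANs.

```python
"""Toy learning switch with an 802.1Q-aware CAM table (added example; the
port layout, VLAN IDs and MAC addresses are constructed for illustration)."""
import struct
from dataclasses import dataclass
from typing import Optional

BROADCAST = bytes.fromhex("ffffffffffff")
TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: int                # 802.1Q VID, or 0 if the frame carried no tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Serialise an Ethernet II frame, inserting an 802.1Q tag when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        # TCI = 3-bit PCP | 1-bit DEI | 12-bit VID; priority bits are left at zero
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode dst/src, strip an 802.1Q tag if present, and return the VID."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, offset = 0, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return Frame(dst, src, vlan, ethertype, raw[offset:])


@dataclass(frozen=True)
class Port:
    name: str
    native_vlan: int          # VLAN assigned to untagged frames on this port
    allowed: frozenset        # VLANs this port is a member of


class Switch:
    def __init__(self, ports: list, cam_capacity: int = 1024):
        self.ports = {p.name: p for p in ports}
        self.cam = {}                      # (vlan, source MAC) -> ingress port name
        self.cam_capacity = cam_capacity   # real CAM tables are finite as well

    def receive(self, in_port: str, raw: bytes) -> list:
        """Return the names of the egress ports the frame is forwarded out of."""
        port = self.ports[in_port]
        f = parse_frame(raw)
        vlan = f.vlan or port.native_vlan
        if vlan not in port.allowed:
            return []                      # tagged for a VLAN this port is not in: drop
        key = (vlan, f.src)
        # Address learning: remember which port the source lives behind.  Once the
        # table is full, new sources are not learned, so frames to them keep flooding.
        if key in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[key] = in_port
        members = [p.name for p in self.ports.values()
                   if vlan in p.allowed and p.name != in_port]
        if f.dst == BROADCAST or (vlan, f.dst) not in self.cam:
            return members                 # flood, but only within this VLAN
        out = self.cam[(vlan, f.dst)]
        return [out] if out in members else []


def demo() -> dict:
    """Walk through a scenario and return each forwarding decision by label."""
    sw = Switch([
        Port("Gi0/1", 10, frozenset({10})),
        Port("Gi0/2", 10, frozenset({10})),
        Port("Gi0/3", 20, frozenset({20})),
        Port("Gi0/24", 1, frozenset({1, 10, 20})),   # trunk carrying both VLANs
    ])
    a, b, c, d = (bytes.fromhex(m) for m in
                  ("0a0000000001", "0a0000000002", "0a0000000003", "0a0000000004"))
    ip = 0x0800
    return {
        "a_to_b_unknown":  sw.receive("Gi0/1", build_frame(b, a, ip, b"1")),
        "b_to_a_known":    sw.receive("Gi0/2", build_frame(a, b, ip, b"2")),
        "a_to_b_known":    sw.receive("Gi0/1", build_frame(b, a, ip, b"3")),
        "c_broadcast":     sw.receive("Gi0/3", build_frame(BROADCAST, c, ip, b"4")),
        "tag_not_allowed": sw.receive("Gi0/1", build_frame(BROADCAST, a, ip, b"5", vlan=20)),
        "d_via_trunk":     sw.receive("Gi0/24", build_frame(BROADCAST, d, ip, b"6", vlan=20)),
        "c_to_d_known":    sw.receive("Gi0/3", build_frame(d, c, ip, b"7")),
    }


if __name__ == "__main__":
    for label, egress in demo().items():
        print(f"{label:16} -> {egress}")
```

The first frame from host A is flooded to every VLAN 10 member because B is not yet in the CAM table; once B replies, both directions become unicast to a single port. The broadcast from host C in VLAN 20 reaches only the trunk, never the VLAN 10 access ports, and a frame tagged with VID 20 arriving on a VLAN 10 access port is discarded rather than forwarded.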

This chapter discusses Layer 2 attacks, mitigations, best practices, and functionality.
