2 Vlan Security: 14.9.11 Packet Tracer - Layer

Cisco’s Packet Tracer activity is an excellent, hands-on lab that forces you to think like both a network admin and a hacker. It focuses on three critical Layer 2 vulnerabilities and their mitigations: MAC Flooding , VLAN Hopping (Switch Spoofing) , and DHCP Starvation .

Port Security.

That’s where comes in. It’s the often-overlooked foundation of network defense. 14.9.11 packet tracer - layer 2 vlan security

Take the time to run this lab. Break it on purpose. Watch the show port-security , show dhcp snooping binding , and show interfaces status err-disabled outputs.

On any port that should not be a trunk (i.e., all end-user ports), explicitly turn off trunking: Cisco’s Packet Tracer activity is an excellent, hands-on

Disable DTP and set trunking manually.

ip dhcp snooping ip dhcp snooping vlan 10,20 interface g0/1 ip dhcp snooping trust interface range fa0/1-24 ip dhcp snooping limit rate 10 no ip dhcp snooping trust Now, only the uplink port can send DHCP Offer/ACK messages. Any rogue server on an access port will be ignored. That’s where comes in

interface g0/1 switchport trunk native vlan 999 Then, ensure VLAN 999 exists but is used nowhere else. No user devices, no DHCP, no routing.

Let’s break down what this lab teaches and why it matters in the real world. Imagine you are responsible for a corporate network. Users are in VLAN 10 (Employees) and VLAN 20 (Guests). The lab presents a simple topology: one multilayer switch (distribution), one layer 2 switch (access), and a few PCs.

Move the native VLAN to an unused, "dead-end" VLAN.

On the access ports connecting to end devices (Fa0/1, Fa0/2, etc.), you need to lock down the MAC addresses.