Monday, July 9, 2012

General Layer 2 Security Recommendations

  • Put unused switch ports in an unused VLAN, and do not use VLAN 1.
  • Do not use the native VLAN on trunks.
    • The reason is that an attacker on an access port might be able to hop from its access port VLAN to a trunk's native VLAN by sending frames that begin with multiple 802.1Q headers.
  • Cisco suggests using a different native VLAN for each trunk.
  • Private VLANs restrict hosts on some ports from sending frames directly to each other.
  • Private VLANs are created with some number of selected ports in the primary VLAN, with other isolated & community ports in one or more secondary VLANs.
    • Isolated ports can send frames only to selected ports, and community ports can send frames to selected ports & other community ports in the same secondary VLAN.
  • Private VLANs could be applied generally for better security by making user ports isolated,
    • This allows them access only to ports such as routers, servers or other network services.
    • However, DHCP snooping, DAI & IP source guard are typically better choices.
  • Attackers use the default gateway to overcome the security provided by PVLANs,
    • To solve this, the router simply needs an inbound ACL that denies traffic whose source & destination IP addresses are in the same locally connected subnet.
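As an added example (not from the original post), the recommendations above written out as a Cisco IOS configuration: unused ports parked in a dead VLAN, a dedicated native VLAN per trunk, a private VLAN with one promiscuous ("selected"), several isolated and several community ports, and the router ACL that stops isolated hosts from reaching each other through the default gateway. All VLAN numbers, interface names and the 10.1.1.0/24 subnet are assumed placeholders, not values from the post.

```cisco
! --- Unused access ports: park them in a dead VLAN (not VLAN 1) and shut them down ---
! (assumed: VLAN 999 is reserved for unused ports, Gi0/10-24 are currently unused)
vlan 999
 name UNUSED-PORTS
!
interface range GigabitEthernet0/10 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! --- Trunk: a dedicated, otherwise unused native VLAN for this trunk, not VLAN 1 ---
! A double-tagged frame whose outer tag matches the native VLAN is only useful to an
! attacker if that VLAN is also his access VLAN; a per-trunk native VLAN with no hosts
! in it removes that condition.
vlan 998
 name NATIVE-UPLINK1
!
interface GigabitEthernet0/1
 description uplink to core (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Optional (platform dependent): tag the native VLAN too, so the trunk carries no
! untagged frames at all
vlan dot1q tag native
!
! --- Private VLAN: primary 200, isolated 201 for user ports, community 202 ---
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
vlan 201
 private-vlan isolated
!
vlan 202
 private-vlan community
!
! Promiscuous ("selected") port: the default gateway / server, reachable from both
! secondary VLANs
interface GigabitEthernet0/2
 description default gateway or server (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Isolated host ports: may send frames only to the promiscuous port
interface range GigabitEthernet0/3 - 6
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Community host ports: may send frames to each other and to the promiscuous port
interface range GigabitEthernet0/7 - 9
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! --- On the router: close the "bounce off the default gateway" hole ---
! An isolated host can still address a frame to the gateway MAC with a neighbour's IP
! and let the router forward it back into the same subnet. The inbound ACL drops any
! packet whose source and destination both lie in the locally connected subnet
! (10.1.1.0/24 assumed); "log" gives the SOC a record of attempts.
ip access-list extended PVLAN-NO-LOCAL-BOUNCE
 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/0
 description gateway for PVLAN 200 (assumed; on an L3 switch this is "interface Vlan200")
 ip address 10.1.1.1 255.255.255.0
 ip access-group PVLAN-NO-LOCAL-BOUNCE in
```

After applying it, `show interfaces trunk` confirms the native VLAN on each trunk, `show vlan private-vlan` lists the primary/secondary associations and their ports, and `show access-lists` shows the deny counter climbing whenever a host tries to reach a same-subnet neighbour through the gateway.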