GIAC GDSA Certification · Domain 2 of 6

GIAC GDSA — Network Layer Defense

Layer 1/2/3 attacks and mitigations, VLANs, ARP poisoning, MAC spoofing, DHCP starvation, 802.1X, NAC, and IPv6 security — the network foundation of defensible architecture.

OSI Layers: L1 · L2 · L3
Modern Protocols: + IPv6
Exam Length: 75 Qs
Passing Score: 63%

What This Domain Covers

This domain covers defensive techniques at the lowest network layers — physical, data link, and network — plus IPv6. Understanding how attacks work at each layer is prerequisite to designing controls that prevent them.

  • 🔌 Layer 3 Defense: CIDR, routing attacks, SNMP/NTP hardening, bogon filtering, ACLs
  • 🔀 Layer 2 Defense: VLANs, ARP poisoning, MAC spoofing, DHCP starvation, VLAN hopping, CDP
  • 🔑 802.1X & NAC: Port-based authentication and network access control for identity-based admission
  • 🌐 IPv6 Security: Addressing, dual-stack, tunneling risks, and Router Advertisement attack mitigation

🎯 GDSA Exam Approach for This Domain

Expect attack → mitigation pairing questions: "An attacker performs X attack — which control prevents it?" Know the attack mechanism, which OSI layer it operates on, and the specific Cisco/vendor feature or protocol that mitigates it. Don't just know what ARP poisoning is — know that Dynamic ARP Inspection (DAI) is the mitigation and that it requires DHCP Snooping to be enabled first.

Key Concepts Deep Dive


🔌 Layer 3 Defense: Routing, SNMP, NTP, Bogon Filtering (High Frequency)
CIDR, routing attacks, management protocol hardening

CIDR and Routing Fundamentals

  • CIDR (Classless Inter-Domain Routing): Replaces classful addressing — allows flexible subnet sizing. /24 = 256 addresses, /16 = 65,536 addresses (the network and broadcast addresses come out of that total, so usable hosts are two fewer). Critical for designing segmented networks
  • Route poisoning / BGP hijacking: Attackers advertise false routes to redirect traffic. Mitigation: BGP route filtering, RPKI (Resource Public Key Infrastructure) for origin validation, MD5 authentication on BGP peers
  • IP spoofing: Attackers forge source IP addresses. Mitigation: Ingress filtering (BCP38/RFC 2827) — ISPs/edge routers drop packets with source IPs that shouldn't originate from that interface

SNMP Security

⚔️ Attacks
  • SNMPv1/v2c use community strings in cleartext — easily sniffed
  • Default "public" community string exploited for enumeration
  • Write access (SNMP SET) can modify device configuration
🛡️ Mitigations
  • Upgrade to SNMPv3 — authentication (MD5/SHA) + encryption (DES/AES)
  • Restrict SNMP access to management VLAN via ACLs
  • Disable SNMP entirely on devices that don't need it
  • Use non-default community strings if v1/v2 required

NTP Security

  • NTP attacks: Time manipulation can break log correlation, invalidate certificates, and cause Kerberos authentication failures (5-minute clock skew tolerance)
  • NTP amplification DDoS: Uses monlist command to reflect large NTP responses at victims
  • Mitigations: NTPv4 with authentication, disable monlist (noquery), use internal NTP hierarchy with trusted external time sources, restrict NTP to management network

Bogon Filtering

  • Bogons: IP addresses that should never appear on the public internet — RFC 1918 private ranges (10.x, 172.16-31.x, 192.168.x), loopback (127.x), link-local/APIPA (169.254.x), and unallocated ranges
  • Why filter bogons: Prevents IP address spoofing from private/non-routable ranges, blocks traffic that couldn't possibly be legitimate on the internet
  • Implementation: ACLs at perimeter routers dropping packets with bogon source addresses; subscribe to Team Cymru Bogon Reference for updated lists
💡 Exam tip: SNMPv3 is the only secure SNMP version. v1/v2c transmit community strings in cleartext. Know that NTP time manipulation breaks Kerberos (5-min tolerance).
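The bogon and ingress-filtering bullets above (and the RFC 1918 table in the Quick Reference) as an added worked example, not code from the page or from any vendor: a per-interface BCP38 source check in Python combined with the page's static bogon list, plus a renderer that turns that list into IOS ACL lines with wildcard masks. The site prefix, interface names and sample packets are constructed; the Team Cymru feed that supplies the changing unallocated ranges is not fetched here.

```python
from ipaddress import ip_address, ip_network

# Fixed bogon prefixes named on this page. Unallocated space changes over time, so a real
# deployment merges in the Team Cymru Bogon Reference feed; this static list is the stable core.
STATIC_BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8",        # "this network"
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local / APIPA
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
)]

# Constructed site block: TEST-NET-3 (a documentation range) stands in for a real public allocation.
SITE_PREFIXES = [ip_network("203.0.113.0/24")]


def is_bogon(src: str, bogons=STATIC_BOGONS) -> bool:
    """True if the source address lies inside any bogon prefix."""
    addr = ip_address(src)
    return any(addr in net for net in bogons)


def verdict(iface: str, src: str, site=SITE_PREFIXES, internet_iface: str = "outside") -> str:
    """BCP38/RFC 2827 per-interface source check combined with bogon filtering.

    From the internet: drop bogon sources and drop packets that claim one of our own prefixes
    (they cannot legitimately arrive from outside). From the inside: drop anything whose source
    is not ours, so the site never emits spoofed traffic either.
    """
    addr = ip_address(src)
    ours = any(addr in net for net in site)
    if iface == internet_iface:
        if is_bogon(src):
            return "drop: bogon source"
        if ours:
            return "drop: our own prefix arriving from the internet (spoofed)"
        return "permit"
    return "permit" if ours else "drop: egress source not in site prefixes"


def cisco_acl(name: str, bogons=STATIC_BOGONS) -> list:
    """Render the bogon list as IOS extended-ACL lines; the wildcard mask is the inverted netmask."""
    lines = [f"ip access-list extended {name}"]
    for net in bogons:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return lines


# Constructed sample packets: (ingress interface, source IP)
SAMPLES = [
    ("outside", "10.1.2.3"),       # RFC 1918 source from the internet -> bogon
    ("outside", "203.0.113.7"),    # our own prefix arriving from outside -> spoofed
    ("outside", "198.51.100.9"),   # ordinary internet source (TEST-NET-2) -> permit
    ("inside", "203.0.113.7"),     # our host leaving the site -> permit
    ("inside", "192.0.2.44"),      # inside host using someone else's address -> drop
]


def audit(samples=SAMPLES) -> dict:
    """Apply the policy to each sample; keys are 'iface src'."""
    return {f"{iface} {src}": verdict(iface, src) for iface, src in samples}
```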
🔀 Layer 2 Attacks: VLANs, ARP, MAC, DHCP (Very High Frequency)
The most common switch-level attack vectors

VLAN Security

  • VLANs: Logical segmentation at Layer 2 — separate broadcast domains. Tag-based (802.1Q). Trunk links carry multiple VLANs; access ports carry one
  • Native VLAN: Untagged traffic on a trunk port. Default is VLAN 1 — never use VLAN 1 for user traffic; change native VLAN to unused VLAN
  • VLAN hopping (double-tagging): Attacker on native VLAN sends double-tagged frames — outer tag stripped by first switch, inner tag forwards frame into target VLAN. Prevention: change native VLAN to unused VLAN, enable explicit tagging on all trunk ports
  • VLAN hopping (DTP spoofing): Attacker negotiates a trunk link by sending DTP frames, gaining access to all VLANs. Prevention: switchport mode access on all access ports, disable DTP with switchport nonegotiate

ARP Cache Poisoning

⚔️ How It Works
  • ARP is stateless — gratuitous ARP accepted without request
  • Attacker sends forged ARP replies mapping victim's IP to attacker's MAC
  • Enables MITM: traffic flows through attacker before reaching destination
🛡️ Mitigations
  • Dynamic ARP Inspection (DAI): Validates ARP packets against DHCP Snooping binding table; drops invalid mappings
  • Static ARP entries for critical hosts (gateways)
  • Network monitoring for duplicate MAC/IP mappings

MAC Spoofing & Flooding

  • MAC spoofing: Attacker changes their MAC to impersonate another host. Mitigation: Port security (limit MACs per port, shutdown on violation), 802.1X authentication
  • MAC flooding: Attacker floods switch with thousands of fake MACs, filling the CAM table, causing the switch to broadcast all traffic (fail-open). Mitigation: Port security with maximum MAC count, 802.1X

DHCP Starvation & Rogue DHCP

⚔️ Attack
  • DHCP starvation: exhausts all IP leases with spoofed MAC requests → DoS
  • Rogue DHCP: attacker provides IP, gateway, and DNS → MITM or DNS hijacking
🛡️ DHCP Snooping
  • Marks switch ports as trusted (uplinks) or untrusted (access ports)
  • Untrusted ports: only DHCP client requests allowed (DISCOVER, REQUEST)
  • Trusted ports: DHCP server responses allowed (OFFER, ACK)
  • Maintains binding table used by DAI and IP Source Guard

CDP (Cisco Discovery Protocol)

  • Risk: CDP broadcasts device information (model, IOS version, IP, capabilities) unencrypted to all adjacent devices — invaluable attacker reconnaissance data
  • Mitigation: Disable CDP on all access ports (no cdp enable on interface); enable only on trunk uplinks to other network equipment if required for network management
💡 Key dependency chain: DHCP Snooping must be enabled BEFORE DAI and IP Source Guard. DAI uses the DHCP snooping binding table to validate ARP. This dependency appears in exam questions.
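The dependency chain above, together with the ARP-poisoning and DHCP Snooping bullets and the IP Source Guard FAQ, as an added example in Python (constructed for this page, not Cisco code or anything from the original): a small in-memory access switch that applies port trust to DHCP, builds the binding table from the leases it sees, and then lets DAI and IP Source Guard validate ARP replies and IP sources against that table. Port names, MACs and addresses are constructed. The last case shows the wrong order: DAI turned on with an empty snooping table drops every dynamic ARP from untrusted ports.

```python
from dataclasses import dataclass, field

DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # only legitimate on trusted (uplink) ports
DHCP_CLIENT_MSGS = {"DISCOVER", "REQUEST"}      # what an untrusted access port may send


@dataclass
class AccessSwitch:
    """Toy model of first-hop security on one switch (constructed, not vendor code)."""
    trusted_ports: frozenset                      # uplinks toward the real DHCP server
    dai_enabled: bool = False                     # Dynamic ARP Inspection
    ipsg_enabled: bool = False                    # IP Source Guard
    bindings: dict = field(default_factory=dict)  # DHCP Snooping table: mac -> (ip, port)
    pending: dict = field(default_factory=dict)   # mac -> access port of an outstanding request
    log: list = field(default_factory=list)

    def _drop(self, why: str) -> str:
        self.log.append(why)
        return "drop"

    def dhcp(self, port: str, msg: str, mac: str, ip: str = "") -> str:
        """DHCP Snooping: server messages only from trusted ports; learn bindings from ACKs."""
        if msg in DHCP_SERVER_MSGS and port not in self.trusted_ports:
            return self._drop(f"rogue DHCP {msg} on untrusted port {port}")
        if msg in DHCP_CLIENT_MSGS:
            self.pending[mac] = port              # remember which access port asked
        elif msg == "ACK" and mac in self.pending:
            # the lease is bound to the client's port, not to the uplink the ACK arrived on
            self.bindings[mac] = (ip, self.pending.pop(mac))
        return "forward"

    def _validate(self, feature: str, enabled: bool, port: str, mac: str, ip: str) -> str:
        """Shared DAI/IPSG rule: trusted ports pass; untrusted ports need a matching binding."""
        if not enabled or port in self.trusted_ports:
            return "forward"
        if self.bindings.get(mac) == (ip, port):
            return "forward"
        return self._drop(f"{feature}: {ip}/{mac} on {port} has no snooping binding")

    def arp_reply(self, port: str, sender_mac: str, sender_ip: str) -> str:
        """DAI: ARP replies on untrusted ports must match the snooping table."""
        return self._validate("DAI", self.dai_enabled, port, sender_mac, sender_ip)

    def ip_packet(self, port: str, src_mac: str, src_ip: str) -> str:
        """IP Source Guard: source IP/MAC on untrusted ports must match the table."""
        return self._validate("IPSG", self.ipsg_enabled, port, src_mac, src_ip)


def demo() -> dict:
    """Walk the chain in the documented order with constructed traffic; return the verdicts."""
    sw = AccessSwitch(trusted_ports=frozenset({"Gi0/1"}))
    client, attacker, gateway = "aa:aa:aa:00:00:05", "bb:bb:bb:00:00:07", "10.0.10.1"
    # 1. DHCP Snooping: the lease is learned because OFFER/ACK came through the trusted uplink
    sw.dhcp("Gi0/5", "DISCOVER", client)
    sw.dhcp("Gi0/1", "OFFER", client, "10.0.10.50")
    sw.dhcp("Gi0/5", "REQUEST", client)
    sw.dhcp("Gi0/1", "ACK", client, "10.0.10.50")
    rogue_offer = sw.dhcp("Gi0/7", "OFFER", client, "10.0.10.99")   # rogue server on an access port
    # 2. DAI can now validate ARP against the table
    sw.dai_enabled = True
    good_arp = sw.arp_reply("Gi0/5", client, "10.0.10.50")
    poison = sw.arp_reply("Gi0/7", attacker, gateway)               # "the gateway is at my MAC"
    # 3. IP Source Guard reuses the same table
    sw.ipsg_enabled = True
    spoof = sw.ip_packet("Gi0/7", attacker, "10.0.10.50")           # borrowed the client's IP
    # Wrong order: DAI with an empty snooping table drops every dynamic ARP on untrusted ports
    bare = AccessSwitch(trusted_ports=frozenset({"Gi0/1"}), dai_enabled=True)
    no_table = bare.arp_reply("Gi0/5", client, "10.0.10.50")
    return {"rogue_offer": rogue_offer, "good_arp": good_arp, "poison": poison,
            "spoof": spoof, "dai_without_snooping": no_table, "bindings": len(sw.bindings)}
```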
🔑 802.1X Port-Based Authentication & NAC (Very High Frequency)
Identity-based network access control
  • 802.1X components:
    • Supplicant: The client device requesting access (runs 802.1X client software)
    • Authenticator: The switch or WAP that enforces access control; passes credentials to authentication server
    • Authentication Server: Typically a RADIUS server (e.g., FreeRADIUS, Cisco ISE, Microsoft NPS) that validates credentials and sends access-accept or access-reject
  • EAP (Extensible Authentication Protocol): The authentication framework used within 802.1X. Common variants: EAP-TLS (certificate-based, strongest), EAP-PEAP (password + TLS tunnel), EAP-TTLS
  • Port states: Unauthorized (only EAP traffic allowed), Authorized (full network access), Guest VLAN (limited access for failed authentication or devices without 802.1X support)
  • Machine authentication vs user authentication: Machine auth validates the device certificate before login; user auth validates credentials at login time. Both together provide the strongest assurance
  • MAB (MAC Authentication Bypass): For devices that can't run 802.1X (printers, IP phones). Authenticates by MAC address — weaker than 802.1X but better than no authentication

Network Access Control (NAC)

  • NAC extends 802.1X: Adds posture assessment — checks device health (patch status, AV signature, OS version) before granting full access
  • Remediation VLAN: Non-compliant devices placed in restricted VLAN for patching/remediation before gaining production access
  • Agentless vs agent-based: Agent-based provides deeper posture assessment; agentless uses network scanning (less visibility)
  • Guest access: NAC can provision time-limited guest credentials with internet-only access in a segmented guest VLAN
💡 802.1X + NAC is the primary Layer 2 identity control. For the exam: 802.1X authenticates the device/user; NAC validates device health. Together they implement Zero Trust at the access layer.
🌐 IPv6 Security: Addressing, Dual-Stack, RA Attacks (High Frequency)
The security implications of IPv6 in enterprise environments

IPv6 Fundamentals

  • Address format: 128-bit addresses written in hexadecimal (e.g., 2001:db8::1). Provides 2^128 addresses — no NAT required, every device can have a globally unique address
  • Address types: Unicast (one-to-one), Multicast (one-to-many), Anycast (one-to-nearest). No broadcast in IPv6 — replaced by multicast
  • Link-local addresses: FE80::/10 — automatically configured, not routable. Used for neighbor discovery and SLAAC
  • Global unicast: 2000::/3 — publicly routable, allocated by IANA/RIRs
  • Neighbor Discovery Protocol (NDP): IPv6 replacement for ARP. Uses ICMPv6 messages — also exploitable (ND spoofing equivalent to ARP poisoning)

Dual-Stack Risks

  • Dual-stack: Device runs both IPv4 and IPv6 simultaneously. Most modern OSes enable IPv6 by default
  • Security gap: Organizations secure IPv4 perimeter but ignore IPv6 traffic — attackers use IPv6 to bypass IPv4-only security controls (firewalls, IDS rules)
  • Mitigation: Apply equivalent security policies to both IPv4 and IPv6 traffic; if IPv6 isn't needed, disable it at the OS and network level

Tunneling Risks

  • 6to4, Teredo, ISATAP: IPv6-over-IPv4 tunneling protocols. Can bypass IPv4 security controls by encapsulating IPv6 traffic in IPv4 packets
  • Mitigation: Block tunneling protocols at the perimeter (block proto 41 for 6in4, filter UDP 3544 for Teredo); explicitly disable Teredo in Windows group policy

Router Advertisement (RA) Attacks

⚔️ RA Attack Mechanism
  • IPv6 uses Router Advertisement messages (ICMPv6 type 134) for SLAAC — hosts auto-configure their address and default gateway from RA messages
  • Attacker sends forged RA messages claiming to be the default router → redirects all traffic through attacker (MITM) or creates DoS via conflicting gateway announcements
🛡️ RA Guard
  • RA Guard (RFC 6105): switch feature that blocks RA messages arriving on access ports (untrusted) — only uplink ports can receive RAs
  • Equivalent to DHCP Snooping but for IPv6 Router Advertisements
  • Combine with DHCPv6 snooping for full IPv6 MITM prevention
💡 RA attacks are the IPv6 equivalent of ARP poisoning + rogue DHCP combined. RA Guard = DHCP Snooping for IPv6. Both protect against rogue first-hop router attacks.
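The RA mechanism and the RA Guard rule above as an added example in Python (constructed for this page, not the project's or any vendor's code): a parser for the ICMPv6 Router Advertisement body (RFC 4861 layout, type 134) that pulls out the router's link-layer address and the SLAAC prefixes, and an RA Guard decision that applies the page's rule (no RAs on untrusted ports) plus two extra checks this example assumes a policy on trusted ports would enforce: an expected router MAC and the site's own prefixes. Port names, MACs, prefixes and the RA test payloads are constructed; checksums are left zero and nothing is sent.

```python
import struct
from ipaddress import IPv6Address, ip_network

ICMPV6_RA = 134            # ICMPv6 type: Router Advertisement
OPT_SRC_LLADDR = 1         # option: source link-layer address (the router's MAC)
OPT_PREFIX_INFO = 3        # option: Prefix Information (what SLAAC hosts configure from)


def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 RA body (RFC 4861 layout) into its header fields and options."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _t, _c, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "router_lifetime": lifetime,
          "src_lladdr": None, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]      # length is in 8-octet units
        if opt_len == 0:
            raise ValueError("malformed option: zero length")
        body = payload[off + 2: off + opt_len * 8]
        if opt_type == OPT_SRC_LLADDR and opt_len == 1:
            ra["src_lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            # body: prefix length, flags, valid lifetime, preferred lifetime, reserved, prefix
            ra["prefixes"].append(ip_network(f"{IPv6Address(body[14:30])}/{body[0]}", strict=False))
        off += opt_len * 8
    return ra


def sample_ra(router_mac: bytes, prefix: str, plen: int = 64, lifetime: int = 1800) -> bytes:
    """Constructed RA payload used as test input (checksum left zero; never transmitted)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    sll = bytes([OPT_SRC_LLADDR, 1]) + router_mac
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + sll + pio + IPv6Address(prefix).packed


def ra_guard(port: str, trusted: set, site_prefixes: list, known_routers: set, payload: bytes) -> str:
    """RA Guard verdict: the page's rule (drop RAs on untrusted ports), then on trusted ports the
    two extra checks this example assumes a policy would add: expected router MAC, site prefixes."""
    if port not in trusted:
        return "drop: RA on untrusted port"
    ra = parse_ra(payload)
    if ra["src_lladdr"] not in known_routers:
        return "drop: unexpected router MAC"
    for p in ra["prefixes"]:
        if not any(p.subnet_of(site) for site in site_prefixes):
            return f"drop: prefix {p} not allowed"
    return "forward"


TRUSTED = {"Gi0/1"}                                  # uplink toward the real router
SITE_PREFIXES = [ip_network("2001:db8:10::/48")]     # constructed site allocation
KNOWN_ROUTERS = {"00:11:22:33:44:01"}                # constructed uplink router MAC


def demo() -> dict:
    """Run the guard over a legitimate RA and two forged ones; return the verdicts."""
    good = sample_ra(bytes.fromhex("001122334401"), "2001:db8:10:1::")
    forged = sample_ra(bytes.fromhex("bbbbbb000007"), "2001:db8:10:1::")
    off_site = sample_ra(bytes.fromhex("001122334401"), "2001:db8:99::")

    def check(port: str, pkt: bytes) -> str:
        return ra_guard(port, TRUSTED, SITE_PREFIXES, KNOWN_ROUTERS, pkt)

    return {"legit_on_uplink": check("Gi0/1", good),
            "forged_on_access_port": check("Gi0/7", forged),
            "forged_mac_on_uplink": check("Gi0/1", forged),
            "foreign_prefix_on_uplink": check("Gi0/1", off_site)}
```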
🛠️ Layer 2/3 Auditing and Benchmark Tools (Medium Frequency)
Tools for assessing and validating network security posture
  • Wireshark: Packet capture and protocol analysis — identify ARP anomalies, duplicate MAC/IP mappings, cleartext protocol use, rogue DHCP servers
  • Nmap: Network scanner — discover hosts, open ports, and OS fingerprinting. Use for asset inventory and attack surface discovery
  • arp-scan / arpwatch: Monitor ARP activity — detect new MAC-IP mappings, MAC address changes (indicator of ARP poisoning or MAC spoofing)
  • netdiscover: Active/passive ARP reconnaissance tool — quickly map Layer 2 topology and identify hosts
  • CIS Benchmarks: Vendor-specific hardening guides for Cisco, Juniper, and other network equipment. Reference standard for Layer 2/3 configuration auditing
  • RANCID/Oxidized: Network device configuration management — track configuration changes, detect unauthorized modifications, backup configs
  • Nipper: Automated network device configuration auditing tool — identifies insecure SNMP, weak authentication, unnecessary services
  • IPv6 assessment: THC-IPv6 toolkit, SI6 Networks' IPv6 toolkit — test for RA vulnerabilities, ND spoofing, tunneling misconfigurations
💡 For the exam: know what each tool reveals, not just its name. Arpwatch detects new/changed ARP mappings (indicator of poisoning). CIS Benchmarks are the hardening reference standard.

Domain 2 Study Checklist

  • Concept: Explain ARP cache poisoning mechanism and the DAI mitigation dependency chain
    ARP is stateless → gratuitous ARP accepted → DAI needs DHCP Snooping binding table to validate
  • Exam Prep: Know both VLAN hopping methods and their specific prevention controls
    Double-tagging: change native VLAN. DTP spoofing: switchport mode access + switchport nonegotiate
  • Concept: Understand DHCP Snooping: trusted vs untrusted ports and the binding table
    Trusted ports = uplinks/DHCP servers. Untrusted = access ports. Binding table used by DAI and IP Source Guard
  • Exam Prep: Know the 802.1X three-component model: supplicant, authenticator, RADIUS server
    Supplicant = client. Authenticator = switch/WAP. RADIUS = authentication server. EAP transports credentials
  • Concept: Distinguish MAC spoofing vs MAC flooding — different mitigations
    Spoofing = impersonate host (port security/802.1X). Flooding = CAM table overflow (port security max MAC count)
  • Exam Prep: Know SNMPv3 features vs v1/v2c — authentication and encryption options
    v3: auth (MD5/SHA) + encryption (DES/AES). v1/v2c: community strings in cleartext. Always upgrade to v3
  • Concept: Understand NTP attacks: time manipulation → Kerberos failure; NTP amplification → DDoS
    Kerberos has 5-minute clock skew tolerance. NTP monlist amplification; disable monlist, use NTPv4 with auth
  • Concept: Define bogon filtering and RFC 1918 private ranges
    10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16. Ingress filter at perimeter
  • Exam Prep: Know CDP risks and why it should be disabled on access ports
    CDP advertises device model, IOS version, IP, capabilities — reconnaissance gold mine. Disable on all access ports
  • Concept: Understand IPv6 dual-stack security gap — IPv4 controls don't cover IPv6 traffic
    Most firewalls/IDS have IPv4 rules but no IPv6 rules. Attackers use IPv6 to bypass IPv4 security
  • Exam Prep: Know IPv6 Router Advertisement attacks and RA Guard mitigation
    Forged RA → rogue default gateway → MITM. RA Guard blocks RA messages on untrusted (access) ports
  • Concept: Understand IPv6 tunneling protocols (6to4, Teredo, ISATAP) and bypass risks
    Encapsulate IPv6 in IPv4 → bypass IPv4-only controls. Block proto 41 and UDP 3544 at perimeter
  • Practice (lab): Configure DHCP Snooping, DAI, and Port Security on a test switch
    See the dependency chain in action — configure snooping first, then DAI, then verify binding table
  • Practice (lab): Configure 802.1X on a test switch port using a RADIUS server
    Test both EAP-TLS (cert-based) and EAP-PEAP (password) authentication; observe guest VLAN assignment
  • Concept: Know the difference between NAC posture assessment and 802.1X authentication
    802.1X = is this device/user authorized? NAC posture = is this device healthy (patched, AV current)?
  • Exam Prep: Know EAP variants: EAP-TLS (strongest), EAP-PEAP, EAP-TTLS — and their relative strength
    EAP-TLS = mutual certificate authentication (strongest). PEAP = password in TLS tunnel. TTLS = similar to PEAP
  • Practice: Use Wireshark to capture and analyze ARP traffic on a lab network
    Identify gratuitous ARP, duplicate IP mappings, and ARP request/response patterns
  • Exam Prep: Review CIS Benchmarks for a Cisco IOS device — identify Layer 2/3 hardening items
    Focus on: disable CDP, enable DHCP snooping, port security, SNMPv3, NTP authentication, unused port shutdown

Quick Reference

Attack-to-mitigation mappings — study these cold.

Layer 2 Attack → Mitigation Matrix

Attack | Mechanism | Mitigation
ARP Poisoning | Forged gratuitous ARP | Dynamic ARP Inspection (DAI)
MAC Flooding | CAM table overflow | Port Security (max MACs)
MAC Spoofing | Impersonate host MAC | 802.1X, Port Security
DHCP Starvation | Exhaust IP pool | DHCP Snooping (untrusted ports)
Rogue DHCP | Fake DHCP server | DHCP Snooping (trusted ports)
VLAN Hopping (DTP) | Trunk negotiation | switchport nonegotiate
VLAN Hopping (tag) | Double-tag native VLAN | Change native VLAN, tag all
CDP Recon | Device info broadcast | Disable CDP on access ports

SNMP Version Comparison

Feature | v1/v2c | v3
Authentication | Community string (cleartext) | MD5 or SHA
Encryption | None | DES or AES
Access control | Community string only | User-based (USM)
GDSA recommendation | ❌ Avoid / restrict to Mgmt VLAN | ✅ Required

802.1X EAP Methods Comparison

Method | Auth Mechanism | Strength
EAP-TLS | Mutual certificates | ⭐⭐⭐ Highest
EAP-PEAP | Password in TLS tunnel | ⭐⭐ Medium
EAP-TTLS | Various in TLS tunnel | ⭐⭐ Medium
EAP-MD5 | Password hash (no TLS) | ⭐ Weak — avoid
MAB | MAC address only | ⭐ Weakest — last resort

IPv6 Security Reference

Threat | IPv4 Equivalent | Mitigation
ND Spoofing | ARP Poisoning | ND Inspection / SEND
RA Attack | Rogue DHCP | RA Guard (RFC 6105)
DHCPv6 Rogue | Rogue DHCP | DHCPv6 Snooping
Tunneling bypass | N/A | Block proto 41, UDP 3544
Dual-stack gap | N/A | Apply matching IPv6 ACLs

Cisco Switch Hardening Commands

! DHCP Snooping (global configuration)
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Set uplink as trusted
interface Gi0/1
 ip dhcp snooping trust
! DAI (global; requires DHCP snooping to be enabled first)
ip arp inspection vlan 10,20
! On each user-facing access port: disable DTP first (port-security is only accepted on access ports)
switchport mode access
switchport nonegotiate
! Port Security: enable it, then set the limit and violation action
switchport port-security
switchport port-security maximum 3
switchport port-security violation shutdown
! Disable CDP on access port
no cdp enable

RFC 1918 Private Ranges (Bogons)

Range | Size | Class equiv.
10.0.0.0/8 | 16.7M hosts | Class A
172.16.0.0/12 | 1M hosts | Class B
192.168.0.0/16 | 65K hosts | Class C
127.0.0.0/8 | Loopback | Never route
169.254.0.0/16 | Link-local/APIPA | Never route
0.0.0.0/8 | This network | Never route


Domain 2 Study Plan

Days 1–3 · Layer 2 Attacks Deep Dive

  • Study each Layer 2 attack mechanism with Wireshark packet captures where possible
  • Lab: Set up DHCP Snooping, then configure DAI — observe the binding table dependency
  • Lab: Test VLAN hopping using a double-tagging attack in a safe lab environment
  • Memorize the attack → mitigation table from the Reference tab

Days 4–5 · 802.1X and NAC

  • Configure 802.1X on a test switch with a FreeRADIUS server — test EAP-TLS and EAP-PEAP
  • Understand the difference between machine auth, user auth, and MAB — when to use each
  • Study NAC posture assessment and remediation VLAN concepts

Days 6–7 · Layer 3 and IPv6

  • Review SNMPv3 configuration — understand USM (User-based Security Model) and VACM
  • Study IPv6 addressing thoroughly — practice subnetting /64 and /48 prefixes
  • Configure RA Guard on a test switch; verify it blocks RA on access ports
  • Test blocking IPv6 tunneling protocols (proto 41, UDP 3544) in a firewall rule set

Days 8–9 · Hardening and Exam Practice

  • Review CIS Benchmarks for Cisco IOS — complete the Layer 2/3 hardening checklist
  • Practice 40+ questions on Layer 2 attack/mitigation pairs
  • Build a personal "attack → mechanism → mitigation → Cisco command" reference sheet

Common GDSA Exam Mistakes — Domain 2

1. Forgetting that DAI requires DHCP Snooping to be enabled first

The most common dependency mistake

What Goes Wrong

Candidates recommend "enable DAI to prevent ARP poisoning" without knowing that DAI requires a DHCP Snooping binding table to function. Without DHCP Snooping, DAI has no trusted MAC-IP mappings to validate ARP against and will drop all dynamic ARP.

The Fix

Enable DHCP Snooping first → this builds the binding table of legitimate MAC-IP pairs → then enable DAI → DAI validates ARP packets against the binding table. Order: Snooping → DAI → (optionally) IP Source Guard.

🛡️ Dependency order: DHCP Snooping → Dynamic ARP Inspection → IP Source Guard. Never enable DAI without Snooping first.
2. Thinking VLANs provide full segmentation security

VLANs don't stop intra-VLAN attacks

What Goes Wrong

Candidates say "we put Finance in VLAN 10 and HR in VLAN 20 so they're isolated." But all Finance hosts in VLAN 10 can still attack each other freely. ARP poisoning, MAC flooding, and lateral movement all work within a VLAN.

The Fix

VLANs prevent inter-VLAN attacks (without routing). Intra-VLAN attacks require: Port Security, DHCP Snooping + DAI, Private VLANs (PVLAN), or micro-segmentation to prevent lateral movement between hosts in the same VLAN.

🛡️ VLANs = inter-VLAN separation. Port Security + DHCP Snooping + DAI = intra-VLAN protection.
3. Overlooking IPv6 as an attack vector when IPv4 is the focus

Dual-stack creates an undefended IPv6 path

What Goes Wrong

An organization deploys strict IPv4 firewalls and IDS rules but ignores that all Windows/Linux/Mac hosts have IPv6 enabled by default. Attackers use IPv6 tunneling (Teredo) or native IPv6 link-local connections to bypass IPv4 controls entirely.

The Fix

Either (1) deploy full IPv6 security controls equivalent to IPv4 (RA Guard, IPv6 ACLs, IPv6 IDS signatures), or (2) disable IPv6 at the OS level via Group Policy on Windows and sysctl on Linux where IPv6 is not needed.

🛡️ If you don't use IPv6, disable it. If you do, apply identical security controls to IPv6 as IPv4. There's no safe middle ground.
4. Using SNMP v1/v2c without access restrictions

Cleartext community strings visible to any sniffer

What Goes Wrong

Leaving SNMP v1/v2c enabled with default "public" community string or even a custom string. Any attacker who can sniff traffic on the management network captures the community string and can enumerate (or even modify, if write community is set) all network devices.

The Fix

(1) Upgrade to SNMPv3 with authPriv security level (authentication + encryption). (2) If v1/v2c is unavoidable, restrict access via SNMP ACL to management VLAN IPs only. (3) Never configure SNMP write access unless absolutely required.

🛡️ SNMPv3 authPriv is the only acceptable SNMP configuration. v1/v2c = plaintext credentials.
5. Confusing 802.1X authentication with NAC posture assessment

Authentication ≠ health check

What Goes Wrong

Candidates say "802.1X ensures only healthy devices connect." 802.1X authenticates identity (is this device/user authorized?) but does NOT check device health. A fully authenticated device with an unpatched OS and no AV still gets access.

The Fix

802.1X = authentication (identity verification). NAC = posture assessment (device health: patch status, AV, OS version). Use them together: 802.1X grants initial admission; NAC then checks device health and can quarantine non-compliant devices to a remediation VLAN.

🛡️ 802.1X answers "who are you?" NAC answers "are you healthy?" Both are needed for complete access control.

Frequently Asked Questions

What is IP Source Guard and how does it relate to DHCP Snooping?
IP Source Guard is a switch feature that validates source IP addresses against the DHCP Snooping binding table. It prevents IP address spoofing at the access layer by dropping packets from a port that don't match the expected MAC-IP binding. Like DAI, it requires DHCP Snooping to be enabled first to build the binding table. IP Source Guard protects against IP spoofing; DAI protects against ARP poisoning — both use the same binding table.

What is a Private VLAN (PVLAN) and when is it used?
Private VLANs add isolation within a single VLAN. In a PVLAN, isolated ports can only communicate with the promiscuous port (the gateway/uplink) — not with other isolated ports in the same VLAN. This is used in hosting environments where multiple tenants share infrastructure but must be isolated from each other. It prevents intra-VLAN lateral movement without requiring a separate VLAN per host.

Why is disabling CDP important for security?
CDP (Cisco Discovery Protocol) broadcasts device details — model number, IOS version, IP addresses, capabilities, and port information — to all directly connected devices every 60 seconds. An attacker on an access port receives this broadcast and gains detailed enumeration data about network infrastructure with no effort. Disable CDP on all user-facing access ports; only enable it on trunk links between network devices where it's needed for legitimate network management.

How does VLAN hopping via double-tagging work and why is it hard to detect?
Double-tag VLAN hopping exploits 802.1Q's handling of the native VLAN. An attacker on the native VLAN sends a frame with two VLAN tags: outer tag matches the native VLAN, inner tag is the target VLAN. The first switch strips the outer tag (it matches the native VLAN) and forwards the frame with only the inner tag toward the target VLAN — the attacker's frame appears to originate from the target VLAN. Prevention: change the native VLAN to an unused VLAN that no hosts or attackers are on, and explicitly tag all traffic on trunk links.

What is SLAAC in IPv6 and why does it create security concerns?
SLAAC (Stateless Address Autoconfiguration) allows IPv6 hosts to automatically configure their own IP addresses based on Router Advertisement messages — no DHCPv6 server required. The security concern: there's no inherent authentication for RA messages, so an attacker can send forged RAs claiming to be the default router, causing all hosts to send their traffic through the attacker (man-in-the-middle). RA Guard mitigates this by blocking RA messages on untrusted access ports.

What is the difference between a Trunk port and an Access port on a switch?
An access port carries traffic for a single VLAN (untagged). A trunk port carries traffic for multiple VLANs simultaneously, using 802.1Q tags to identify which VLAN each frame belongs to. Trunk ports are used for uplinks between switches and for server connections that need access to multiple VLANs. Security: all user-facing access ports should be explicitly set to access mode (switchport mode access) to prevent DTP-based VLAN hopping attacks.

What is BGP route hijacking and how is it mitigated?
BGP route hijacking occurs when an autonomous system (AS) advertises IP prefixes it doesn't own, causing internet routers to direct traffic to the attacker's infrastructure instead of the legitimate destination. This has been used for large-scale traffic interception and cryptocurrency theft. Mitigations include RPKI (Resource Public Key Infrastructure), which cryptographically validates route origins, BGP route filtering with prefix lists, and IRR (Internet Routing Registry) filtering to only accept routes from legitimate sources.