14.9.11 Packet Tracer - Layer 2 VLAN Security

Let's break down what this lab teaches and why it matters in the real world. Imagine you are responsible for a corporate network. Users are in VLAN 10 (Employees) and VLAN 20 (Guests). The lab presents a simple topology: one multilayer switch (distribution), one Layer 2 switch (access), and a few PCs.

By default, switches are trusting. And trust, in security, is a vulnerability.

interface g0/1
 switchport mode trunk
 switchport nonegotiate

The first command fixes the uplink as a trunk; the second stops it from sending DTP frames, so nothing attached to the port can negotiate a trunk with it. If a port is for a user, it should be an access port, period. Don't let devices negotiate their way into privilege.

Step 3: Changing the Native VLAN (Double Tagging Defense)

The Threat: In a double-tagging attack, the attacker sends a frame carrying two 802.1Q tags. The outer tag matches the trunk's native VLAN, so the first switch strips it and sends the frame across the trunk untagged, because native VLAN traffic is never tagged on a trunk. The inner tag (say, VLAN 10) is now the only tag on the frame, so the next switch reads it and delivers the frame into VLAN 10, letting the attacker hop into a restricted VLAN. Two conditions make this work: the attacker's access port must sit in the trunk's native VLAN, and the attack is one-way (no reply ever comes back), which is still enough for a crafted packet or a flood against a host in the target VLAN.

Instead of using VLAN 1 (the default native VLAN), change it to, for example, VLAN 999.

interface g0/1
 switchport trunk native vlan 999

Then, ensure VLAN 999 exists but is used nowhere else. No user devices, no DHCP, no routing. Set the same native VLAN on the distribution switch's end of the trunk: a mismatch is reported by CDP and spanning tree blocks the mismatched VLANs on that port.

Never use VLAN 1 for anything. Not for native VLAN, not for management, not for users. VLAN 1 is the universal key to many Layer 2 attacks.

Step 4: DHCP Snooping – Stopping the Rogue Server

The Threat: An attacker plugs in a laptop running a rogue DHCP server. When legitimate clients broadcast for an IP, the rogue server replies first, giving them a malicious gateway (the attacker, who now sits in the middle of their traffic) or a bogus DNS server (phishing).
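The steps above, as one worked example added by the editor (it is not the lab's answer key or the original post's code). HARDENED_CONFIG holds the access-switch configuration the steps produce: a static, DTP-silent trunk on an unused native VLAN, static access ports that also refuse DTP, DHCP snooping enabled for the user VLANs with the uplink trusted. WEAK_CONFIG is the same switch left at defaults. Both configs are constructed, not captured from a device, and the interface names (GigabitEthernet0/1 as the uplink, FastEthernet0/1 and 0/3 as user ports) are assumptions. The audit function reads a running-config the way a reviewer would, filling in the IOS defaults that the running-config leaves out (dynamic DTP mode, access VLAN 1, native VLAN 1) and reporting each weakness, including the precondition for double tagging: an access port in the same VLAN as the trunk's native VLAN.

```python
"""Audit a Cisco IOS running-config for the Layer 2 weaknesses this lab fixes.
Editor's example, not the lab's code. Parses only 'interface' blocks,
'switchport ...' lines and the global 'ip dhcp snooping' commands."""
import re
from typing import Dict, List, Set

# Constructed sample configs (not captured from a real switch).
WEAK_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 switchport mode dynamic auto
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode access
!
"""

HARDENED_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 ip dhcp snooping trust
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other unindented line ends the block
    return blocks


def audit(config: str) -> List[str]:
    """One finding per weakness; an empty list means the config passes."""
    findings: List[str] = []
    snooping_on = re.search(r"^ip dhcp snooping$", config, re.M) is not None
    snooped: Set[int] = set()
    for m in re.finditer(r"^ip dhcp snooping vlan (\S+)$", config, re.M):
        snooped |= {int(v) for v in m.group(1).split(",")}
    native_vlans: Set[int] = set()
    access_vlans: Set[int] = set()
    for name, cmds in parse_interfaces(config).items():
        # IOS defaults omitted from running-config: dynamic DTP, access VLAN 1, native VLAN 1
        mode, access_vlan, native_vlan = None, 1, 1
        for cmd in cmds:
            w = cmd.split()
            if w[:2] == ["switchport", "mode"]:
                mode = w[2]
            elif w[:3] == ["switchport", "access", "vlan"]:
                access_vlan = int(w[3])
            elif w[:4] == ["switchport", "trunk", "native", "vlan"]:
                native_vlan = int(w[4])
        if mode in (None, "dynamic"):
            findings.append(f"{name}: DTP can negotiate a trunk; set 'switchport mode access' or 'trunk'")
        elif "switchport nonegotiate" not in cmds:
            findings.append(f"{name}: DTP frames still sent; add 'switchport nonegotiate'")
        if mode == "access":
            access_vlans.add(access_vlan)
            if access_vlan == 1:
                findings.append(f"{name}: user port in VLAN 1; move it to a dedicated VLAN")
        else:  # a trunk, or a port DTP could turn into one
            native_vlans.add(native_vlan)
            if native_vlan == 1:
                findings.append(f"{name}: native VLAN is 1; set 'switchport trunk native vlan <unused>'")
            if mode == "trunk" and snooping_on and "ip dhcp snooping trust" not in cmds:
                findings.append(f"{name}: uplink not trusted; legitimate DHCP offers will be dropped")
    # Double tagging only works from an access port that sits in the trunk's native VLAN.
    for vlan in sorted(native_vlans & access_vlans):
        findings.append(f"VLAN {vlan}: both native and access VLAN; double-tagging attack possible")
    if not snooping_on:
        findings.append("DHCP snooping is off; a rogue server on any access port will answer clients")
    else:
        for vlan in sorted(access_vlans - snooped):
            findings.append(f"VLAN {vlan}: has user ports but is not in 'ip dhcp snooping vlan'")
    return findings
```

Running audit(WEAK_CONFIG) lists seven findings (negotiable uplink on native VLAN 1, user ports still sending DTP, a user port in VLAN 1 that makes double tagging feasible, and VLAN 1 not covered by snooping); audit(HARDENED_CONFIG) returns an empty list. Two caveats from practice: the distribution switch's end of the trunk needs the same native VLAN 999, and if clients stop getting addresses after enabling snooping, the switch is inserting DHCP option 82 with a zero giaddr that the server discards; `no ip dhcp snooping information option` on the access switch clears that up.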