
The first thing to understand is that a Layer 2 attack means the attacker is already on the network, so the goal is to limit what the attacker can reach from there.

Here is the basic topology we will be using:

a) MAC Spoofing/Flooding Attacks

The first thing to do is to protect the switch against MAC spoofing attacks.

On every access interface, enter the following commands:

interface g0/0
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict

What we did here is enable port-security, which in this example limits the port to a maximum of 3 MAC addresses. Beyond that the port goes into restrict mode, meaning it drops frames from the extra addresses and sends an SNMP trap, but keeps the port up (unlike shutdown mode, which disables the port).

The switchport port-security command protects against MAC spoofing and MAC flooding.

Let's try the MAC flooding attack from Parrot using the macof command:

Now we can go to the switch and check whether it shut down the G0/1 port (we changed the violation mode to shutdown for this test):

b) CDP Attacks:

CDP is a Cisco protocol that sends CDP neighbor packets so a device can discover its environment.

LLDP is an open standard protocol that does the same thing.

The problem with CDP is that an attacker can gather a lot of information about the network, because CDP advertises the switch's software version and other details.

There is a CDP attack available in the tool Yersinia.

The command we will use is:

#yersinia -G

From there a CDP attack can be launched from the graphical interface.

c) DHCP Starvation:

The first thing to do is to create a DHCP server on AD.

The second thing is to check whether the Windows 10 client machine received an IP address.

Let's go to the switch and configure DHCP snooping as protection against DHCP attacks:
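To check that the controls from all three sections (port-security on access ports, CDP disabled on access ports, DHCP snooping enabled globally and no trusted access ports) are actually present, here is an added config audit script. It is not part of the original lab; the sample running-config, hostname and interface names are constructed for the example.

```python
"""Audit a Cisco IOS running-config for the Layer 2 hardening covered in this lab."""
import re

# Constructed sample of 'show running-config' output (not from a real switch).
SAMPLE_CONFIG = """\
hostname SW1
!
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/0
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 no cdp enable
!
interface GigabitEthernet0/1
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode trunk
 ip dhcp snooping trust
!
"""

def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]} for every 'interface' stanza.
    IOS indents sub-commands with one space; '!' or any unindented line ends a stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces

def audit(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # only access ports are in scope for these checks
        if "switchport port-security" not in lines:
            findings.append(f"{name}: port-security not enabled")
        if "no cdp enable" not in lines:
            findings.append(f"{name}: CDP still enabled on an access port")
        if "ip dhcp snooping trust" in lines:
            findings.append(f"{name}: 'ip dhcp snooping trust' on an access port")
    # Global 'ip dhcp snooping' must be on its own line (not the 'vlan' or 'trust' forms).
    if not re.search(r"^ip dhcp snooping$", config, re.M):
        findings.append("global: ip dhcp snooping not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Paste the real output of `show running-config` into SAMPLE_CONFIG (or read it from a file) to audit a lab switch.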
