This layer is concerned with framing: it packages network-layer packets into frames, addresses them to the next hop on the local segment, and detects transmission errors. It is split into two sublayers. The media access control (MAC) sublayer handles physical addressing, using the MAC address burned into or configured on the network interface card, and decides when the card may put a frame on the shared medium. The logical link control (LLC) sublayer sits above it and gives the network layer a uniform interface, multiplexing upper-layer protocols and providing optional flow and error control.

Devices at this layer include:

Bridge – a device that connects two network segments and forwards or filters frames between them according to destination MAC address, so traffic local to one segment is not repeated onto the other. (A device that merely amplifies or regenerates the signal is a repeater, which operates at layer 1.)

Note the term similarity between a “segment” of a network and the “segment” that is the PDU of layer 4 (the Transport layer); the two are unrelated.  

Switch – a multi-port bridge that forwards Ethernet frames according to a table of learned MAC addresses. Ethernet’s access method is CSMA/CD, but because each switch port is its own collision domain (and full-duplex links have no collisions at all), switches largely remove the contention that hubs suffer from. Switches offer port blocking, port authentication (802.1X), MAC filtering, and VLAN support.  Some switches can also operate at layer 3, routing between subnets and filtering on IP addresses as well.

Virtual Local Area Networks (VLANs)

VLANs allow network administrators to create virtual LAN segments on a switch, grouping or isolating ports into separate broadcast domains regardless of where the devices physically sit. Devices within the same VLAN communicate as if they were on a single physical network, and because broadcasts stay inside the VLAN, performance improves and delays are reduced.

Since each VLAN is a separate layer 2 network, communication between VLANs requires a layer 3 device such as a router or a layer 3 switch. VLANs confine broadcast traffic, reducing congestion and limiting the reach of some network attacks (an ARP-spoofing attacker, for example, can only poison hosts in its own VLAN). They also simplify management: a user who moves or needs different access can be reassigned by changing a port’s VLAN rather than recabling. However, VLANs alone don’t guarantee security. While they restrict which devices can talk to each other directly, attacks like VLAN hopping can still expose traffic between VLANs, and a misconfigured trunk or inter-VLAN routing can undo the isolation. Treat VLANs as one layer of defence and use them alongside other protective measures.

Attack to be aware of:

VLAN Hopping – an attack that lets a host in one VLAN send or receive traffic in another.  There are two types. In switch spoofing the attacker’s port negotiates itself into a trunk (for example by answering Dynamic Trunking Protocol, DTP, negotiation), after which the attacker can tag frames for any VLAN carried on that trunk. In double tagging the attacker sends a frame carrying two 802.1Q tags: the outer tag matches the trunk’s native VLAN and is stripped by the first switch, so the inner tag delivers the frame into a victim VLAN on the next switch (this variant is one-way, since replies do not come back). Both are prevented by securely configuring your switches according to organizational frameworks or manufacturer recommendations: disable DTP and auto-trunking on user-facing ports and set them explicitly to access mode, and use a dedicated, otherwise unused VLAN ID as the native VLAN on trunks (or tag the native VLAN).  
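The double-tagging variant is easiest to understand by walking a frame through the two trunk decisions that matter. The following is an added example written for this page, not switch firmware or code from the original notes. It is a simplified model: it assumes the attacker sits on an access port in `attacker_vlan` (so the outer tag must equal that VLAN for the port to accept the frame), models only the sending switch’s native-VLAN untagging on trunk egress and the receiving switch’s VLAN assignment on trunk ingress, and ignores MAC learning, spanning tree and every other switch function. The function names and the VLAN numbers are invented for the demonstration.

```python
# Added example: simplified model of 802.1Q tag handling across a trunk,
# used to show why double tagging works and why a dedicated native VLAN
# (or tagging the native VLAN) stops it. Illustrative code only.
import struct

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800


def build_frame(dst, src, vlan_tags, ethertype=ETH_P_IP, payload=b""):
    """Build an Ethernet frame with zero or more 802.1Q tags (outermost first)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlan_tags:
        # TPID 0x8100 followed by the TCI: PCP=0, DEI=0, 12-bit VLAN ID
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def strip_outer_tag(frame):
    """Remove the 4-byte tag that follows the two MAC addresses."""
    return frame[:12] + frame[16:]


def trunk_egress(frame, native_vlan, tag_native=False):
    """Sending switch: frames in the native VLAN leave the trunk untagged,
    so a tag whose VID equals the native VLAN is removed (unless the switch
    is configured to tag the native VLAN)."""
    _, _, vids, _, _ = parse_frame(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return strip_outer_tag(frame)
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """Receiving switch: a tagged frame belongs to the VLAN in its outer tag,
    an untagged frame belongs to the trunk's native VLAN."""
    _, _, vids, _, _ = parse_frame(frame)
    return vids[0] if vids else native_vlan


def double_tag_attack(attacker_vlan, victim_vlan, native_vlan, tag_native=False):
    """Return the VLAN the attacker's double-tagged frame ends up in on the
    far switch. attacker_vlan is the access VLAN of the attacker's port, which
    is the only outer tag the access port would accept from it."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        [attacker_vlan, victim_vlan], payload=b"hello")
    on_wire = trunk_egress(frame, native_vlan, tag_native)
    return trunk_ingress_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    # Weak config: attacker's access VLAN 1 is also the trunk's native VLAN.
    print("native=1, no tagging   ->", double_tag_attack(1, 20, 1))
    # Hardened: native VLAN is an unused ID that no access port belongs to.
    print("native=999             ->", double_tag_attack(1, 20, 999))
    # Hardened: native VLAN is tagged on the trunk, so nothing is stripped.
    print("native=1, tag native   ->", double_tag_attack(1, 20, 1, tag_native=True))
```

With the weak configuration the outer tag (VLAN 1) is stripped on the trunk and the inner tag carries the frame into VLAN 20; with either hardening the outer tag survives and the frame stays in the attacker’s own VLAN. The model does not attempt to show switch spoofing, which is a DTP negotiation problem rather than a tag-handling one.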

Protocols at this layer include:

Address resolution protocol (ARP) is the protocol a device on a LAN segment uses to find the MAC address that corresponds to an IPv4 address it wants to reach: it broadcasts a request for the IP address, the owner replies with its MAC address, and the requester caches the mapping. ARP carries no authentication, which is what makes the next attack possible.  

ARP Poisoning (Spoofing)
ARP poisoning injects forged ARP replies (or requests) into a segment, tricking hosts into recording the attacker’s MAC address against another host’s IP address, typically the default gateway. Because many stacks accept unsolicited replies and simply overwrite their cache, the victim’s traffic is then delivered to the attacker, who can forward it on after reading or altering it. This makes ARP poisoning a key method for Man-in-the-Middle (MITM) attacks on a LAN. Countermeasures include static ARP entries for critical hosts, Dynamic ARP Inspection on the switch (which checks ARP messages against the DHCP snooping binding table), and monitoring for IP-to-MAC changes.
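A simple way to see the “monitoring for IP-to-MAC changes” countermeasure in action is to run it over some ARP traffic. The following is an added example for this page, not a tool from the original notes: a small detector that reads tcpdump-style ARP lines, remembers the first MAC seen for each IP (or a supplied static table), and alerts when an IP is later claimed by a different MAC, when a reply arrives that nobody asked for, or when one MAC claims several IPs. The sample lines are constructed for the demonstration, and the line format is the common `tcpdump -n` ARP summary; any real deployment would feed it a live capture instead.

```python
# Added example: ARP-cache poisoning detector over constructed tcpdump-style lines.
import re
from collections import defaultdict

REQUEST_RE = re.compile(r"ARP, Request who-has ([0-9.]+) (?:\(\S+\) )?tell ([0-9.]+)")
REPLY_RE = re.compile(r"ARP, Reply ([0-9.]+) is-at ([0-9a-f:]{17})")

# Constructed sample traffic (not a real capture). Host .10 resolves the gateway .1
# and a peer .20 normally; then an attacker at aa:bb:cc:dd:ee:ff claims the gateway's
# IP towards the host and the host's IP towards the gateway (classic two-sided MITM).
SAMPLE_LINES = """\
10:00:00.100 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
10:00:00.101 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:05.000 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
10:00:05.001 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:66, length 28
10:00:09.500 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
10:00:09.600 ARP, Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:ff, length 28
""".splitlines()


def analyze_arp(lines, known_static=None):
    """Return (bindings, alerts). bindings is the ip -> mac table the detector
    trusts (static entries first, then first-seen replies); alerts is a list of
    human-readable strings, one per suspicious reply."""
    bindings = dict(known_static or {})   # ip -> mac believed to be correct
    pending = defaultdict(set)            # ip -> requesters still waiting for a reply
    claims = defaultdict(set)             # mac -> set of IPs it has claimed
    alerts = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            target, requester = m.group(1), m.group(2)
            pending[target].add(requester)
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2)
        ts = line.split()[0]
        if ip in bindings and bindings[ip] != mac:
            # the IP was already bound to another MAC: the classic poisoning signature
            alerts.append(f"{ts} POISON? {ip} changed from {bindings[ip]} to {mac}")
        elif not pending.get(ip):
            # nobody on the segment asked for this IP, yet someone answered
            alerts.append(f"{ts} UNSOLICITED reply: {ip} is-at {mac}")
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append(f"{ts} MULTI-IP: {mac} now claims {sorted(claims[mac])}")
        bindings.setdefault(ip, mac)      # keep the first (or static) binding as trusted
        pending[ip].clear()
    return bindings, alerts


if __name__ == "__main__":
    table, found = analyze_arp(SAMPLE_LINES)
    for a in found:
        print(a)
```

Keeping the first-seen binding is a deliberate choice: a detector that followed each change would simply track the attacker. In production the trusted table should come from DHCP snooping or an inventory rather than first sight, and legitimate changes (a replaced NIC, a VRRP failover) will need an allow-list to avoid false positives.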

Fibre Channel
Fibre Channel is a high-speed networking technology designed for large-scale data storage (storage area networks). It supports speeds up to 64Gbps over optical or electrical connections, with 128Gbps and 256Gbps planned. Fibre Channel does not follow the OSI model; it has its own simpler five-level structure (FC-0 through FC-4) covering the physical media, encoding, framing and flow control, common services, and the mapping of upper-layer protocols such as SCSI.

Not all networks follow the OSI model, so security professionals should understand alternative architectures like Fibre Channel. More details can be found at the Fibre Channel Industry Association. Note: “Fibre” is the spelling used by the standard, not “Fiber.”

Fibre Channel over Ethernet (FCoE) has the following benefits in some implementations:

-It can provide a single Layer 2 environment to manage, with storage and data traffic sharing one Ethernet fabric.

-It encapsulates Fibre Channel frames directly in Ethernet frames, so it does not carry the overhead of the Layer 4 delivery guarantees (TCP) that protocols such as iSCSI rely on; instead it depends on a lossless Ethernet fabric (Data Center Bridging) to avoid dropped frames.

-Also, when implemented correctly, FCoE keeps the lightweight nature of native Fibre Channel protocols and media, within the performance limitations of the Ethernet environment.

Multiprotocol label switching (MPLS) forwards packets by short labels instead of per-hop IP lookups. The router at the edge of the MPLS network (the label edge router, or MPLS edge node) does one normal routing lookup, attaches a label, and sends the packet along a pre-established label switched path (LSP). Each label switching router (LSR) along the path forwards the packet by swapping the label rather than by examining the IP header, and the egress edge router removes the label before normal delivery. Because the label sits between the layer 2 header and the IP header, MPLS is often described as operating at “layer 2.5.”

Point-to-point protocol (PPP) is a layer 2 standard protocol for sending multiprotocol datagrams over point-to-point links, such as a serial or dial-up link between two routers.  This layered protocol has three components:

  1. Encapsulation of multiprotocol datagrams
  2. Link control protocol (LCP) to establish, configure, and test the link.  It also negotiates settings, options, and the use of features.
  3. Network control protocols (NCPs) used to establish and configure each network layer protocol carried over the link, for example IPCP to negotiate IP addresses and related options. 

Load Management

Networks need a way to control when devices send data to avoid interference from multiple devices transmitting at the same time. If not managed, these collisions can disrupt communication. There are two main methods to handle this: polling protocols, where a central system decides who can send data, and contention-based protocols, where devices compete for the chance to transmit.

Although these protocols are categorized as Layer 2 in the OSI model, they are often built into hardware or firmware that also handles Layer 1 tasks. The OSI model doesn’t strictly separate these layers but instead defines the functions and data formats needed for smooth communication.

Common security measures at layer 2 include:

  • Limit the number of MAC addresses allowed on a port (port security)
  • 802.1X – device authentication before the port passes traffic
  • Apply patches and firmware updates to switches
  • Intelligent network monitoring
  • Limit how long a learned MAC address stays bound to a port (port-security aging)
  • Drop frames from MAC addresses that are not learned or allowed on the port
  • Set port locking and violation notifications
  • Use a dedicated, otherwise unused VLAN ID as the native VLAN on all trunk ports
  • Disable unused ports
  • Disable auto-trunking on user-facing ports (set them to access mode)
  • Disable DTP
  • Filter untrusted sources, for example with DHCP snooping and Dynamic ARP Inspection, which reject DHCP and ARP messages from ports not marked as trusted

Point-to-Point Protocol over Ethernet (PPPoE) lets a layer 2 Ethernet network carry a virtual point-to-point connection.  It is commonly used for DSL. A four-step discovery handshake (PADI, PADO, PADR, PADS) lets the client find a PPPoE server (the access concentrator) and agree on a session ID; PPP then runs inside that session and, through IPCP, assigns the client an IP address, which is released when the connection is terminated so the internet service provider can reuse it.

Arbitration refers to a network’s decision-making process for which station gets to transmit, and deconfliction simply means preventing two stations from transmitting at the same time; these two terms are here mostly for informational purposes.  

There are two families of protocols that address this problem: polling protocols and contention-based protocols.  

With polling, only one station is allowed to transmit at a time: a controller polls each station in turn and, when polled, the station is given a specific amount of time on the medium.  For more detailed information about it, go here: https://www.geeksforgeeks.org/controlled-access-protocols-in-computer-network/

As more nodes are added to the network, the bandwidth available to each one degrades in a predictable manner, since the controller’s polling cycle grows with the node count.  

Issues to consider are the dependency on the controller (a single point of failure) and the high overhead of polling messages, which are sent whether or not a station has anything to transmit.

Layer 2 Threats and Countermeasures

Common Layer 2 Threats:

  • MAC spoofing/cloning – Imitating another device’s MAC address to receive its traffic, bypass MAC-based filtering, or impersonate it.
  • MAC flooding – Sending frames with thousands of random source addresses to fill the switch’s MAC (CAM) table; once it is full the switch floods unknown-destination frames out of every port, behaving like a hub, so the attacker can sniff traffic meant for other hosts.
  • VLAN hopping – Exploiting trunk negotiation or 802.1Q tagging to reach VLANs the port should not have access to.
  • Broadcast storms – Flooding the network with broadcast frames (often the result of a switching loop) to overwhelm it.
  • MAC sniffing – Capturing data from passing frames for reconnaissance.

These attacks can disrupt networks, enable unauthorized access, or set up Man-in-the-Middle (MITM) attacks to intercept communication. Successful Layer 2 attacks may also help attackers gain deeper control over the network.
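The MAC flooding threat above and the “limit MAC addresses on a port” countermeasure in the earlier list are two sides of the same mechanism, so a single model shows both. The following is an added example written for this page, not vendor switch code: a toy switch with a deliberately tiny MAC table (8 entries, an assumption chosen to keep the run short) that learns source addresses, floods unknown destinations, and optionally enforces a per-port MAC limit whose violation action is assumed to be shutting the port down. The port names, MAC addresses and the aging step are all constructed for the demonstration.

```python
# Added example: toy CAM table showing MAC flooding and port security. Not vendor code;
# the table size, the shutdown violation action and the explicit age-out are assumptions.
import random


class Switch:
    def __init__(self, ports, cam_size=8, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = {}                      # learned mac -> port
        self.cam_size = cam_size           # assumed small capacity for the demo
        self.max_macs = max_macs_per_port  # port-security limit, None = disabled
        self.shutdown = set()              # ports err-disabled by a violation
        self.stats = {"flooded": 0, "switched": 0, "violations": 0}

    def macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def age_out(self):
        """Simulate the aging timer expiring on every entry at once."""
        self.cam.clear()

    def learn(self, src, in_port):
        if src in self.cam:
            return
        if self.max_macs is not None and self.macs_on_port(in_port) >= self.max_macs:
            # port-security violation: assumed action is to shut the port down
            self.shutdown.add(in_port)
            self.stats["violations"] += 1
            return
        if len(self.cam) < self.cam_size:
            self.cam[src] = in_port
        # when the table is full the address is simply not learned

    def forward(self, src, dst, in_port):
        """Return the set of ports the frame is sent out of."""
        if in_port in self.shutdown:
            return set()
        self.learn(src, in_port)
        out = self.cam.get(dst)
        if out is None:
            # unknown (or broadcast) destination: flood to every other live port
            self.stats["flooded"] += 1
            return {p for p in self.ports if p != in_port and p not in self.shutdown}
        if out == in_port:
            return set()                   # destination is behind the same port
        self.stats["switched"] += 1
        return {out}


def random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def flooding_demo(max_macs_per_port=None, seed=1):
    """Victim on Gi1 talks to a server on Gi2 while an attacker on Gi3 floods fake
    source MACs. Returns where the victim's unicast frame goes before and after."""
    rng = random.Random(seed)
    sw = Switch(["Gi1", "Gi2", "Gi3"], cam_size=8, max_macs_per_port=max_macs_per_port)
    victim, server = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(victim, server, "Gi1")      # both sides get learned
    sw.forward(server, victim, "Gi2")
    before = sw.forward(victim, server, "Gi1")
    sw.age_out()                           # idle entries expire; relearning must compete
    for _ in range(50):                    # attacker fills the table with junk
        sw.forward(random_mac(rng), "ff:ff:ff:ff:ff:ff", "Gi3")
    sw.forward(server, victim, "Gi2")      # server tries to relearn
    after = sw.forward(victim, server, "Gi1")
    return {"before": before, "after": after,
            "attacker_port_down": "Gi3" in sw.shutdown,
            "cam_entries": len(sw.cam), "violations": sw.stats["violations"]}


if __name__ == "__main__":
    print("no port security :", flooding_demo())
    print("max 1 MAC / port :", flooding_demo(max_macs_per_port=1))
```

Without port security the table fills with the attacker’s addresses, the victim and server cannot be relearned, and the victim’s unicast frame is flooded to Gi3 as well as Gi2. With a limit of one address per port the attacker’s second fake source trips a violation, Gi3 is disabled, and the unicast stays on Gi2. Real access ports usually get a limit of a few addresses plus sticky learning, and real tables hold thousands of entries; the mechanism is the same.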

Counter Measures:

  • Configure network interfaces (NICs) securely.
  • Monitor critical services like ARP and DHCP for anomalies.
  • Properly set up VLANs to prevent unauthorized access.
  • Secure switch ports to block rogue connections.
  • Use Layer 2 intrusion detection/prevention systems to identify threats.

Attention to these details helps protect networks from Layer 2 attacks.