This layer is concerned with processing frames. It has two parts: the media access control (MAC) address, which is the “address” of the network interface card, and the logical link control (LLC), which passes frames on to their next location.
Devices at this layer include:
Bridge – a device that amplifies signals and filters traffic between segments according to MAC address.
Note the term similarity between “segment” of a network and “segment” of the PDU layer 4 (Transport layer).
Switch – enables Ethernet transmissions with CSMA/CD and offers port blocking, port authentication, MAC filtering, and VLAN support. Some switches can also operate at layer 3 and filter on IP addresses as well.
Attack to be aware of:
VLAN hopping – an attack that lets an attacker see traffic from other VLANs. There are two variants, switch spoofing and double tagging, both of which can be prevented by securely configuring your VLANs according to organizational frameworks or manufacturer recommendations.
Protocols at this layer include:
The address resolution protocol (ARP) is used between two devices on a LAN segment to resolve IP addresses to MAC addresses.
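To make the layer 2 framing concrete, here is an added example (my own code, not part of the original notes) that decodes a constructed Ethernet II frame carrying an ARP packet and applies two checks a defender would want from ARP inspection: that the ARP sender hardware address matches the frame's Ethernet source MAC, and that an IP address has not suddenly started answering from a different MAC. The frames, MAC addresses and IP addresses are all constructed sample data; a production inspector would validate bindings against a DHCP snooping table rather than a table learned from ARP itself.

```python
import struct

# Added example: Ethernet II + ARP decoding with two defender-side sanity checks.
# Every frame below is constructed sample data, not captured traffic.

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Construct a sample Ethernet II frame carrying an Ethernet/IPv4 ARP packet."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == 1 else target_mac  # requests are broadcast
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    # eth_src lets a sample frame deliberately disagree with the ARP sender MAC.
    header = struct.pack("!6s6sH", mac_bytes(eth_dst),
                         mac_bytes(eth_src or sender_mac), ETHERTYPE_ARP)
    return header + arp


def parse_ethernet(frame):
    """Split a frame into its Ethernet II header fields and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP packet into named fields."""
    if len(payload) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": ARP_OPCODES.get(oper, oper), "sender_mac": mac_str(sha),
            "sender_ip": ip_str(spa), "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpInspector:
    """Tracks IP -> MAC bindings seen on the segment and flags suspicious ARP."""

    def __init__(self):
        self.bindings = {}  # ip -> mac learned from earlier ARP traffic (assumption: learned, not DHCP-snooped)

    def inspect(self, frame):
        eth = parse_ethernet(frame)
        if eth["ethertype"] != ETHERTYPE_ARP:
            return None  # not ARP, nothing to inspect here
        arp = parse_arp(eth["payload"])
        findings = []
        # Check 1: the ARP sender hardware address should match the frame's source MAC.
        if arp["sender_mac"] != eth["src"]:
            findings.append("sender MAC does not match Ethernet source MAC")
        # Check 2: an IP that suddenly maps to a different MAC deserves a look.
        known = self.bindings.get(arp["sender_ip"])
        if known is not None and known != arp["sender_mac"]:
            findings.append(f"{arp['sender_ip']} moved from {known} to {arp['sender_mac']}")
        self.bindings[arp["sender_ip"]] = arp["sender_mac"]
        arp["findings"] = findings
        return arp


if __name__ == "__main__":
    inspector = ArpInspector()
    request = build_arp_frame(1, "02:00:00:00:00:0a", "192.168.1.10",
                              "00:00:00:00:00:00", "192.168.1.1")
    print(inspector.inspect(request))
```

Run as a script it prints the decoded request with an empty findings list; feeding a later reply for the same IP from a different MAC, or a frame whose Ethernet source disagrees with the ARP sender field, fills in the findings.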
Multiprotocol label switching (MPLS) is a protocol that finds the destination router (called an MPLS edge node) by doing a normal lookup, then applies a label that defines a label switched path (LSP) and forwards the traffic through label switching routers (LSRs).
Point-to-point protocol (PPP) is a standard layer 2 protocol for sending multiprotocol datagrams over point-to-point links, such as links between switches/routers. This layered protocol has three components:
- Encapsulation of multiprotocol datagrams
- Link control protocol (LCP) to establish, configure, and test the link. It also negotiates settings, options, and the use of features.
- Network control protocols (NCPs) used to negotiate optional configuration settings for the network layer protocols.
Common security measures at layer 2 include:
- Limit MAC addresses on a port
- 802.1x – device authentication
- Patching and updates
- Intelligent network monitoring
- Limit the amount of time a MAC address can be on a port
- Set parameters to ignore unknown MAC addresses
- Set port locking and notifications
- Use a dedicated VLAN ID for all trunk ports
- Disable unused ports
- Disable auto-trunking on user-facing ports
- Disable DTP (Dynamic Trunking Protocol)
- Filter untrusted sources
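Several of the measures above (limiting the MAC addresses on a port, aging a MAC out of the table after a set time, ignoring unknown MAC addresses once the port is locked, and raising a notification) can be modelled in a few lines. The following is an added example of my own, not code from the original notes or from any switch vendor; the port name, limits and the frame sequence are constructed sample values, and the "shut down on violation" behaviour is one assumed policy choice among several that real switches offer.

```python
# Added example: a model of one switch port with port-security style controls.
# Port names, limits and the event trace are constructed sample data.


class SecurePort:
    """One switch port with a bounded, aging table of learned source MACs."""

    def __init__(self, name, max_macs=2, aging_seconds=300):
        self.name = name
        self.max_macs = max_macs          # "limit MAC addresses on a port"
        self.aging_seconds = aging_seconds  # "limit the time a MAC can be on a port"
        self.table = {}                   # mac -> last time a frame was seen from it
        self.shutdown = False             # "port locking"
        self.notifications = []           # "notifications"

    def _expire(self, now):
        """Drop table entries that have not been seen within the aging window."""
        stale = [mac for mac, seen in self.table.items() if now - seen > self.aging_seconds]
        for mac in stale:
            del self.table[mac]

    def handle_frame(self, src_mac, now):
        """Decide what the port does with a frame from src_mac arriving at time now."""
        if self.shutdown:
            return "dropped"               # locked port ignores every MAC, known or not
        self._expire(now)
        if src_mac in self.table:
            self.table[src_mac] = now      # refresh the aging timer
            return "forwarded"
        if len(self.table) >= self.max_macs:
            # More MACs than allowed: lock the port and notify (assumed policy).
            self.shutdown = True
            self.notifications.append(
                f"{self.name}: MAC limit {self.max_macs} exceeded by {src_mac} at t={now}; port shut down")
            return "violation"
        self.table[src_mac] = now
        return "learned"


def run_trace(port, events):
    """Feed (src_mac, time) events to a port and collect the per-frame decisions."""
    return [port.handle_frame(mac, t) for mac, t in events]


if __name__ == "__main__":
    # Constructed trace: two legitimate hosts, then a third MAC appears on the same port.
    access = SecurePort("access-port-1", max_macs=2, aging_seconds=300)
    trace = [("02:aa:00:00:00:01", 0), ("02:bb:00:00:00:02", 10),
             ("02:aa:00:00:00:01", 20), ("02:cc:00:00:00:03", 30),
             ("02:aa:00:00:00:01", 40)]
    for (mac, t), decision in zip(trace, run_trace(access, trace)):
        print(f"t={t:>3} {mac} -> {decision}")
    print(access.notifications)
```

The second half of the behaviour, aging, shows up when a port sees no traffic from a learned MAC for longer than the aging window: the entry is removed and a new MAC can be learned without tripping the limit, which is the trade-off the "limit the amount of time" measure makes between convenience and strictness.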
Fibre Channel over Ethernet (FCoE) has the following benefits in some implementations:
- It can provide a single layer 2 environment to manage.
- It encapsulates the Fibre Channel protocols and does not carry the overhead of the packet delivery guarantees that layer 4 of the OSI model provides.
- Also, when implemented correctly, FCoE can mimic the lightweight nature of native Fibre Channel protocols and media, within the performance limitations of the Ethernet environment.
Point-to-point protocol over Ethernet (PPPoE) allows layer 2 networks to create a virtual point-to-point connection. It is used for DSL and has a four-step handshake that allows clients to connect to a PPPoE server and obtain an IP address, which is released when the connection is terminated so that the internet service provider can reuse it.
Arbitration refers to a network's decision-making process for who gets to transmit, and deconfliction simply means the process of preventing conflicts between two stations; these two terms are included mostly for informational purposes.
There are two kinds of protocols that address this problem: polling protocols and contention-based protocols.
With polling, only one station at a time is allowed to transmit, and it is given a specific amount of time on the network after a poll is conducted by a controller. For more detailed information, see: https://www.geeksforgeeks.org/controlled-access-protocols-in-computer-network/
As more nodes are added to the network, bandwidth degrades in a predictable manner.
Issues to consider are the dependency on the controller and the high overhead of polling messages.
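The two properties just stated, that bandwidth degrades predictably as stations are added and that polling messages cost airtime even when a station has nothing to send, can be seen in a small round-robin polling simulation. This is an added example of my own rather than material from the notes or the linked article; the time units and message costs (one unit per poll, one unit per "nothing to send" reply, ten units per data frame) are assumed values chosen only to make the arithmetic easy to follow.

```python
# Added example: a controller polling N stations in round-robin order.
# Costs are in abstract time units and are assumed values, not measurements.


def simulate_polling(queues, poll_cost=1, reply_cost=1, frame_cost=10, frames_per_poll=1):
    """Poll stations round-robin until every queue is empty; return a timing breakdown.

    queues[i] is the number of frames station i has waiting. A polled station with
    data sends up to frames_per_poll frames; an idle station still answers the poll
    with a short reply, which is pure overhead.
    """
    pending = list(queues)
    total = data = control = 0
    polls = 0
    while any(pending):
        for i, waiting in enumerate(pending):
            # The controller's poll message occupies the medium on every turn.
            total += poll_cost
            control += poll_cost
            polls += 1
            if waiting:
                sent = min(waiting, frames_per_poll)
                pending[i] -= sent
                total += sent * frame_cost
                data += sent * frame_cost
            else:
                # Idle station: "nothing to send" reply is overhead, not goodput.
                total += reply_cost
                control += reply_cost
    return {"total_time": total, "data_time": data, "control_time": control,
            "polls": polls, "efficiency": data / total if total else 0.0}


def per_station_share(n_stations, **costs):
    """Fraction of the medium each station gets when all n stations are equally busy."""
    result = simulate_polling([1] * n_stations, **costs)
    return result["efficiency"] / n_stations


if __name__ == "__main__":
    print(simulate_polling([1, 1, 1]))      # three busy stations
    print(simulate_polling([2, 0, 0]))      # one busy station, two idle ones still polled
    for n in (2, 4, 8, 16):
        print(n, "stations -> share per station", round(per_station_share(n), 4))
```

With every station busy the efficiency stays at frame_cost / (frame_cost + poll_cost) while each station's share falls as 1/N, which is the predictable degradation the notes describe; with most stations idle, the polls and empty replies consume a growing fraction of the cycle, which is the polling overhead issue.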