This layer is concerned with framing: packaging data into frames and delivering them across a single link.  It has two sublayers.  The media access control (MAC) sublayer owns the MAC address, which is the hardware “address” of the network interface card, and decides when a device may transmit on the shared medium.  The logical link control (LLC) sublayer sits between MAC and the network layer: it identifies which layer 3 protocol a frame carries and can provide flow control and error checking, so that the upper layers do not need to know which physical medium is underneath.  

Devices at this layer include:

Bridge – a device that connects two network segments, regenerates frames, and forwards or filters traffic between the segments according to MAC address.  It learns which MAC addresses live on each side, so traffic local to one segment is not repeated onto the other.

Note the term similarity between a “segment” of a network and a “segment”, the layer 4 (Transport layer) PDU.  

Switch – forwards Ethernet frames using a table of which MAC address was learned on which port, giving every port its own collision domain (CSMA/CD, the Ethernet medium access method, then only matters on half-duplex links).  A switch offers port blocking, port authentication, MAC filtering, and VLAN support.  Some switches can also operate at layer 3 and can route or filter by IP address as well.

Attack to be aware of:

VLAN Hopping – an attack that allows an attacker to send traffic into, or see traffic from, a VLAN they are not assigned to.  There are two types: switch spoofing, where the attacker’s port negotiates itself into a trunk (using DTP) and so carries every VLAN, and double tagging, where the attacker sends a frame with two 802.1Q tags so that the first switch strips the outer tag (which names the trunk’s native VLAN) and the next switch delivers the frame into the VLAN named by the inner tag.  Double tagging is one-way, since replies do not come back the same route.  Both can be prevented by securely configuring your VLANs and trunks according to organizational frameworks or manufacturer recommendations, in particular by disabling trunk negotiation on user-facing ports and by using a dedicated, unused VLAN as the native VLAN on trunks.  

Protocols at this layer include:

Address resolution protocol (ARP) is the protocol a device on a LAN segment uses to find the MAC address that belongs to an IPv4 address on the same segment: it broadcasts a request for the IP address, and the owner replies with its MAC address.  ARP has no authentication, so any host can answer for an address it does not own (ARP spoofing), which is why switches offer features that validate ARP replies against a trusted binding table.  
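The exchange above in bytes, as an added example that is not part of the original page: a builder and parser for the 28-byte IPv4-over-Ethernet ARP body behind the Ethernet header, plus a small check that records which MAC address each IP address claims and reports any later claim by a different MAC (the signal behind ARP spoofing detection).  The MAC and IP addresses in `SAMPLE_FRAMES` are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


@dataclass
class ArpPacket:
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header + ARP body for IPv4 over Ethernet (htype 1, ptype 0x0800)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    dst = BROADCAST if opcode == ARP_REQUEST else tha   # requests are broadcast
    eth = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sha + IPv4Address(sender_ip).packed + tha + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Decode an Ethernet frame carrying ARP; reject anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    body = frame[22:42]
    return ArpPacket(opcode, mac_to_str(body[0:6]), str(IPv4Address(body[6:10])),
                     mac_to_str(body[10:16]), str(IPv4Address(body[16:20])))


def detect_arp_conflicts(frames):
    """Remember the first MAC seen for each sender IP; report every later frame
    in which a different MAC claims that IP (e.g. someone answering for the gateway)."""
    claimed = {}
    alerts = []
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt.sender_ip == "0.0.0.0":      # ARP probe: the sender has no address yet
            continue
        first_mac = claimed.setdefault(pkt.sender_ip, pkt.sender_mac)
        if first_mac != pkt.sender_mac:
            alerts.append((pkt.sender_ip, first_mac, pkt.sender_mac))
    return alerts


# Constructed sample exchange: a host asks for the gateway, the gateway answers,
# then a second host also answers for the gateway's IP address.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, "02:00:00:00:00:10", "192.168.1.10",
                    "00:00:00:00:00:00", "192.168.1.1"),
    build_arp_frame(ARP_REPLY, "02:00:00:00:00:01", "192.168.1.1",
                    "02:00:00:00:00:10", "192.168.1.10"),
    build_arp_frame(ARP_REPLY, "02:00:00:00:00:66", "192.168.1.1",
                    "02:00:00:00:00:10", "192.168.1.10"),
]

if __name__ == "__main__":
    for ip, was, now in detect_arp_conflicts(SAMPLE_FRAMES):
        print(f"ARP conflict: {ip} was {was}, now claimed by {now}")
```

A conflict is only a signal, not proof: a replaced NIC or a gateway failover legitimately changes the MAC behind an IP, which is why switch-side ARP inspection validates replies against a binding table built from DHCP rather than against the first address it happened to see.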

Multiprotocol label switching (MPLS) is a forwarding technique, often described as sitting between layers 2 and 3, in which the ingress edge router (the label edge router, LER, also called an MPLS edge node) performs one normal routing lookup and then pushes a short label onto the packet; the label switching routers (LSRs) along the label switched path (LSP) forward the packet by swapping labels instead of doing IP lookups, and the egress edge router pops the label and delivers the packet normally.

Point-to-point protocol (PPP) is a standard layer 2 protocol (RFC 1661) for sending multiprotocol datagrams over point-to-point links, such as serial or dial-up lines between routers.  This layered protocol has three components:

  1. Encapsulation of multiprotocol datagrams, so that IP and other network-layer protocols can share one link
  2. Link control protocol (LCP) to establish, configure, and test the data-link connection.  It also negotiates settings, options, and the use of features such as authentication.
  3. Network control protocols (NCPs), one per network-layer protocol (for example IPCP for IP), used to negotiate optional configuration settings for that network-layer protocol.

Common security measures at layer 2 include:

  • Limit the number of MAC addresses allowed on a port (port security)
  • 802.1X – authenticate the device before the port carries traffic
  • Keep switch firmware and software patched
  • Intelligent network monitoring
  • Limit how long a learned MAC address stays bound to a port (port-security aging)
  • Drop frames from MAC addresses that are not in the port’s allowed list
  • Set the port-security violation action (restrict or shut down the port) and send notifications when it triggers
  • Use a dedicated, unused VLAN ID as the native VLAN on all trunk ports, and put no user ports in it
  • Disable unused ports
  • Disable auto-trunking on user-facing ports (set them explicitly to access mode)
  • Disable DTP so that ports cannot negotiate themselves into trunks
  • Filter traffic from untrusted sources (for example DHCP snooping and dynamic ARP inspection, which treat user-facing ports as untrusted)
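Most of the measures in the list above are visible in a switch configuration, so they can be audited rather than checked by hand.  The following is an added example, not from the original page: a small script that parses interface stanzas in Cisco IOS syntax (an assumption; other vendors use different commands) and reports ports that still allow DTP negotiation, access ports without port security or 802.1X, and trunks whose native VLAN is left at 1 or that carry every VLAN.  `SAMPLE_CONFIG` is a constructed excerpt that places a weak port beside its hardened counterpart for both an access port and a trunk; the commands in it are real IOS commands, but the interface names and VLAN numbers are made up for the example.

```python
SAMPLE_CONFIG = """\
! Constructed sample running-config excerpt (not from a real switch).
interface GigabitEthernet0/1
 description user port, left at defaults
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/23
 description uplink, hardened trunk
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet0/24
 description uplink, left negotiating
 switchport mode dynamic desirable
!
"""


def parse_interfaces(config_text: str) -> dict:
    """Map each 'interface X' stanza to the set of its (stripped) sub-commands."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = set()
        elif raw.startswith(" ") and current is not None:
            interfaces[current].add(raw.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return interfaces


def audit_config(config_text: str) -> list:
    """Return (interface, finding) pairs for ports that miss a layer 2 control."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if "shutdown" in cmds:
            continue                            # unused port is disabled: good
        mode_cmd = next((c for c in cmds if c.startswith("switchport mode ")), None)
        # Cisco's default is 'dynamic auto', i.e. DTP is enabled unless a mode is set.
        mode = mode_cmd.split()[2] if mode_cmd else "dynamic"
        if mode == "dynamic":
            findings.append((name, "auto-trunking: DTP can negotiate this port into a trunk"))
        elif "switchport nonegotiate" not in cmds:
            findings.append((name, "DTP not disabled (missing 'switchport nonegotiate')"))
        if mode == "access":
            if "switchport port-security" not in cmds:
                findings.append((name, "no port-security: MAC addresses per port not limited"))
            if not {"authentication port-control auto", "dot1x port-control auto"} & cmds:
                findings.append((name, "no 802.1X authentication"))
        if mode in ("trunk", "dynamic"):
            if not any(c.startswith("switchport trunk native vlan ") for c in cmds):
                findings.append((name, "native VLAN left at default 1 (double-tagging risk)"))
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append((name, "all VLANs allowed on trunk"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_config(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run against the sample, only the two “left at defaults” interfaces produce findings; the shut-down port is skipped because disabling an unused port is itself the control.  Patching and monitoring are not visible in a port configuration, so they stay on the checklist rather than in the script.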