Layer-2 Security
Layer-2 security features constrain who can use a switchport and how much damage a bad edge can cause. netverdict models the common training and review behaviours: port security, DHCP snooping, Dynamic ARP Inspection, IP Source Guard, 802.1X/MAB, UDLD, BPDU guard, root guard, DTP-effective trunking, and storm protection.
Support level
| Area | Level | Notes |
|---|---|---|
| Port security | Supported | Static/sticky MACs, maximum MACs, violation modes. |
| DHCP snooping | Behaviour model | Trusted ports and binding table from DHCP ACKs. |
| Dynamic ARP Inspection | Supported | ARP packets on untrusted ports are checked against snooping bindings. |
| IP Source Guard | Supported | IP traffic on guarded ports must match binding state. |
| 802.1X / MAB | Behaviour model | Port authorization state from configured identity outcomes. |
| UDLD | Behaviour model | Unidirectional link detection and reset surface. |
| DTP effective mode | Behaviour model | Dynamic desirable/auto ports can resolve to trunk mode for runtime forwarding. |
| BPDU/storm protection | Behaviour model | Blocks or error-disables ports according to config. |
Standards coverage
| Standard | Coverage | Notes |
|---|---|---|
| IEEE 802.1X | Behaviour model | Port authorization concepts. |
| DHCP snooping / port security | Vendor feature | Cisco-style semantics for supported commands. |
| UDLD | Vendor feature | Cisco-style unidirectional link handling. |
Feature matrix
| Feature | Status | Notes |
|---|---|---|
| Secure MAC maximum | Supported | Violation when limit is exceeded. |
| Static secure MAC | Supported | Known MAC allowed on the port. |
| Sticky MAC | Supported | Learns allowed MACs deterministically. |
| Violation protect/restrict/shutdown | Supported | Mode changes forwarding and state outcome. |
| DHCP snooping trust | Supported | Server replies allowed only on trusted ports. |
| Snooping binding table | Supported | Learns client/IP/MAC/port from modelled DHCP. |
| DAI validation | Supported | Spoofed ARP from an untrusted port is dropped when it does not match a binding. |
| Pinned DAI binding | Supported | A spoofer cannot steal another port’s pinned DHCP-snooping binding. |
| IP Source Guard | Supported | Drops packets with no matching port/IP/MAC binding. |
| 802.1X auth state | Supported | Authorized/guest/failure paths. |
| 802.1X guest/fail VLAN | Supported | Auth failure and guest paths can move the effective access VLAN. |
| DTP runtime-effective trunk | Supported | A dynamically negotiated trunk forwards VLAN-tagged frames as trunk traffic. |
| UDLD aggressive | Partial | Outcome modelled; packet detail simplified. |
| Root guard | Supported | Superior BPDU moves the port to root-inconsistent; clear restores forwarding. |
| Storm control | Supported | Broadcast threshold violation can drop or errdisable depending on action. |
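The port-security rows above (secure MAC maximum, static and sticky MACs, protect/restrict/shutdown) describe a small per-port state machine. The following is an added worked example of that state machine written for this page; it is illustration code, not netverdict's implementation. Port names and MAC addresses are constructed, and the semantics are the Cisco IOS ones assumed in the feature matrix: static and sticky MACs count against the maximum, a frame from a MAC that would exceed the maximum is a violation, protect drops silently, restrict drops and counts, and shutdown moves the port to err-disabled.

```python
"""Port-security behaviour model (added illustration, not netverdict code).

Assumed Cisco IOS semantics: static + learned secure MACs count toward
`maximum`; a new MAC beyond the limit is a violation handled by the mode.
Cross-port violations (a secure MAC appearing on another port in the same
VLAN) are deliberately not modelled here.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    sticky: bool = False                 # sticky MACs are written to config on real IOS
    static_macs: set = field(default_factory=set)   # 'switchport port-security mac-address X'
    learned: set = field(default_factory=set)       # dynamic/sticky secure MACs
    errdisabled: bool = False
    violation_count: int = 0
    events: list = field(default_factory=list)      # inspectable state changes

    def secure_macs(self):
        return self.static_macs | self.learned

    def ingress(self, src_mac):
        """Return a verdict string for a frame with source MAC src_mac."""
        if self.errdisabled:
            self.events.append(f"{self.name}: frame from {src_mac} dropped, port err-disabled")
            return "drop:errdisabled"
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            # Room left under the maximum: learn the MAC as a secure address.
            self.learned.add(src_mac)
            kind = "sticky" if self.sticky else "dynamic"
            self.events.append(f"{self.name}: learned {src_mac} ({kind})")
            return "forward"
        # Over the limit: apply the configured violation mode.
        if self.violation == "protect":
            return "drop:protect"                # silent drop, no counter, no log
        self.violation_count += 1
        if self.violation == "restrict":
            self.events.append(f"{self.name}: violation #{self.violation_count} from {src_mac} (restrict)")
            return "drop:restrict"
        self.errdisabled = True
        self.events.append(f"{self.name}: violation from {src_mac}, port err-disabled (shutdown)")
        return "drop:shutdown"


def demo():
    """Same frame sequence through each violation mode: a second MAC shows up on a max-1 port."""
    frames = ["0000.1111.aaaa", "0000.1111.aaaa", "0000.2222.bbbb", "0000.1111.aaaa"]
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(f"Gi0/1-{mode}", maximum=1, violation=mode)
        results[mode] = [port.ingress(m) for m in frames]
    return results


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(f"{mode:9} {verdicts}")
```

The interesting difference is the fourth frame: under protect and restrict the legitimate MAC keeps forwarding after the violation, under shutdown the port stays err-disabled until it is recovered, which is the outcome `show port-security interface` exposes.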
Vendor command matrix
| Command | IOS-style | Junos-style | VyOS-style | Notes |
|---|---|---|---|---|
| switchport port-security | Supported | n/a | Partial | Enables port security. |
| switchport port-security maximum 2 | Supported | n/a | Partial | MAC limit. |
| ip dhcp snooping vlan 10 | Supported | n/a | Partial | Snooping domain. |
| ip dhcp snooping trust | Supported | n/a | Partial | Trusted uplink. |
| ip arp inspection vlan 10 | Supported | n/a | n/a | DAI domain. |
| ip verify source | Supported | n/a | n/a | IP Source Guard. |
| authentication port-control auto | Supported | n/a | Partial | 802.1X. |
| switchport mode dynamic desirable | Supported | n/a | n/a | DTP can resolve runtime trunking. |
| udld port aggressive | Supported | n/a | Partial | UDLD. |
| spanning-tree guard root | Supported | Partial | Partial | Root guard. |
| storm-control broadcast level 1.00 | Supported | Partial | Partial | Broadcast storm threshold. |
| show port-security interface | Supported | n/a | Partial | Security state. |
| show ip dhcp snooping binding | Supported | n/a | Partial | Bindings. |
Behaviour notes
The model is designed to make failure reasons inspectable. A blocked DHCP ACK, a failed DAI lookup, an IP Source Guard drop, a port-security violation, or a failed 802.1X authorization is represented as a state change rather than hidden inside packet noise.

DTP affects the effective runtime switchport mode. A configured dynamic port can forward as a trunk once negotiation resolves that way, even if the configured mode is not literally trunk. That is the switch-spoofing case a review is looking for: an access port left in dynamic desirable or dynamic auto can be negotiated into a trunk by anything that speaks DTP, so the fix is an explicit `switchport mode access` (and `switchport nonegotiate`) rather than reliance on the default.
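The DHCP snooping, DAI and IP Source Guard rows in the feature matrix and the note above about inspectable failure reasons describe one chain: a binding is learned from a DHCP ACK that arrived on a trusted port, and ARP and IP traffic on untrusted or guarded ports is then checked against it. The following is an added worked example of that chain, written for this page and not netverdict's own code. Port names, MACs and addresses are constructed; the semantics assumed are the Cisco IOS ones the matrix describes, with IP Source Guard checking the full port/IP/MAC tuple as the matrix states.

```python
"""DHCP snooping -> DAI -> IP Source Guard chain (added illustration, not netverdict code).

Assumed semantics (Cisco IOS style, as the feature matrix describes them):
  - snooping: OFFER/ACK/NAK accepted only on trusted ports; an ACK creates a
    binding (vlan, mac, ip, client port), pinned to the port the request used
  - DAI: ARP on an untrusted port in a DAI VLAN must match a binding, port included
  - IPSG: IP traffic on a guarded port must match a (port, ip, mac) binding
Every drop comes back as a reason string and goes into the log, so the failure
is a visible state change rather than silent packet loss.
"""
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int


@dataclass
class Switch:
    snooping_vlans: set = field(default_factory=set)
    dai_vlans: set = field(default_factory=set)
    trusted: set = field(default_factory=set)     # trusted for DHCP and DAI
    ipsg_ports: set = field(default_factory=set)  # ports with 'ip verify source'
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)   # (vlan, mac) -> client port
    log: list = field(default_factory=list)

    def _drop(self, reason):
        self.log.append(reason)
        return reason

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP message arriving on `port`; msg is DISCOVER/REQUEST/OFFER/ACK/NAK."""
        if vlan not in self.snooping_vlans:
            return "forward"                      # no snooping: no checks, no bindings
        if msg in ("OFFER", "ACK", "NAK"):        # server-side messages
            if port not in self.trusted:
                return self._drop(f"drop: DHCP {msg} on untrusted {port} (rogue server)")
            if msg == "ACK":
                # Bind the lease to the port the client's request came in on.
                client_port = self.pending.pop((vlan, client_mac), None)
                if client_port is not None:
                    self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, client_port, vlan)
                    self.log.append(f"binding: vlan {vlan} {client_mac} {yiaddr} {client_port}")
            return "forward"
        self.pending[(vlan, client_mac)] = port   # client-side message
        return "forward"

    def _bound(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection on untrusted ports in DAI-enabled VLANs."""
        if vlan not in self.dai_vlans or port in self.trusted:
            return "forward"
        if self._bound(port, vlan, sender_mac, sender_ip):
            return "forward"
        return self._drop(f"drop: DAI {port} vlan {vlan} {sender_mac}/{sender_ip} has no matching binding")

    def ip(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: guarded ports forward only bound (port, ip, mac) tuples."""
        if port not in self.ipsg_ports:
            return "forward"
        if self._bound(port, vlan, src_mac, src_ip):
            return "forward"
        return self._drop(f"drop: IPSG {port} {src_mac}/{src_ip} has no binding")


def scenario():
    """Constructed walk-through: one legitimate client on Gi0/1, one hostile port Gi0/2."""
    sw = Switch(snooping_vlans={10}, dai_vlans={10}, trusted={"Gi0/24"},
                ipsg_ports={"Gi0/1", "Gi0/2"})
    out = {}
    # A rogue server on untrusted Gi0/2 tries to hand out addresses.
    out["rogue_offer"] = sw.dhcp("Gi0/2", 10, "OFFER", "0000.1111.aaaa", "10.0.10.99")
    # The real exchange: client on Gi0/1, server behind the trusted uplink Gi0/24.
    sw.dhcp("Gi0/1", 10, "DISCOVER", "0000.1111.aaaa")
    out["ack"] = sw.dhcp("Gi0/24", 10, "ACK", "0000.1111.aaaa", "10.0.10.50")
    # The client's own ARP and IP traffic matches its binding.
    out["arp_ok"] = sw.arp("Gi0/1", 10, "0000.1111.aaaa", "10.0.10.50")
    out["ip_ok"] = sw.ip("Gi0/1", 10, "0000.1111.aaaa", "10.0.10.50")
    # Gi0/2 claims the gateway address in ARP: no binding, DAI drops it.
    out["arp_spoof"] = sw.arp("Gi0/2", 10, "0000.2222.bbbb", "10.0.10.1")
    # Gi0/2 replays Gi0/1's exact MAC/IP pair: the binding is pinned to Gi0/1, still dropped.
    out["arp_steal"] = sw.arp("Gi0/2", 10, "0000.1111.aaaa", "10.0.10.50")
    # Gi0/2 sends IP from a statically configured address it never leased.
    out["ip_static"] = sw.ip("Gi0/2", 10, "0000.2222.bbbb", "10.0.10.77")
    return out, sw


if __name__ == "__main__":
    results, switch = scenario()
    for name, verdict in results.items():
        print(f"{name:12} {verdict}")
    print("\n".join(switch.log))
```

The `arp_steal` case is the "pinned DAI binding" row: the attacker has the right MAC and IP, and is still dropped because the binding names a different port. The `rogue_offer` case is the reason the uplink, and only the uplink, is marked `ip dhcp snooping trust`.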
Examples
Canonical example

```
configure terminal
! Snooping on globally and for the access VLAN; bindings are learned from ACKs
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ! Fixed access mode: IOS rejects port-security on a DTP-dynamic port
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ip verify source
 authentication port-control auto
interface GigabitEthernet0/24
 ! Uplink toward the DHCP server; server replies are accepted only here
 ip dhcp snooping trust
end
show port-security interface GigabitEthernet0/1
show ip dhcp snooping binding
```

Vendor styles
IOS-style
```
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ! Access mode first: port-security is rejected on a DTP-dynamic port
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ip verify source
 authentication port-control auto
```

Junos-style
```
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 1
set access radius-server 192.0.2.20 secret lab
set protocols dot1x authenticator interface ge-0/0/1.0
```

VyOS-style
```
set service dhcp-server global-parameters 'authoritative;'
set interfaces ethernet eth1 switch-port port-security maximum 1
```

Known limits
Full RADIUS packet exchange, downloadable ACLs, DHCP option edge cases, device-sensor profiling, DTP packet byte fidelity, and vendor error-disable recovery timers are not modelled in depth.