14.9.11 Packet Tracer - Layer 2 VLAN Security

The best router ACL in the world is useless if an attacker can sit on your switch and sniff everything. That's where Layer 2 security comes in. It's the often-overlooked foundation of network defense.

Cisco's Packet Tracer activity 14.9.11 is an excellent, hands-on lab that forces you to think like both a network admin and a hacker. It focuses on three critical classes of Layer 2 attack and their mitigations: MAC flooding, VLAN hopping (switch spoofing and double tagging), and DHCP abuse (rogue servers and DHCP starvation).

Let's break down what this lab teaches and why it matters in the real world. Imagine you are responsible for a corporate network. Users are in VLAN 10 (Employees) and VLAN 20 (Guests). The lab presents a simple topology: one multilayer switch (distribution), one Layer 2 switch (access), and a few PCs.

Step 1: Port Security (MAC Flooding Defense)

The Threat: A switch learns source MAC addresses into its CAM table. If an attacker floods a port with frames from thousands of forged source MACs, the table fills up and the switch falls back to flooding unknown-unicast traffic out every port in the VLAN, so the attacker now sees frames meant for other hosts.

On the access ports connecting to end devices (Fa0/1, Fa0/2, etc.), you need to lock down the MAC addresses: limit how many MACs the port may learn and decide what happens when that limit is exceeded.

Step 2: Disable DTP (Switch Spoofing Defense)

The Threat: Cisco ports that are left in a dynamic DTP mode will negotiate a trunk with any neighbor that speaks DTP. An attacker's host that does so becomes a trunk and receives traffic for every VLAN carried on it.

On any port that should not be a trunk (i.e., all end-user ports), explicitly make it an access port and stop it from generating DTP frames (`switchport mode access` plus `switchport nonegotiate`, as in the summary table). The uplink toward the distribution switch is the one port that should be a trunk, and it is configured statically, with negotiation disabled as well:

```
interface g0/1
 switchport mode trunk
 switchport nonegotiate
```

If a port is for a user, it should be an access port, period. Don't let devices negotiate their way into privilege.

Step 3: Changing the Native VLAN (Double Tagging Defense)

The Threat: In a double-tagging attack, the attacker sends a frame with two 802.1Q tags. The first (outer) tag carries the trunk's native VLAN ID, so the first switch strips it and forwards the frame untagged over the trunk. The second (inner) tag, say VLAN 10, is then visible to the next switch, potentially letting the attacker hop into a restricted VLAN. The attack only works when the attacker's access port sits in the native VLAN of the trunk, and it is one-way: the attacker can inject into VLAN 10 but gets no replies.

Instead of using VLAN 1 (the default native VLAN), change it to, for example, VLAN 999, and make sure no access port is ever assigned to that VLAN. With no host in the native VLAN, there is nobody positioned to launch the attack.

Step 4: DHCP Snooping (Rogue DHCP and Starvation Defense)

```
ip dhcp snooping
ip dhcp snooping vlan 10,20
interface g0/1
 ip dhcp snooping trust
interface range fa0/1-24
 ip dhcp snooping limit rate 10
 no ip dhcp snooping trust
```

Now, only the uplink port can send DHCP Offer/ACK messages. Server-side messages arriving on any untrusted access port are dropped, so a rogue server plugged into a user port is ignored. The rate limit of 10 DHCP packets per second caps how fast a single host can fire off Discover/Request messages, which blunts DHCP starvation; a port that exceeds the limit is put into err-disabled state, so tune the number to what your clients actually need. One practical gotcha: snooping inserts DHCP option 82 (relay agent information) into client requests by default, and a DHCP server that is not expecting relayed requests (an IOS router acting as the server, for instance) will drop them, so clients stop getting leases; disable option 82 insertion unless you are deliberately using it.

Summary

| Threat | Mitigation |
| :--- | :--- |
| MAC Flooding | Port Security |
| VLAN Hopping (DTP) | switchport mode access / nonegotiate |
| Double Tagging | Non-default native VLAN |
| Rogue DHCP | DHCP Snooping |

Key takeaways:

- Lock down end-user ports with port security.
- Disable DTP and set trunking manually.
- Move the native VLAN to an unused, "dead-end" VLAN.
- Trust DHCP server traffic only on the uplink, and rate-limit it everywhere else.

Packet Tracer 14.9.11 is not just about passing a skills exam: it's about building an operator mindset.

Happy (secure) switching.
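To tie the four steps together, here is a complete access-switch configuration for the lab topology. This is an added example, not the lab's answer key or Cisco's reference solution. It assumes the access switch is a 2960-class Layer 2 switch, VLAN 10 is Employees, VLAN 20 is Guests, Fa0/1-24 are end-user ports, G0/1 is the uplink trunk toward the multilayer switch, and VLAN 999 is otherwise unused; the sticky-MAC and shutdown-on-violation choices for port security, and the option 82 setting, are this example's choices rather than anything the lab mandates.

```cisco
! Access switch hardening for the 14.9.11 topology (added example, not the
! lab's answer key). Assumptions: VLAN 10 = Employees, VLAN 20 = Guests,
! Fa0/1-24 = end-user ports, G0/1 = uplink trunk, VLAN 999 = unused.
!
! Step 3: create the dead-end native VLAN. Never assign a host port to it.
vlan 999
 name NATIVE_DEADEND
!
! Step 2: the uplink is a static trunk with DTP off and the native VLAN moved
! off VLAN 1. On a 3560/multilayer switch add
! 'switchport trunk encapsulation dot1q' before 'switchport mode trunk'.
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 ! Step 4: the only port allowed to deliver DHCP Offer/ACK/NAK
 ip dhcp snooping trust
!
! Steps 1, 2 and 4 on every end-user port. Order matters: IOS rejects
! 'switchport port-security' on a port still in dynamic mode, so
! 'switchport mode access' must come first. Guest ports get VLAN 20 the
! same way (assumed here: all 24 ports start in VLAN 10).
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! Step 1: one learned MAC, remembered across reloads, port shut on violation
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! Step 4: never trust DHCP server replies here; cap client DHCP rate.
 ! Exceeding the limit err-disables the port, so size it for real clients.
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 10
!
! Step 4: enable snooping globally and for the user VLANs. Option 82
! insertion is on by default and makes a DHCP server that is not expecting
! relayed requests (e.g. an IOS router) drop them; this example turns it off.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
!
! Verification (run from privileged EXEC after applying the above):
!   show port-security interface FastEthernet0/1
!   show interfaces GigabitEthernet0/1 switchport
!       (expect Operational Mode: trunk, Negotiation of Trunking: Off,
!        Trunking Native Mode VLAN: 999)
!   show interfaces trunk
!   show ip dhcp snooping
!   show ip dhcp snooping binding
end
```

A quick sanity check after applying this: plug a PC into Fa0/1, let it get a lease, and confirm its MAC shows up both in `show port-security interface FastEthernet0/1` (as a sticky address) and in `show ip dhcp snooping binding`; if the binding table stays empty while the client still gets an address, snooping is not actually enabled for that VLAN.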