I need confirmation on a question regarding layer 2 security. I've been doing research and I just need to know that I understand it correctly.
Basically, if you have a LAN with a few machines connected to a switch, and those machines are broadcasting LLDP or ARP or something like that, is it true that those broadcasted packets will never escape the LAN (sans faulty software in the switch or machines and things of that nature)?
I know this is a basic question, but I haven't been able to find a direct answer to it and am hoping someone could just give a really brief one. Thanks!
Well, for the most part you are right. Under proper configuration/normal operation all layer two traffic should not be able to "escape" the VLAN where it is generated.
There are some scenarios (VLAN hopping and DTP negotiation come to mind) where the traffic can leak to other VLANs without first going through a layer 3 device (a.k.a. router).
With "VLAN hopping", if the native VLAN ID of a trunk is the same as the VLAN ID assigned to the switch port where the host generating the traffic is located, then he or she can double 802.1Q-tag its traffic, and this traffic will "appear" at the other end of the trunk on a VLAN different from the one where it originated.
This is the reason why a good operational procedure is to never use VLAN 1 for your access ports (by default the native VLAN of a trunk is 1). Another good operational procedure is to assign a unique native VLAN ID for trunks and then configure each and every trunk in your organization with this unique, trunk-only VLAN ID.
You may want to take a look at this article
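To make the double-tagging mechanics in the answer above concrete, here is a small simulation written for this page (it is not code from the thread or from any switch vendor). It models only the two forwarding rules the attack depends on: a trunk sends frames of its native VLAN untagged and classifies untagged arrivals into the native VLAN, and an access port accepts a tagged frame only when the tag equals the port's own VLAN (an assumed, simplified switch behaviour; real platforms differ). The MAC addresses and payload are constructed sample data. The `hop()` function reports which VLAN the far-end switch delivers the attacker's frame to, first with the weak default (access port and native VLAN both 1) and then with the mitigation from the answer (access VLAN 10, trunk-only native VLAN 999).

```python
"""Toy model of 802.1Q double-tagging (VLAN hopping) across one trunk.

Added example, not part of the original thread. Only the rules the attack
relies on are modelled; MAC learning, STP and DTP are left out.
"""
import struct

TPID = 0x8100          # 802.1Q tag protocol identifier
ETH_IP = 0x0800        # EtherType used for the (constructed) payload


def tag(vid: int) -> bytes:
    """One 802.1Q tag: TPID followed by TCI (PCP/DEI zero, 12-bit VID)."""
    return struct.pack("!HH", TPID, vid & 0x0FFF)


def build_frame(dst: bytes, src: bytes, vids, ethertype=ETH_IP, payload=b"") -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    return dst + src + b"".join(tag(v) for v in vids) + struct.pack("!H", ethertype) + payload


def outer_tag(frame: bytes):
    """Outermost VID of a frame, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID else None


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + tag(vid) + frame[12:]


def access_ingress(frame: bytes, port_vlan: int):
    """Classify a frame arriving on an access port: (vlan, frame) or None if dropped."""
    vid = outer_tag(frame)
    if vid is None:
        return port_vlan, frame
    if vid == port_vlan:              # assumed: a tag equal to the access VLAN is accepted
        return port_vlan, strip_outer_tag(frame)
    return None                       # tag for a foreign VLAN: dropped at the access port


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, allowed):
    """Send out a trunk: native VLAN leaves untagged, every other VLAN gets a tag."""
    if vlan not in allowed:
        return None
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int, allowed):
    """Classify a frame arriving on a trunk: untagged means native VLAN."""
    vid = outer_tag(frame)
    if vid is None:
        return native_vlan, frame
    if vid in allowed:
        return vid, strip_outer_tag(frame)
    return None


def hop(access_vlan: int, native_vlan: int, outer_vid: int, inner_vid: int,
        allowed=frozenset(range(1, 4095))):
    """VLAN on which the far switch delivers the attacker's frame (None = dropped).

    The attacker sits on an access port in `access_vlan` and sends a frame
    tagged [outer_vid, inner_vid]; `native_vlan` is the trunk's native VLAN.
    """
    dst = bytes.fromhex("ffffffffffff")           # constructed: broadcast
    src = bytes.fromhex("02aabbccdd01")           # constructed: attacker MAC
    frame = build_frame(dst, src, [outer_vid, inner_vid], payload=b"constructed")

    r = access_ingress(frame, access_vlan)        # switch 1, attacker's access port
    if r is None:
        return None
    vlan, frame = r
    frame = trunk_egress(vlan, frame, native_vlan, allowed)   # switch 1 -> trunk
    if frame is None:
        return None
    r = trunk_ingress(frame, native_vlan, allowed)            # trunk -> switch 2
    return None if r is None else r[0]


if __name__ == "__main__":
    # Default: access port in VLAN 1, native VLAN 1 -> frame lands in VLAN 20.
    print("weak   (access 1, native 1,   tags [1, 20]):  ", hop(1, 1, 1, 20))
    # Mitigation: access VLAN 10, trunk-only native VLAN 999.
    print("fixed  (access 10, native 999, tags [10, 20]):", hop(10, 999, 10, 20))
    print("fixed  (access 10, native 999, tags [999, 20]):", hop(10, 999, 999, 20))
```

In the weak case the first switch strips the outer tag (VLAN 1 is native, so it leaves the trunk untagged) and the second switch reads the surviving inner tag as a legitimate VLAN 20 frame. With a dedicated native VLAN the attacker's frame either keeps a tag for its own VLAN across the trunk or, if the attacker guesses the native VLAN ID, is discarded at the access port because the tag does not match the port's VLAN. On Cisco IOS the corresponding settings are `switchport access vlan 10` on the access port and `switchport trunk native vlan 999` on every trunk; that command pairing is the answer's recommendation, the numbers are illustrative.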
Agreed, with a secure configuration and no software on the hosts relaying such traffic, broadcast traffic should be confined within a VLAN on a switched network.
Another good reference on layer 2 security issues and mitigation techniques:
SAFE Layer 2 Security In-Depth (Cisco White Paper)