What control is likely recommended for restricting access to certain network segments using data-link layer security?

Prepare for the CompTIA Security+ SY0-601 exam.

The recommended control for restricting access to certain network segments using data-link layer security is based on the use of MAC (Media Access Control) addresses. MAC addresses are unique identifiers assigned to network interfaces for communications on the physical network segment. By implementing MAC address filtering, network administrators can define which devices are allowed access to a specific network segment and which are not.

This control operates at the data-link layer (Layer 2) of the OSI model, where it can specifically allow or deny traffic based on the MAC address of devices attempting to connect. This approach is effective in scenarios where you want to limit access to physical network segments based on the device's MAC address, ensuring that only authorized devices can communicate on that part of the network.

Other options, such as ACLs (Access Control Lists), usually operate at higher layers and are not focused solely on the data-link layer, making them less applicable in this specific context. BPDUs (Bridge Protocol Data Units) are related to maintaining loop-free topologies in networks and do not serve the purpose of access control in the same way. ARP (Address Resolution Protocol) is used for mapping IP addresses to MAC addresses but is not a control mechanism for restricting access. Therefore, using MAC addresses aligns perfectly with restricting access
