10.3
Policy Configuration
10.3.1 Policy in the access layer
The access layer is the entry point for users to access the network. Cable connections are generally pulled from an access layer switch to offices and cubicles within a company. For this reason, the network devices at the access layer are the most physically vulnerable. Anyone can plug a station into an access-layer switch. Several precautions should be taken at the access layer:
  • Port security - limit the Media Access Control (MAC) addresses that are allowed to use the switch to prevent unauthorized users from gaining access to the network.
  • VLAN management - Every port belongs to VLAN 1 by default, and VLAN 1 has traditionally also been the management VLAN, so a station plugged into a port that was never configured lands directly in the management VLAN of the switch block. Move the management VLAN to a dedicated VLAN (VLAN 1 cannot be deleted on a Catalyst switch, so leave it empty rather than try to remove it) so that an unconfigured port no longer gives a station access to the management interfaces of the switch.

Port security is a feature of Catalyst switches that lets a switch block input from a port when the source MAC address of a station on that port differs from the address that is configured or learned as secure. When a port receives a frame, it compares the source address of the frame with the secure source address(es) it holds. If there is no match, the port is disabled and its LED turns orange.

By default, a switch allows any MAC address to send through any port; it leaves access control to other layers, such as file-server operating systems and applications. Port security lets the network administrator bind a set of MAC addresses to a port. Once port security is enabled, only the explicitly allowed MAC addresses can use the port. A MAC address can be allowed as follows:

  • Static assignment of the MAC address - The network administrator enters the MAC address when port security is configured. This is the more secure of the two methods, but it is harder to manage, because every move or hardware replacement requires a configuration change.
  • Dynamic learning of the MAC address - If no MAC address is specified, the port learns one: the first source MAC address seen on the port becomes the secure MAC address.

Use the following commands to enable and verify port security on a set command-based switch.

Switch> (enable) set port security mod_num/port_num enable [mac_addr]

Switch> (enable) show port mod_num/port_num

Use the following commands to enable and verify port security on a Cisco IOS command-based switch.

Switch(config-if)#port security [max-mac-count maximum-mac-count]

Switch#show mac-address-table security [type module/port]

The port security max-mac-count command lets the network administrator set the maximum number of MAC addresses that the port will accept as secure. The value can range from 1 to 132; the default is 132, which gives little protection on a port meant for a single workstation. The example in the accompanying figure sets the maximum to 1.

Further, on a Cisco IOS command-based switch, you can specify what action the switch takes on a security violation. For example, to shut the port down when a violation occurs, issue the following command:

Switch(config-if)#port security action shutdown
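The commands above use the older 2900XL/3500XL form of the IOS syntax. The following is an added example, not taken from the original text, that applies both access-layer precautions from this section (management off VLAN 1, port security on user ports) using the switchport port-security syntax of current Catalyst IOS. VLAN numbers, interface numbers, the 10.99.0.10 management address and the MAC address 0000.0c12.3456 are assumptions chosen for illustration.

```cisco
! Added example (not from the original text): access-layer hardening on a
! current Catalyst IOS switch. VLAN/interface numbers, the management IP and
! the MAC address below are placeholders.
!
! 1. Move management off VLAN 1. Only the management SVI lives in VLAN 99;
!    VLAN 1 keeps no IP address, so a station on an unconfigured port cannot
!    reach the switch's management plane.
vlan 99
 name MGMT
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 10.99.0.10 255.255.255.0
 no shutdown
!
! 2. Unused ports: shut down and parked in an otherwise unused VLAN, so a
!    station plugged into one gets nothing until an administrator enables it.
vlan 999
 name UNUSED
!
interface range GigabitEthernet1/0/21 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 3. User-facing access ports: dynamic learning (the first MAC seen becomes
!    the secure MAC), one address per port, shutdown (err-disable) on
!    violation. "sticky" copies the learned address into the running-config
!    so it survives a link flap and can be saved with "write memory".
interface range GigabitEthernet1/0/1 - 19
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! 4. Static assignment (the more secure, harder-to-manage option from the
!    text), e.g. a printer whose MAC address is known in advance.
interface GigabitEthernet1/0/20
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0000.0c12.3456
!
! 5. Optional: bring an err-disabled port back up automatically after 5
!    minutes instead of requiring a manual "shutdown" / "no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify with show port-security (per-port counts and violation mode), show port-security address (the secure MAC table), show port-security interface GigabitEthernet1/0/1 (state and last source address on one port) and show interfaces status err-disabled. Without the errdisable recovery lines, a port shut down by a violation stays err-disabled until an administrator issues shutdown followed by no shutdown on it; that is the safe default, but plan for the helpdesk calls it will generate when a user swaps a laptop on a port with maximum 1.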