One of the easiest ways to secure a network is to make sure you have some simple security features enabled on switch ports to which your end users connect. Properly securing switch access ports is fairly straightforward, but some techniques are often overlooked. In this guide, I'll discuss a few ways to protect your network by restricting access to users and devices you want connected to your access switches. Most enterprise-class switches have identical or similar port security features. So while the examples in this guide uses a Cisco switch, switches from other vendors can be configured in a similar manner.
One general bit of advice regarding the configuration of switch ports and VLANs on a production network: The default VLAN 1 should not be used for data transport. There are several reasons for this, but the primary reason is that VLAN 1 was meant to transport switch management communications between devices such as CDP, PAgP and VTP. I recommend this communication be separated from any user data running across the switch.
In this guide, I'll describe four different access-port configuration options to show how they provide added security benefits, and explain how to configure them. While these configurations don’t guarantee that your network will be completely safe from malicious or unauthorized behavior at the access-layer, they certainly help close some common security gaps. The concepts I'll cover are:
- The purpose for configuring access-only switch ports
- Why enabling BPDU guard will protect against unauthorized network devices
- How port security can restrict unauthorized end devices
- How to handle unused switch ports
Let’s get started.
NEXT PAGE: Access-only switch ports