Network Computing is part of the Informa Tech Division of Informa PLC


How to Secure Access Switch Ports: Page 2 of 4

The purpose for configuring access-only switch ports

By default, access switch ports are in a dynamic-desirable mode. In this mode the port listens for whatever connects to it and then becomes either an access port or a trunk port, depending on the negotiation messages (Dynamic Trunking Protocol, DTP) it receives from the neighboring device or switch. If the switch port is intended to only allow end devices and not switches, I strongly advise configuring the port specifically as an access-only port. That way, if a switch is either intentionally or unintentionally connected to that port, it cannot build a trunk that transports multiple VLANs. Only one VLAN is allowed to be configured on an access port.

The one caveat is the ability to configure both a data and a voice VLAN. This scenario involves an IP phone connecting to the switch first, then the phone connecting to a PC. Typically voice VLANs are separate from data VLANs and the access mode allows for this.

In the example below, I configure two VLANs. VLAN 15 is our data VLAN and VLAN 25 is our voice VLAN. I then configure port 1/0/10 as an access-only port and configure the data and voice VLANs accordingly.

switchport mode access


Why enabling BPDU guard will protect against unauthorized network devices

Bridge Protocol Data Units (BPDUs) are messages exchanged between switches that communicate and negotiate Spanning Tree Protocol (STP) settings. If the ports you are configuring should never have another switch attached to them, it's beneficial to enable BPDU guard. If a switch is connected to a port that is configured for BPDU guard, as soon as BPDUs are seen on the interface, the port is shut down and placed into the error-disabled (err-disabled) state. Not only does this prevent unauthorized network devices from connecting, it also prevents the possibility of an STP loop, which can severely impact data transport. The example below shows how to enable BPDU guard on port 1/0/10.

spanning-tree bpduguard enable
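The two steps above (locking port 1/0/10 to access mode with data and voice VLANs, then enabling BPDU guard on it) combined into one complete configuration, as an added example that is not the article's own listing. It assumes a Cisco IOS Catalyst switch, that port 1/0/10 is a GigabitEthernet interface, and that the operator wants automatic err-disable recovery; the VLAN names, description and recovery interval are constructed values.

```cisco
! Added example; assumes Cisco IOS on a Catalyst switch. The interface type
! (GigabitEthernet) for port 1/0/10 is an assumption, as are the VLAN names.
!
! Create the data and voice VLANs used in the article.
vlan 15
 name DATA
vlan 25
 name VOICE
!
interface GigabitEthernet1/0/10
 description Access port - IP phone with a PC behind it (constructed)
 ! Lock the port to access mode so DTP can never negotiate a trunk.
 switchport mode access
 switchport access vlan 15
 switchport voice vlan 25
 ! Also stop the port from sending DTP frames at all.
 switchport nonegotiate
 ! Edge port: skip STP listening/learning for the attached end device.
 spanning-tree portfast
 ! BPDU guard: err-disable the port the moment a BPDU is received,
 ! i.e. the moment a switch (or anything speaking STP) is plugged in.
 spanning-tree bpduguard enable
!
! Optional (assumption: auto-recovery is wanted). Without this, an
! err-disabled port stays down until an operator does "shutdown" /
! "no shutdown" on it.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (privileged EXEC):
!  show interfaces GigabitEthernet1/0/10 switchport
!      -> "Administrative Mode: static access", access VLAN 15, voice VLAN 25
!  show spanning-tree interface GigabitEthernet1/0/10 detail
!      -> "Bpdu guard is enabled"
!  show interfaces status err-disabled
!      -> lists any port BPDU guard has shut down, with reason "bpduguard"
```

Instead of enabling BPDU guard per interface, `spanning-tree portfast bpduguard default` in global configuration applies it to every PortFast-enabled port; the per-interface form above is still useful when only some edge ports should get it.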

