Access Layer Policy
The access layer is the entry point for users to access the network. Cable drops are
generally pulled from an access layer switch to offices and cubicles in a company. For this
reason, the network devices of the access layer are the most physically vulnerable. Anyone can
plug a station into an access layer switch.
You should take a couple of precautions at the access layer, including
• Port security—Limit the Media Access Control (MAC) addresses allowed to use the
switch to prevent unauthorized users from gaining access to the network at all.
• VLAN management—The default VLAN of all ports is VLAN1. VLAN1 is traditionally
the management VLAN. This means that users entering the network on ports that were not
configured would be in the management VLAN of the switch block. Cisco recommends
that the management VLAN be moved to another VLAN to prevent users from entering
the network on VLAN1 on an unconfigured port.
Example 12-7 Configuring HTTP Access
Router3(config)#access-list 1 permit 192.168.10.7
Router3(config)#ip http server
Router3(config)#ip http access-class 1
Router3(config)#ip http authentication local
Router3(config)#username student password cisco
Access Layer Port Security
Port security is a feature of the Cisco Catalyst switches that allows the switch to block input
from a port when the MAC address of a station attempting to access the port is different from
the configured MAC address. This situation is referred to as a MAC address lockdown.
When a port receives a frame, the port compares the source address of the frame to the secure
source address that was originally learned by the port. If the addresses do not match, the port is
disabled and the LED for the port turns orange.
Port security cannot be applied to trunk ports, where addresses may change frequently. Not all
hardware supports port security. Check with your documentation or Cisco Connection Online
(CCO) to see if your hardware supports this feature.
Configuring Port Security at the Access Layer
By default, the switch allows all MAC addresses to access the network. For network security
purposes, the switch relies on mechanisms such as file server operating systems and applications.
Port security allows a network administrator to configure a set of allowed devices or MAC
addresses to provide additional security. If port security is enabled, only the MAC addresses
that are explicitly allowed can use the port. A MAC address can be allowed as follows:
• Static assignment of the MAC address—The network administrator can code the MAC
address when port security is assigned. This method is the more secure of the two options;
however, it is difficult to manage.
• Dynamic learning of the MAC address—If the MAC address is not specified, the port
turns on learning for security. The first MAC address seen on the port becomes the secure
MAC address.
Enabling and Verifying Port Security Using the set CLI on set Command-Based Switches
Use the following commands to enable and verify port security on a set command-based
switch:
Switch (enable) set port security mod_num/port_num…enable mac address
Switch (enable) show port mod_num/port_num
For example, consider the setup in Figure 12-5.
408 Chapter 12: Controlling Access in the Campus Environment
Figure 12-5 Enabling and Verifying Port Security
Example 12-8 demonstrates how to enable and then verify port security for the set command-based
switch in Figure 12-5.
Enabling and Verifying Port Security on Cisco IOS Command-Based Switches
Use the following commands to enable and verify port security on Cisco IOS command-based
switches:
Switch(config-if)#port secure [max-mac-count maximum-MAC-count]
Switch#show mac-address-table security [type module/port]
The port secure max-mac-count command allows the network administrator to define the
maximum number of MAC addresses that can be supported by this port. The maximum number
can range from 1 to 132. The default value is 132.
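The following simulation is an added example, not Cisco code and not part of the original chapter. It models the port security behaviour described above: a port holds a set of secure source MAC addresses, either coded by the administrator (static assignment) or learned from the first frames seen when no address was specified (dynamic learning, bounded by max-mac-count, whose 1 to 132 range and default of 132 are taken from the text). A frame from any other source address disables the port. The port names, traffic and the decision to turn learning off whenever a static address is configured are modelling assumptions; the station address 02-60-8c-12-34-56 is the one used in Figure 12-5 and Example 12-8.

```python
"""Simulation of Catalyst-style port security (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_MAC_COUNT_DEFAULT = 132   # default and upper bound of max-mac-count quoted in the text


def normalize_mac(mac: str) -> str:
    """Canonicalize 02-60-8c-12-34-56, 02:60:8C:12:34:56 or 0260.8c12.3456 to dashed lowercase."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class SecurePort:
    name: str                                            # e.g. "4/1"
    static_macs: Set[str] = field(default_factory=set)   # addresses coded by the administrator
    max_mac_count: int = MAX_MAC_COUNT_DEFAULT           # bound for dynamic learning only
    secure_macs: Set[str] = field(init=False, default_factory=set)
    learning: bool = field(init=False, default=False)
    enabled: bool = field(init=False, default=True)
    last_src: Optional[str] = field(init=False, default=None)
    violations: List[str] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.max_mac_count <= MAX_MAC_COUNT_DEFAULT:
            raise ValueError("max-mac-count must be between 1 and 132")
        self.secure_macs = {normalize_mac(m) for m in self.static_macs}
        # Modelling assumption: learning is on only when no address was specified (as the text states).
        self.learning = not self.secure_macs

    def receive(self, src_mac: str) -> bool:
        """Process one inbound frame; return True if it is forwarded, False if it is blocked."""
        if not self.enabled:
            return False                                 # a disabled port accepts nothing
        src = normalize_mac(src_mac)
        self.last_src = src
        if src in self.secure_macs:
            return True
        if self.learning and len(self.secure_macs) < self.max_mac_count:
            self.secure_macs.add(src)                    # first unseen address(es) become secure
            return True
        self.enabled = False                             # mismatch: MAC address lockdown, port shut down
        self.violations.append(src)
        return False

    def show(self) -> Dict[str, str]:
        """Columns in the spirit of 'show port' on a set command-based switch."""
        return {
            "Port": self.name,
            "Security": "enabled",
            "Secure-Src-Addr": ",".join(sorted(self.secure_macs)) or "-",
            "Last-Src-Addr": self.last_src or "-",
            "Shutdown": "no" if self.enabled else "yes",
        }


def run_frames(port: SecurePort, sources: List[str]) -> List[bool]:
    """Feed a sequence of frame source MACs to the port and return the per-frame decisions."""
    return [port.receive(src) for src in sources]


if __name__ == "__main__":
    # Constructed traffic: the Figure 12-5 station, then an unknown station plugged into the same port.
    port = SecurePort("4/1", static_macs={"02-60-8c-12-34-56"})
    print(run_frames(port, ["02:60:8C:12:34:56", "00-11-22-33-44-55", "02-60-8c-12-34-56"]))
    print(port.show())
```

The third frame in the demo is dropped even though it comes from the legitimate station: once a violation has disabled the port, nothing passes until an administrator re-enables it, which is the operational cost the text alludes to when it calls static assignment difficult to manage.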
Distribution Layer Policy
Most of the access control policy will be implemented at the distribution layer. This layer is also
responsible for ensuring that data stays in the switch block unless that data is specifically
permitted outside of the switch block. This layer is also responsible for sending the correct
routing and service information to the core.
A good policy at the distribution layer ensures that the core block or the WAN blocks are not
burdened with traffic that has not been explicitly permitted. A distribution layer policy also
protects the core and the other switch blocks from receiving incorrect information, such as
incorrect routes, that may harm the rest of the network.
Example 12-8 Enabling/Verifying Port Security on a set Command-Based Switch
Switch (enable) set port security enable 4/1 02-60-8c-12-34-56
Switch (enable) show port 4/1
Port  Security Secure Src-address Last Src-address  Shutdown Trap IF-index
----- -------- ------------------ ----------------- -------- ---- --------
4/1   enabled  02-60-8c-12-34-56  02-60-8c-12-34-56 no            270
Access control at the distribution layer falls into three different categories:
• Defining which user traffic makes it between VLANs and thus ultimately to the core. This
control can be done in the form of an access list applied to an interface to permit only
certain data to pass through.
• Defining which routes are seen by the core block and the switch block. This control can
be done through the use of distribution lists to prevent routes from being advertised to the
core.
• Defining which services the switch block will advertise out to the rest of the network.
Service control could also be used to define how the network finds the server-aggregation
block in order to get services like Dynamic Host Configuration Protocol (DHCP) and Domain
Name System (DNS).
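Both the access-class in Example 12-7 and the interface access list described in the first category above rest on the same standard access list semantics. The evaluator below is an added example, not Cisco code and not part of the chapter: it parses numbered standard access-list lines, tests entries top to bottom, stops at the first match, and denies a source that matches no entry (the implicit deny at the end of every list). Wildcard masks are handled as the inverse of subnet masks, a 1 bit meaning "don't care". The single entry for access-list 1 is taken from Example 12-7; the access-list 10 entries and their 10.1.0.0 addressing are constructed for illustration.

```python
"""Evaluator for Cisco-style numbered standard IP access lists (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

ACLEntry = Tuple[str, str, str]   # (action, base address, wildcard mask)


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base in every bit position where the wildcard bit is 0."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


class StandardACL:
    """A numbered standard access list: matches on source address only."""

    def __init__(self, number: int) -> None:
        self.number = number
        self.entries: List[ACLEntry] = []

    def add(self, line: str) -> None:
        """Parse one 'access-list N permit|deny <source> [wildcard]' line; host/any keywords accepted."""
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != str(self.number):
            raise ValueError(f"not an entry of access-list {self.number}: {line!r}")
        action, rest = tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        if rest == ["any"]:
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif len(rest) == 2 and rest[0] == "host":
            base, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            base, wildcard = rest[0], "0.0.0.0"          # a bare address means a single host
        elif len(rest) == 2:
            base, wildcard = rest[0], rest[1]
        else:
            raise ValueError(f"cannot parse source in {line!r}")
        ipaddress.IPv4Address(base)                      # validate both fields before accepting
        ipaddress.IPv4Address(wildcard)
        self.entries.append((action, base, wildcard))

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """Return (decision, index of the matching entry); index None means the implicit deny fired."""
        for index, (action, base, wildcard) in enumerate(self.entries):
            if wildcard_match(src, base, wildcard):
                return action, index
        return "deny", None


def build_acl(number: int, lines: List[str]) -> StandardACL:
    acl = StandardACL(number)
    for line in lines:
        acl.add(line)
    return acl


def filter_sources(acl: StandardACL, sources: List[str]) -> Dict[str, str]:
    """Decide each source address against the list, as an interface filter or access-class would."""
    return {src: acl.evaluate(src)[0] for src in sources}


# The entry from Example 12-7: only this management station may reach the router's HTTP server.
HTTP_ACL_LINES = ["access-list 1 permit 192.168.10.7"]

# Constructed distribution-layer filter (hypothetical addressing, not from the chapter):
# keep one user VLAN inside the switch block and let the rest of the block's 10.1.0.0/16 out.
VLAN_ACL_LINES = [
    "access-list 10 deny 10.1.20.0 0.0.0.255",
    "access-list 10 permit 10.1.0.0 0.0.255.255",
]

if __name__ == "__main__":
    print(filter_sources(build_acl(1, HTTP_ACL_LINES), ["192.168.10.7", "192.168.10.8"]))
    print(filter_sources(build_acl(10, VLAN_ACL_LINES), ["10.1.20.5", "10.1.30.5", "10.2.0.1"]))
```

Note that ordering matters in the constructed list: if the permit for 10.1.0.0 0.0.255.255 were placed first, it would also match 10.1.20.x and the deny below it would never be reached, which is the most common mistake when an interface access list fails to keep traffic inside the switch block.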