Vlan Management; Creating A Standard Access List - Cisco RJ-45-to-AUX Brochure


After you enable port security on a switch port, any static or dynamic CAM entries associated with
that port are cleared, and any currently configured permanent CAM entries are treated as secure MAC
addresses.
Not all Cisco switches support port security. Check Cisco Connection Online (CCO) at
http://www.cisco.com/ to see whether your hardware and IOS version support it.
The default settings of a switch allow all MAC addresses to access all ports on the switch. Once you enable
port security, only those MAC addresses explicitly identified as secure can send data to the switch
ports. You can configure ports with either static or dynamic MAC address assignment.
Dynamic MAC address assignment requires almost no work from the administrator. Once port security is
enabled, the first interface to transmit on the port has its source MAC address recorded as the port's secure
MAC address. If another machine then sends a frame to that switch port with a different source MAC address,
the port automatically goes into a locked-down, disabled mode.
Static MAC address assignment requires the network administrator to assign a MAC address to each port
by hand. This is the most secure way of building the secure source address list, but it takes considerable
time and effort to manage. For smaller networks it may be a good solution; in larger networks it is not
easily implemented.
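To make the two assignment modes and the lock-down behaviour concrete, here is an added Python model of a single secured port. It is not code from this page or from Cisco; the class and function names (SecurePort, Mode, receive, the two demo functions) are assumptions for illustration, and the MAC addresses are constructed.

```python
from enum import Enum


class Mode(Enum):
    DYNAMIC = "dynamic"  # first source MAC seen on the port becomes its secure address
    STATIC = "static"    # the administrator assigns the secure address(es) by hand


class SecurePort:
    """Simplified model of one switch port with port security enabled.

    Hypothetical class for illustration; it mirrors the behaviour described
    in the text, not any particular IOS implementation.
    """

    def __init__(self, name, mode, static_macs=()):
        self.name = name
        self.mode = mode
        # Enabling port security clears learned entries; only addresses the
        # administrator configured as permanent start out as secure.
        self.secure_macs = {m.lower() for m in static_macs}
        self.disabled = False
        self.violations = []  # MACs that triggered lock-down, for the operator's log

    def receive(self, src_mac):
        """Process one inbound frame and return what the port did with it."""
        mac = src_mac.lower()
        if self.disabled:
            return "dropped"  # a locked-down port forwards nothing
        if self.mode is Mode.DYNAMIC and not self.secure_macs:
            self.secure_macs.add(mac)  # the first talker becomes the secure MAC
            return "learned"
        if mac in self.secure_macs:
            return "forwarded"
        # Any other source MAC is a violation: the port goes into disabled mode.
        self.disabled = True
        self.violations.append(mac)
        return "shutdown"


def dynamic_port_demo():
    """Dynamic mode: the first host is learned, a second host locks the port."""
    port = SecurePort("Fa0/1", Mode.DYNAMIC)
    return [port.receive(m) for m in
            ("00:11:22:33:44:55",   # constructed: first host, becomes secure MAC
             "00:11:22:33:44:55",   # same host, forwarded
             "AA:BB:CC:DD:EE:FF",   # constructed: a second host -> lock-down
             "00:11:22:33:44:55")]  # even the original host is now dropped


def static_port_demo():
    """Static mode: only the administrator-assigned address ever gets through."""
    port = SecurePort("Fa0/2", Mode.STATIC, static_macs=["00:11:22:33:44:55"])
    return [port.receive(m) for m in
            ("AA:BB:CC:DD:EE:FF",   # unknown host is a violation immediately
             "00:11:22:33:44:55")]  # assigned host, but the port is already down


if __name__ == "__main__":
    print(dynamic_port_demo())  # ['learned', 'forwarded', 'shutdown', 'dropped']
    print(static_port_demo())   # ['shutdown', 'dropped']
```

The dynamic run shows the operational cost the text alludes to: once a second address appears (a hub, a replaced NIC, a second PC daisy-chained behind the desk), the port shuts down and the legitimate host is cut off as well, so the violations list is the kind of event an operator should be alerting on rather than discovering from a help-desk call.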

VLAN Management

When you first provide the switch with an IOS, all the ports on the switch are assigned to VLAN1. In a typical
environment, VLAN1 is also kept as the management VLAN. As a result, if the ports were not configured or
were reset to their defaults, then anyone entering the network on VLAN1 would be in the management
VLAN. Cisco recommends that the management VLAN be moved to a VLAN other than the default VLAN1
to prevent this type of problem.

Creating a Standard Access List

Here is the command used when creating an IP standard access list:
access-list access-list-number {permit | deny} source {source-mask}
As an example of creating an access list, let's say you want to allow an advertising company to FTP
marketing material to your sales office. However, you do not want the whole world to have access to your
FTP server.
To create the access list, perform the following steps:
1. Because the access list is read in order, you first need to permit the addresses that can access the
FTP server. FTP uses ports 20 and 21, so it should be configured like this:
HSNRSM(config)# access-list 100 permit tcp 192.5.5.0 0.0.0.255 any eq 20
HSNRSM(config)# access-list 100 permit tcp 192.5.5.0 0.0.0.255 any eq 21
2. The following commands will deny all the other traffic on ports 20 and 21:
Static MAC Assignment vs. Dynamic MAC Assignment
263
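To show why step 1 insists on ordering, here is an added Python model of how IOS evaluates a numbered access list: first match wins, wildcard masks decide which address bits matter, and an implicit deny sits at the end. It is not code from this page or from Cisco. The two permit lines are the page's; the two deny lines (standing in for step 2, whose commands are not shown), the server and client addresses, and the names parse_acl, evaluate, Packet and AclEntry are constructed for illustration. Note that list 100 is, by IOS numbering, an extended list (standard lists use 1 to 99), which is why it can match on protocol and port at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src_net: str             # source network address
    src_wc: str              # IOS wildcard mask: 1 bits are "don't care"
    dst_net: str
    dst_wc: str
    dst_port: Optional[int]  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: int


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: every bit that is 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_address(t: List[str], i: int):
    """Consume an address spec at t[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse numbered extended ACL lines in the form used on this page."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported access-list line: {line!r}")
        src_net, src_wc, i = _parse_address(t, 4)
        dst_net, dst_wc, i = _parse_address(t, i)
        dst_port = None
        if i < len(t):  # optional "eq <port>" on the destination
            if t[i] != "eq" or i + 1 >= len(t):
                raise ValueError(f"unsupported port operator in: {line!r}")
            dst_port = int(t[i + 1])
        entries.append(AclEntry(t[2], t[3], src_net, src_wc, dst_net, dst_wc, dst_port))
    return entries


def evaluate(entries: List[AclEntry], pkt: Packet) -> str:
    """First-match evaluation, top to bottom, with the implicit deny at the end."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src_net, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst_net, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"  # every IOS ACL ends with an implicit deny


# The permit lines are the page's; the deny lines are constructed here to stand
# in for step 2, whose commands are not shown on the page.
PERMITS = [
    "access-list 100 permit tcp 192.5.5.0 0.0.0.255 any eq 20",
    "access-list 100 permit tcp 192.5.5.0 0.0.0.255 any eq 21",
]
DENIES = [
    "access-list 100 deny tcp any any eq 20",
    "access-list 100 deny tcp any any eq 21",
]
ACL_100 = parse_acl(PERMITS + DENIES)     # the order the text prescribes
MISORDERED = parse_acl(DENIES + PERMITS)  # deny first: the partner is locked out too

FTP_SERVER = "172.16.1.5"  # constructed address for the sales-office FTP server


def check_packets():
    """Return the ACL decision for a few constructed packets."""
    partner_ftp = Packet("tcp", "192.5.5.10", FTP_SERVER, 21)
    outsider_ftp = Packet("tcp", "10.0.0.7", FTP_SERVER, 21)
    partner_http = Packet("tcp", "192.5.5.10", FTP_SERVER, 80)
    return {
        "partner ftp, correct order": evaluate(ACL_100, partner_ftp),
        "outsider ftp, correct order": evaluate(ACL_100, outsider_ftp),
        "partner http, correct order": evaluate(ACL_100, partner_http),
        "partner ftp, deny first": evaluate(MISORDERED, partner_ftp),
    }


if __name__ == "__main__":
    for case, decision in check_packets().items():
        print(f"{case:30} -> {decision}")
```

Because of the implicit deny, the explicit deny lines in step 2 do not change what is forwarded; their value is that the policy is visible in the running configuration and, with the `log` keyword appended, that rejected attempts produce a record. The misordered case is the one to remember: put the denies first and the advertising company's transfers fail just like everyone else's, which is exactly the symptom that a "why can't they FTP?" ticket describes.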
