Section 12.3: Access Layer Policy and Port Security

The access layer is the entry point for users to access the network. Cable connections are generally pulled from an access layer switch to offices and cubicles in a company. For this reason, the network devices of the access layer are physically the most vulnerable.

At the access layer, use port security to limit the Media Access Control (MAC) addresses allowed to use the switch, so that unauthorized users cannot gain access to the network at all. In addition, the default VLAN of all ports is VLAN1, which is also the default management VLAN, so a user who connects to a port that was never configured lands in this VLAN. Cisco recommends moving the management VLAN to another VLAN to prevent users from entering the network on VLAN1 through an unconfigured port.