Cisco Campus Network Design Basics

Hi Michael,

Glad to hear you like it :) Security will depend on which access layer we are dealing with. For example, we could have a “switch block” with a distribution + access layer that is only used for end devices like computers / laptops. You probably don’t want to use any firewalls there…not because there are no risks but it will be very expensive.

You can configure your switches for some of the security risks on the access layer here:

- Port Security: against MAC spoofing / setting a limit to the number of MAC addresses per port.
- DHCP Snooping: so nobody can spoof a DHCP server on the access layer.
- IP Source Guard: so nobody can spoof an IP address.
- Dynamic ARP Inspection: against ARP poisoning.
- Storm Control: against broadcast storms or excessive traffic.
- Access-lists: for simple filtering.

If you have a “switch block” for your server farm then it’s possible that you want some extra security (firewalls) on the access-layer.

Rene
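As an added example (not part of Rene's post), this is how the first five features in the list above fit together on a Catalyst access switch running IOS. The VLAN number, interface names, MAC limit, rate limit and storm-control threshold are assumed values for illustration.

```cisco
! Constructed example: VLAN 10 is the user VLAN, Gi0/24 is the uplink
! to the distribution layer, Gi0/1 is an end-device port.
!
! DHCP snooping builds the binding table that IP Source Guard and
! Dynamic ARP Inspection both depend on, so enable it first.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Dynamic ARP Inspection: validate ARP packets in VLAN 10 against
! the DHCP snooping bindings.
ip arp inspection vlan 10
!
interface GigabitEthernet0/24
 description Uplink to distribution layer
 switchport mode trunk
 ! DHCP server replies and ARP from upstream are trusted here only.
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/1
 description End-device port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 !
 ! Port Security: at most 2 MAC addresses, learned dynamically and
 ! kept in the running config; drop and log frames from any others.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 !
 ! Untrusted port by default: DHCP server messages are dropped.
 ! Rate-limit client DHCP packets (packets per second).
 ip dhcp snooping limit rate 15
 !
 ! IP Source Guard: permit only the source IP in the snooping binding.
 ip verify source
 !
 ! Storm Control: shut the port if broadcast exceeds 5% of bandwidth.
 storm-control broadcast level 5.00
 storm-control action shutdown
```

Hosts with static addresses have no DHCP snooping binding, so on ports like Gi0/1 they need a static binding or an ARP ACL before IP Source Guard and Dynamic ARP Inspection are enabled. `show ip dhcp snooping binding`, `show ip verify source` and `show port-security interface GigabitEthernet0/1` confirm what each feature is enforcing.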