08-26-2013 11:59 AM - edited 03-10-2019 12:05 AM
We are currently using 3560 switches in our branches. We are in the process of implementing port-security on all these switches. In our testing we have been using sticky. The issue has come up with our remote users that travel from branch to branch with their laptops. They usually unplug the PC in an office from the IP phone and hook up their laptop. How can we allow that to happen without causing a violation on the interface? I am looking into MAC ACL but not sure it will work with sticky. I am fine changing to dynamic if it will work that way.
08-28-2013 08:45 AM
Port security isn't that great for mobile workers; although you could write in manually a certain amount of mac addresses it becomes difficult to manage and would be better to do this centrally.
It might be worth looking at dot1x instead of (or as well as) port security depending on your setup and requirements.
This page is pretty useful if you're interested.
Hope this helps a little.
08-28-2013 11:04 PM
802.1x is probably the best solution if possible to implement. Port-Security can also work if you lower the security slightly. You could allow one more MAC-address on the Data-vlan and additionally configure a timeout on the learned entries instead of using sticky.
Sent from Cisco Technical Support iPad App
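The suggestion in the last reply (one extra MAC address on the data VLAN, aging instead of sticky) could look like the sketch below. This is an added example, not configuration posted by anyone in the thread; the interface name, VLAN numbers and the 10-minute timer are assumptions.

```cisco
! Constructed example: interface, VLAN IDs and timer values are assumptions
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! Overall cap for the port; set first so the per-VLAN limits below fit under it
 switchport port-security maximum 3
 ! Data VLAN: the desk PC plus one visiting laptop
 switchport port-security maximum 2 vlan access
 ! Voice VLAN: the IP phone
 switchport port-security maximum 1 vlan voice
 ! Dynamic learning only (no "mac-address sticky"):
 ! a learned address is dropped after 10 minutes without traffic
 switchport port-security aging time 10
 switchport port-security aging type inactivity
```

`show port-security address` lists the learned addresses with their remaining age, which lets you confirm that the unplugged PC's entry expires before relying on this in a branch.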