| Review the switch configuration to verify each access port is configured for a single registered MAC address. |
Configuring port-security on the Cisco switch access port interface will automatically set the maximum number of registered MAC addresses to one. The value will not show up in the configuration of the switch itself. To validate the access port has a maximum value of one for allowable MAC addresses, you must run the following command:
Switch# show port-security interface
Show Command Example:
Switch# port int fa0/1
Port Security :Enabled
Port Status :Secure-down
Violation Mode :Shutdown
Aging Time :0 mins
Aging Type :Absolute
SecureStatic Address Aging :Disabled
Maximum MAC Addresses :1
Some technologies are exempt from requiring a single MAC address per access port; however, restrictions still apply. VoIP or VTC endpoints may provide a PC port so a PC can be connected. Each of the devices will need to be statically assigned to each access port.
Another green initiative where a single LAN drop is shared among several devices is called "hot-desking", which is related to conservation of office space and teleworking. Hot-desking is where several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly desktop VTC endpoint) used by all assignees and the PC port on it might be the connection for their laptop. In this case, it is best not to use sticky port security, but to use a static mapping of authorized devices or implement 802.1x. If this is not a teleworking remote location, this exemption does not apply.