To be honest I do not know if the devices initiate traffic themselves. The devices are Poly conference room devices, both a sound/mic/camera bar and a tablet to access scheduling and meeting tasks. I understand that traffic is blocked if no MAC is learned, but I thought that by giving the switch 'sticky-learn mac-address aa:bb:cc:dd:ee:ff vlan xx' it gives the MAC that it needs to learn. If that MAC is not present on the link it blocks traffic.
Original Message:
Sent: Jun 26, 2025 03:15 PM
From: willembargeman
Subject: Port security inquiry
Are these silent devices that don't initiate traffic themselves and are only listening? By default (at least with 802.1x/MAC auth but I think also with port-security) the outbound BUM traffic is blocked when no MAC is learned. You can change this behavior using the following config:
interface x/y/z
    port-access allow-flood-traffic enable
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Jun 26, 2025 02:37 PM
From: Russ_Altorfer
Subject: Port security inquiry
So kind of an update on this. For some of the devices we are getting connectivity issues. We have determined that applying the MAC statically to the port instead of using 'sticky-learn' fixed our issue.
Can anyone tell me what the difference between 'sticky-learn' and applying the MAC statically is? I am thinking that sticky is kind of the switch inquiring on the device's MAC and then comparing the applied MAC, compared to just already knowing the MAC? Am I wrong?
Original Message:
Sent: May 14, 2025 12:03 PM
From: Russ_Altorfer
Subject: Port security inquiry
Hello,
I am looking to apply port security to ports on my 6300 switch to restrict the type of device that can be plugged in. We are having users disconnect a Teams conference room device and plug in their laptop to do a presentation in a conference room. I know that we cannot physically stop them from doing this, but we want to apply port security to prevent them from accessing the network.
From my research and testing I can apply the following to the port to enable this.
port-access port-security enable
We currently have port-security applied to the ports only. Through my testing I am running 'port-access port-security interface all client-status' and not seeing the switch learning the device MAC with the command being only applied to the port. In order for my test 6300 to learn the MAC of the device I have to apply the port-access command globally. Is this correct? How does applying port security globally affect the switch? Aruba documentation states the command can be applied globally or per port. Do I have to apply the 'sticky-learn' on the port in order for the port to learn the device MAC without running the command globally?