I have some developers starting that never were in our network; they all have laptops and use and run VMware Workstation. We use port security. Can I use the sticky command and set the value to 8? 1 physical for the laptop and 7 for the virtual machines? The switch is a Catalyst 4503 with 96 ports.
Switch(config)# interface gi 5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 10
The whole mac-address-tracking concept is not scalable and a pretty poor security mechanism. Why not look into using AD-integrated Windows functionality to just use 802.1x auth on all the ports? It's not difficult to deploy, providing you have some competent Windows admins.
Trying to weigh all the options; these virt machines will not be part of AD. I want to say I want to use the shut command, but my gut tells me restrict so I do not have an ulcer. We use port security on everything else with shut. Our dev guys have their own area and have a fiber link back to our core from their 4503. We host the blade chassis for them and storage, and they manage all the virt machines themselves on Workstation. The defining line is the switch, and we are responsible for that and the physical machine also. They will have their own VLAN also for this. It's a different setup, as the system admins do not talk with the net admins; working on changing that with pizza and donuts once a week... amazing how IT can get along with food...
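The setup discussed in this thread (sticky learning, a limit of 8 addresses, and restrict instead of shutdown), written out as an added example that is not from any of the posters. The interface name is taken from the config in the question; everything else is standard IOS port-security syntax, and the `!` lines are comments.

```cisco
! Added example, not from the thread. Interface gi 5/1 is the one in the question.
interface GigabitEthernet5/1
 switchport mode access
 switchport port-security
 ! 1 MAC for the laptop NIC + 7 for VMs. Only VMs in bridged mode present
 ! their own MAC to the switch; NAT-mode VMs share the host's MAC.
 switchport port-security maximum 8
 ! Learned MACs are written into running-config as sticky entries.
 switchport port-security mac-address sticky
 ! restrict: frames from a 9th MAC are dropped, the violation counter
 ! increments and a syslog/SNMP notification is sent, but the port stays up.
 ! The default (shutdown) would err-disable the port instead.
 switchport port-security violation restrict
end
!
! Sticky entries survive a reload only if the config is saved.
copy running-config startup-config
!
! Checks: current/maximum address count, violation mode, violation counter.
show port-security interface GigabitEthernet5/1
! Checks: which MACs were learned on which port.
show port-security address
```

With sticky learning, a VM that is rebuilt with a new MAC consumes another of the 8 slots until the stale entry is removed, so the violation counter on these ports is worth watching.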