Information
The port security feature allows network managers to specify specific devices (by MAC address) that have access to ports on a switch, or to limit the number of devices that can connect to a port at the same time. Authorized MAC addresses can be specified manually by a switch administrator, learned dynamically as devices are connected, or authorized by a specified RADIUS server.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
In this example, port security is configured on port 2 in configured address mode with two statically assigned addresses, an address limit of 2, eavesdrop prevention enabled, and with intrusion detection configured to both send an SNMP trap and disable the port:
switch(config)# port-security 2 learn-mode configured address-limit 2 mac-address 308d99-000000 308d99-000001 eavesdrop-prevention action send-disable
This configuration will allow only the two devices specified by their MAC addresses to connect to port 2 (for example, an IP phone with a passthrough Ethernet port connected to a PC); any other devices that attempt to connect to the port will be flagged as an intrusion, an SNMP trap will be sent to configured SNMP targets, and the port will automatically be disabled.