STIGQter: STIG Summary: HP FlexFabric Switch L2S Security Technical Implementation Guide, Version 1, Release 3, Benchmark Date: 24 Jul 2020

The HP FlexFabric Switch must enable Device Link Detection Protocol (DLDP) to protect against one-way connections.

DISA Rule

SV-80569r1_rule

Vulnerability Number

V-66079

Group Title

SRG-NET-000512-L2S-000004

Rule Version

HFFS-L2-000021

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to enable Device Link Detection Protocol (DLDP) to protect against one-way connections.

[HP]dldp global enable

[HP-Ten-GigabitEthernet1/0/47]dldp enable

Check Contents

If any of the switch ports have fiber optic interconnections with neighbors, review the HP FlexFabric Switch configuration to verify that DLDP is enabled globally or on a per-interface basis.

If the HP FlexFabric Switch has fiber optic interconnections with neighbors and DLDP is not enabled, this is a finding.

<HP> display dldp
DLDP global status : disable
DLDP interval : 5s
DLDP work-mode : enhance
DLDP authentication-mode : none
DLDP unidirectional-shutdown : auto
DLDP delaydown-timer : 1s
The number of enabled ports is 2.
[HP-Interface Ethernet1/1]
DLDP port state : advertisement
DLDP link state : up
The neighbor number of the port is 0.
[HP-Interface Ethernet1/2]
DLDP port state : advertisement
DLDP link state : up
The neighbor number of the port is 0.
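As an added example (not part of the STIG or of STIGQter), a small Python check that parses `display dldp` output in the format shown above and applies this rule's finding logic. The sample output is constructed, and the list of fiber ports, the function name `hffs_l2_000021` and the field names it returns are assumptions of the example.

```python
import re

# Constructed sample (not captured from a real switch), trimmed to the fields
# the check depends on: global status, and per-port state for enabled ports.
SAMPLE_OUTPUT = """\
DLDP global status : disable
The number of enabled ports is 2.
[HP-Interface Ethernet1/1]
DLDP port state : advertisement
DLDP link state : up
The neighbor number of the port is 0.
[HP-Interface Ethernet1/2]
DLDP port state : advertisement
DLDP link state : up
The neighbor number of the port is 0.
"""

def parse_dldp(output):
    """Parse 'display dldp' text into (global_enabled, {port: {field: value}})."""
    global_enabled, ports, cur = False, {}, None
    for line in output.splitlines():
        line = line.strip()
        if m := re.match(r"DLDP global status\s*:\s*(\S+)", line):
            global_enabled = m.group(1).lower().startswith("enable")
        elif m := re.match(r"\[HP-Interface\s+(\S+)\]", line):
            cur = m.group(1)  # a port block is listed only for DLDP-enabled ports
            ports[cur] = {}
        elif cur and (m := re.match(r"DLDP (port|link) state\s*:\s*(\S+)", line)):
            ports[cur][m.group(1) + "_state"] = m.group(2)
        elif cur and (m := re.match(r"The neighbor number of the port is (\d+)", line)):
            ports[cur]["neighbors"] = int(m.group(1))
    return global_enabled, ports

def hffs_l2_000021(output, fiber_ports):
    """Apply the check text: a finding if fiber ports exist and DLDP is enabled
    neither globally nor on every fiber port. Returns (is_finding, reason)."""
    global_enabled, ports = parse_dldp(output)
    if not fiber_ports:
        return False, "not applicable: no fiber optic interconnections"
    if global_enabled:
        return False, "DLDP enabled globally"
    missing = [p for p in fiber_ports if p not in ports]
    if missing:
        return True, "DLDP not enabled on fiber port(s): " + ", ".join(missing)
    # Informational: a port with zero neighbors has not yet seen a DLDP peer,
    # so the link is not actually being verified even though DLDP is on.
    idle = [p for p in fiber_ports if ports[p].get("neighbors", 0) == 0]
    return False, "DLDP enabled per interface" + (f"; no neighbor yet on {', '.join(idle)}" if idle else "")
```

The port list would normally come from the inventory of which switch ports carry fiber uplinks; the check itself reads only the `display dldp` text.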


Check Content Reference

M

Target Key

2977

Comments