STIGQter: STIG Summary: HP FlexFabric Switch L2S Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 25 Jan 2019: The HP FlexFabric Switch must only allow a maximum of one registered MAC address per access port.

DISA Rule

SV-80573r1_rule

Vulnerability Number

V-66083

Group Title

SRG-NET-000512-L2S-000006

Rule Version

HFFS-L2-000023

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to limit the maximum number of registered MAC addresses on each access switch port to one.

[HP-GigabitEthernet1/0/1]port-security max-mac-count 1

Check Contents

Review the HP FlexFabric Switch configuration to verify each access port is configured for a single registered MAC address. Configuring port-security on the HP FlexFabric Switch access port interface will automatically set the maximum number of registered MAC addresses to one.

If any switch port has more than one MAC address assigned to it, this is a finding.

Exemptions: Some deployments are exempt from requiring a single MAC address per access switch port. VoIP or VTC endpoints may provide a PC port, thereby enabling a PC to be connected using the same switch port. The MAC address of each device will need to be registered to the appropriate access switch port. Another exempt scenario is “hot-desking”, where a single connection is shared among several devices and several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace.

Sample output:
[HPGigabitEthernet1/0/1]display this
#
interface GigabitEthernet1/0/1
port-security max-mac-count 1
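As an added example (not from the STIG or from HP), the following Python checker applies this rule to saved `display current-configuration` output and reports each access port as compliant, a finding, exempt (for a documented VoIP/hot-desking port supplied by the reviewer) or in need of manual review when no explicit limit appears in the configuration. It assumes Comware-style interface views terminated by a bare `#`, and that a port with no `port link-type trunk`/`hybrid` line is an access port (Comware's default); the sample configuration is constructed.

```python
import re
# Constructed sample `display current-configuration` output from an HP
# FlexFabric (Comware-style) switch; only the command syntax is from the STIG.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1
 port-security max-mac-count 1
#
interface GigabitEthernet1/0/2
 port-security max-mac-count 3
#
interface GigabitEthernet1/0/3
 port-security max-mac-count 2
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/24
 port link-type trunk
#
"""
MAX_MAC_RE = re.compile(r"^port-security max-mac-count (\d+)$")


def parse_interfaces(config):
    """Split a Comware config into {interface name: [stripped config lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith("#"):  # a bare '#' closes the current view
            current = None
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def check_access_ports(config, exempt=frozenset()):
    """Map each access port to (status, configured max-mac-count or None): compliant
    (limit 1), finding (limit > 1), exempt (limit > 1 on a listed VoIP/hot-desking
    port), review (no explicit limit; confirm on the switch). Trunk/hybrid skipped."""
    results = {}
    for name, lines in parse_interfaces(config).items():
        if any(l.startswith(("port link-type trunk", "port link-type hybrid")) for l in lines):
            continue
        limits = [int(m.group(1)) for m in map(MAX_MAC_RE.match, lines) if m]
        limit = limits[-1] if limits else None  # last occurrence wins, as on the switch
        status = ("review" if limit is None else "compliant" if limit == 1
                  else "exempt" if name in exempt else "finding")
        results[name] = (status, limit)
    return results
```

Ports reported as "review" should be confirmed on the switch itself, since port-security enabled on an access port defaults the limit to one but a port without port-security has no limit at all.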

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

2977

Comments