UCF STIG Viewer Logo

The switch must only allow a maximum of one registered MAC address per access port.


Finding ID Version Rule ID IA Controls Severity
V-18566 NET-NAC-031 SV-49133r1_rule DCSP-1 Medium
Limiting the number of registered MAC addresses on a switch access port can help prevent a CAM table overflow attack. This type of attack lets an attacker exploit the hardware and memory limitations of a switch. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. An attacker will able to flood the switch with mostly invalid MAC addresses until the CAM table’s resources have been depleted. When there are no more resources, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This happens because the switch cannot find the switch port number for a corresponding MAC address within the CAM table, allowing the switch to become a hub and traffic to be monitored.
Layer 2 Switch Security Technical Implementation Guide - Cisco 2019-01-09


Check Text ( C-45619r8_chk )
Review the switch configuration to verify each access port is configured for a single registered MAC address.

Configuring port-security on the Cisco switch access port interface will automatically set the maximum number of registered MAC addresses to one. The value will not show up in the configuration of the switch itself. To validate the access port has a maximum value of one for allowable MAC addresses, you must run the following command:

Switch# show port-security interface

Show Command Example:
Switch# port int fa0/1
Port Security :Enabled
Port Status :Secure-down
Violation Mode :Shutdown
Aging Time :0 mins
Aging Type :Absolute
SecureStatic Address Aging :Disabled
Maximum MAC Addresses :1

Some technologies are exempt from requiring a single MAC address per access port; however, restrictions still apply. VoIP or VTC endpoints may provide a PC port so a PC can be connected. Each of the devices will need to be statically assigned to each access port.

Another green initiative where a single LAN drop is shared among several devices is called "hot-desking", which is related to conservation of office space and teleworking. Hot-desking is where several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly desktop VTC endpoint) used by all assignees and the PC port on it might be the connection for their laptop. In this case, it is best not to use sticky port security, but to use a static mapping of authorized devices or implement 802.1x. If this is not a teleworking remote location, this exemption does not apply.
Fix Text (F-19193r3_fix)
Configure the switch to limit the maximum number of registered MAC addresses on each access switch port to one.