UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The layer 2 switch must only allow a maximum of one registered MAC address per each user-facing or untrusted access port.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62199 SRG-NET-000512-L2S-000006 SV-76689r1_rule Medium
Description
Limiting the number of registered MAC addresses on a switch access port can help prevent a Content Addressable Memory (CAM) table overflow attack. This type of attack lets an attacker exploit the hardware and memory limitations of a switch. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. An attacker will be able to flood the switch with mostly invalid MAC addresses until the CAM table’s resources have been depleted. When there are no more resources, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This happens because the switch cannot find the switch port number for a corresponding MAC address within the CAM table, allowing the switch to become a hub and traffic to be monitored.
STIG Date
Layer 2 Switch Security Requirements Guide 2019-07-03

Details

Check Text ( C-63003r2_chk )
Review the switch configuration to verify each access port is configured for a single registered MAC address. Configuring port-security on the Cisco switch access port interface will automatically set the maximum number of registered MAC addresses to one.

If any user-facing or untrusted switch port has more than one MAC address assigned to it, this is a finding.

Exemptions: Some deployments are exempt from requiring a single MAC address per access switch port. VoIP or VTC endpoints may provide a PC port thereby enabling a PC to be connected using the same switch port. The MAC address of each device will need to be registered to the appropriate access switch port. Another exempt case scenario is “hot-desking”, where a single connection is shared among several devices and several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace.
Fix Text (F-68119r1_fix)
Configure the switch to limit the maximum number of registered MAC addresses on each user-facing or untrusted access switch port to one.