From HP FlexFabric Switch L2S Security Technical Implementation Guide
Part of SRG-NET-000512-L2S-000006
Associated with: CCI-000366
Limiting the number of registered MAC addresses on a switch access port helps prevent a Content Addressable Memory (CAM) table overflow attack. This attack exploits the hardware and memory limits of a switch: the CAM table holds a finite number of MAC-address-to-port entries, and once it is full, no new entries can be learned until existing ones age out. An attacker floods the switch with frames carrying mostly bogus source MAC addresses until the table's resources are exhausted. From then on, the switch cannot find the egress port for any destination MAC address it has not learned, so it floods those frames to all ports in the VLAN. The switch effectively becomes a hub, and the attacker can monitor traffic that should have been delivered only to its destination port.
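The following toy learning-switch model is an added example, not HP Comware code, to make the mechanism above concrete: an attacker on one port floods bogus source addresses until the constructed 1000-entry CAM table is full, after which a victim's unicast frame to a server that could not be learned is flooded to every port, including the attacker's. With a per-port limit of one registered address the attacker's port stops learning after its first MAC, the table stays small, and the same frame goes only to the server's port. Port numbers, MAC addresses and capacity are constructed values, and port security is simplified to "refuse to register a second address on the port and drop frames from unregistered sources".

```python
"""Toy learning-switch model illustrating CAM table overflow and the effect
of a per-port MAC limit. Example code, not HP Comware code: CAM capacity,
ports and MAC addresses are constructed; port security is simplified to
"do not learn a second address on the port, drop unregistered sources"."""
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"
VICTIM = "aa:aa:aa:aa:aa:aa"      # host on port 1 (constructed)
SERVER = "bb:bb:bb:bb:bb:bb"      # host on port 2 (constructed)
ATTACKER_PORT = 3


class Switch:
    def __init__(self, ports, cam_capacity, max_mac_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity          # entries the CAM table can hold
        self.max_mac_per_port = max_mac_per_port  # None models "no port security"
        self.cam = {}                             # MAC -> port
        self.learned = {p: set() for p in self.ports}
        self.violations = []                      # (port, MAC) refused by port security

    def _learn(self, src, in_port):
        """Register src on in_port. Returns False if port security refused it."""
        if src in self.cam:
            return True
        if (self.max_mac_per_port is not None
                and len(self.learned[in_port]) >= self.max_mac_per_port):
            self.violations.append((in_port, src))
            return False
        if len(self.cam) >= self.cam_capacity:
            return True   # table full: src stays unlearned, frames to it will flood
        self.cam[src] = in_port
        self.learned[in_port].add(src)
        return True

    def forward(self, src, dst, in_port):
        """Return the set of ports the frame is sent out of (empty = dropped)."""
        if not self._learn(src, in_port):
            return set()                          # port security dropped the frame
        out_port = self.cam.get(dst)
        if out_port is None:                      # unknown unicast or broadcast
            return {p for p in self.ports if p != in_port}
        return {out_port}


def random_mac(rng):
    """Locally administered, random MAC address (constructed attacker source)."""
    return "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))


def run_scenario(max_mac_per_port, flood_frames=5000, cam_capacity=1000):
    """Attacker floods bogus source MACs, then the victim sends to the server.
    Returns (switch, set of ports the victim's frame was sent out of)."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=cam_capacity,
                max_mac_per_port=max_mac_per_port)
    rng = random.Random(1)                        # fixed seed: reproducible run
    for _ in range(flood_frames):
        sw.forward(random_mac(rng), BROADCAST, ATTACKER_PORT)
    sw.forward(SERVER, BROADCAST, in_port=2)      # server sends a broadcast (e.g. ARP)
    delivered_to = sw.forward(VICTIM, SERVER, in_port=1)
    return sw, delivered_to


if __name__ == "__main__":
    for limit in (None, 1):
        sw, ports = run_scenario(limit)
        print("max-mac-count=%s: CAM entries=%d, refused=%d, "
              "victim->server sent to ports %s"
              % (limit, len(sw.cam), len(sw.violations), sorted(ports)))
```

Without a limit the victim's frame reaches ports 2, 3 and 4, so the attacker on port 3 sees it; with the limit it reaches port 2 only and the 4,999 extra attacker addresses are refused.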
Review the HP FlexFabric Switch configuration to verify that each access port is configured for a single registered MAC address. With port security enabled, setting port-security max-mac-count 1 on the access port interface limits the port to one registered MAC address, and the interface view's display this output should show that setting. If any access switch port permits more than one MAC address, this is a finding.

Exemptions: Some deployments are exempt from the single-MAC-address-per-access-port requirement. VoIP or VTC endpoints may provide a PC port, allowing a PC to be connected through the same switch port; the MAC address of each device must then be registered to that access switch port. Another exempt scenario is "hot-desking", where a single connection is shared among several devices and several people work at the same desk at different times, each with their own PC. In that case, a different MAC address must be permitted for each PC that connects to the LAN drop in the workspace.

Sample output:

[HP-GigabitEthernet1/0/1]display this
#
interface GigabitEthernet1/0/1
 port-security max-mac-count 1
Configure the HP FlexFabric Switch to limit the maximum number of registered MAC addresses on each access switch port to one:

[HP-GigabitEthernet1/0/1]port-security max-mac-count 1
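Checking this by hand across every port is error-prone, so here is an added example (not HP code) that audits a saved copy of the running configuration for the check and fix above. It parses the "#"-delimited interface blocks in Comware style, skips trunk and hybrid ports, treats any physical port without an explicit trunk/hybrid link type as an access port (the access default is not shown in the configuration), and reports each access port as ok, a finding, or exempt (for the VoIP-with-PC-port and hot-desking cases, supplied by the auditor as an allowlist). The configuration text, the interface name prefixes it recognises and the exemption handling are this example's own assumptions.

```python
"""Audit a Comware-style running configuration for the one-MAC-per-access-port
requirement. Added example, not HP code: the configuration text is
constructed, and the physical interface prefixes and exemption handling are
this example's assumptions."""
import re

# Constructed sample in "display current-configuration" style.
SAMPLE_CONFIG = """\
#
 port-security enable
#
interface GigabitEthernet1/0/1
 port link-type access
 port-security max-mac-count 1
#
interface GigabitEthernet1/0/2
 port link-type access
#
interface GigabitEthernet1/0/3
 port link-type access
 port-security max-mac-count 2
#
interface GigabitEthernet1/0/24
 port link-type trunk
 port trunk permit vlan all
#
interface Vlan-interface1
 ip address 192.0.2.10 255.255.255.0
#
"""

PHYSICAL_PREFIXES = ("GigabitEthernet", "Ten-GigabitEthernet", "FortyGigE")
MAX_MAC_RE = re.compile(r"^port-security max-mac-count (\d+)$")


def parse_interfaces(config_text):
    """Return {interface name: [config lines]} from the '#'-delimited blocks."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "#":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def port_security_enabled(config_text):
    """True if the global 'port-security enable' line is present."""
    return any(l.strip() == "port-security enable"
               for l in config_text.splitlines())


def audit(config_text, exempt=()):
    """Return {interface: status} for every physical access port.

    exempt: interface names the auditor has documented as exempt
    (VoIP/VTC endpoint with PC port, hot-desking)."""
    results = {}
    for name, lines in parse_interfaces(config_text).items():
        if not name.startswith(PHYSICAL_PREFIXES):
            continue                      # Vlan-interface, LoopBack, etc.
        if any(l.startswith(("port link-type trunk", "port link-type hybrid"))
               for l in lines):
            continue                      # not an access port
        limit = None                      # None: no max-mac-count configured
        for l in lines:
            m = MAX_MAC_RE.match(l)
            if m:
                limit = int(m.group(1))
        if name in exempt:
            results[name] = "exempt"
        elif limit == 1:
            results[name] = "ok"
        elif limit is None:
            results[name] = "finding: no max-mac-count configured"
        else:
            results[name] = "finding: max-mac-count %d" % limit
    return results


if __name__ == "__main__":
    if not port_security_enabled(SAMPLE_CONFIG):
        print("finding: port security is not enabled globally")
    for iface, status in sorted(audit(SAMPLE_CONFIG,
                                      exempt={"GigabitEthernet1/0/3"}).items()):
        print("%-24s %s" % (iface, status))
```

Run against the sample, GigabitEthernet1/0/1 is ok, 1/0/2 is a finding because no limit is configured, 1/0/3 is reported as exempt only because it was allowlisted (without the allowlist its max-mac-count 2 is a finding), and the trunk port and VLAN interface are skipped.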