From Voice Video Services Policy STIG
Part of VVoIP 5300
Use of port security is required on network access switch ports. One method is MAC-based port security limiting the number of devices that can connect from an endpoint to a network access switch port. Allowing too many MAC addresses on a switch port could allow a hub or switch to be inserted into the voice VLAN port or PC/data port on a voice video endpoint, which allows additional unauthorized devices or workstations to be connected.
Review site documentation to confirm that the appropriate number of pre-authorized MAC addresses is statically assigned for the pre-authorized voice video endpoints, to include daisy chained devices. If static assignment is not implemented, the maximum number of MAC addresses dynamically learned on each access switch port must be limited to the minimum number of supported devices authorized to connect. If static assignment is not implemented and dynamic learning is not limited, this is a finding.

When dynamic MAC-based port security is used (MAC addresses are learned), configuration settings must be as follows:
- A LAN switch port supporting a single authorized voice video endpoint is configured for a learned maximum of one. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized voice video endpoint providing a PC port connecting a computer is configured for a learned maximum of three dynamically learned addresses. While two authorized devices are permitted to connect, the endpoint address may be learned twice, in association with both the data VLAN and the voice video VLAN.
- When a hardware voice video endpoint, video conference endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured for a learned maximum of five dynamically learned addresses. This is because both the hardware voice video endpoint and the video conference endpoint will typically be assigned to the VVoIP VLAN due to switch port mode configuration limitations, and both endpoints may be learned twice, in association with both the data VLAN and the voice video VLAN. If the switch port supports a third VLAN in access mode, additional MAC addresses may be learned by the multiple VLANs, requiring the maximum to be set higher, but only if absolutely necessary.

When dynamic MAC assignment is implemented, if the maximum number of MAC addresses dynamically learned on each access switch port is not limited to the minimum number of supported devices authorized to connect, this is a finding.

When static mapping of MAC addresses is used for port security, configuration settings must be as follows:
- A LAN switch port supporting a single authorized voice video endpoint is configured with one MAC address. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized voice video endpoint providing a PC port connecting a computer is configured with two MAC addresses.
- When a hardware voice video endpoint, video conference endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured with the three corresponding MAC addresses.

When static MAC assignment is implemented, if the appropriate number of pre-authorized MAC addresses is not statically assigned for the pre-authorized voice video endpoints, to include daisy chained devices, this is a finding. If static assignment is not implemented and dynamic learning is not limited as directed, this is a finding.

Implement and document that the appropriate number of pre-authorized MAC addresses is statically assigned for the pre-authorized voice video endpoints, to include daisy chained devices, or that the maximum number of MAC addresses dynamically learned on each access switch port is limited to the minimum number of supported devices authorized to connect.

When dynamic MAC-based port security is used (MAC addresses are learned), configuration settings must be as follows:
- A LAN switch port supporting a single authorized voice video endpoint is configured for a learned maximum of one. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized voice video endpoint providing a PC port connecting a computer is configured for a learned maximum of three dynamically learned addresses.
- When a hardware voice video endpoint, video conference endpoint, and a computer are daisy chained on one LAN drop and switch port, the switch port is configured for a learned maximum of five dynamically learned addresses.

When static mapping of MAC addresses is used for port security, configuration settings must be as follows:
- A LAN switch port supporting a single authorized voice video endpoint is configured with one MAC address. The PC port must be disabled, if present.
- A LAN switch port supporting an authorized voice video endpoint providing a PC port connecting a computer is configured with two MAC addresses.
- When a hardware voice video endpoint, video conference endpoint, and computer are daisy chained on one LAN drop and switch port, the switch port is configured with the three corresponding MAC addresses.
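An added compliance check for the rule above (example code, not part of the STIG): it parses a constructed Cisco IOS-style port-security excerpt, looks up each port's authorized device set in a constructed site inventory, and compares the switch settings against the dynamic (1/3/5) and static (1/2/3) limits. The STIG names no vendor; the Cisco command syntax, the sample config, the inventory and the function names are assumptions made here.

```python
import re

# From the STIG text, keyed by the authorized device set on a port:
# (maximum dynamically learned addresses, number of statically assigned MACs).
EXPECTED = {"endpoint": (1, 1), "endpoint+pc": (3, 2), "endpoint+vtc+pc": (5, 3)}
# Constructed Cisco IOS-style running-config excerpt (sample data, not from the STIG).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport port-security
 switchport port-security maximum 8
!
interface GigabitEthernet1/0/2
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address 0011.2233.4456
 switchport port-security mac-address 0011.2233.4457
!
"""
# Constructed site documentation: the authorized device set on each port.
SITE_INVENTORY = {"GigabitEthernet1/0/1": "endpoint+pc",
                  "GigabitEthernet1/0/2": "endpoint+vtc+pc"}

def parse_interfaces(config):
    # {name: {"enabled": bool, "maximum": int or None, "static": [mac, ...]}}
    ports = {}
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, body = block.split("\n", 1)
        ports[name.strip()] = {
            "enabled": bool(re.search(r"^ switchport port-security$", body, re.M)),
            "maximum": (m := re.search(r"port-security maximum (\d+)", body)) and int(m.group(1)),
            "static": re.findall(r"port-security mac-address (\S+)", body),
        }
    return ports

def check_port_security(config, inventory):
    # Map each documented port to None (compliant) or a finding string.
    ports, findings = parse_interfaces(config), {}
    for port, devices in inventory.items():
        dyn_max, static_n = EXPECTED[devices]
        p = ports.get(port) or {"enabled": False, "maximum": None, "static": []}
        n, mx = len(p["static"]), p["maximum"]
        if not p["enabled"]:
            findings[port] = "port security not enabled"
        elif n:  # static mapping: exactly the documented MACs, and no spare slot above them that could be learned
            findings[port] = None if n == static_n and (mx is None or mx <= n) else f"{n} static MACs, maximum {mx}, expected {static_n}"
        else:  # dynamic learning: an absent maximum is treated here as unlimited (assumption, platform defaults vary)
            findings[port] = None if mx is not None and mx <= dyn_max else f"learned maximum {mx}, expected at most {dyn_max}"
    return findings
```

A port listed in the site inventory but absent from the config, or present without `switchport port-security`, is reported as a finding rather than silently skipped.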