STIGQter: STIG Summary: HP FlexFabric Switch L2S Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jul 2020:

The HP FlexFabric Switch must have Root Guard enabled on all ports where the root bridge should not appear.

DISA Rule

SV-80553r1_rule

Vulnerability Number

V-66063

Group Title

SRG-NET-000362-L2S-000021

Rule Version

HFFS-L2-000010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to have Root Guard enabled on all ports where the root bridge should not appear (user-facing ports and ports toward downstream switches). Enter the interface view of each such port and enable root protection:

[HP-GigabitEthernet1/0/1]stp root-protection

Check Contents

Review the HP FlexFabric Switch topology together with the running configuration to verify that Root Guard (stp root-protection) is enabled on every switch port facing users or switches downstream of the root bridge, that is, on every port on which the root bridge should never appear. In the display stp output, a protected port shows "Protection type : ROOT".

If the switch has not enabled Root Guard on all ports where the root bridge should not appear, this is a finding.

[HP]display stp
-------[CIST Global Info][Mode MSTP]-------
Bridge ID : 0.bcea-fa14-f0a4
Bridge times : Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC : 0.bcea-fa14-f0a4, 0
RegRoot ID/IRPC : 0.bcea-fa14-f0a4, 0
RootPort ID : 0.0
BPDU-Protection : Disabled
Bridge Config-
Digest-Snooping : Disabled
TC or TCN received : 19824
Time since last TC : 0 days 1h:3m:4s

----[Port1(GigabitEthernet1/0/1)][DISCARDING]----
Port protocol : Enabled
Port role : Designated Port (Boundary)
Port ID : 128.1
Port cost(Legacy) : Config=auto, Active=20
Desg.bridge/port : 0.bcea-fa14-f0a4, 128.1
Port edged : Config=disabled, Active=disabled
Point-to-Point : Config=auto, Active=true
Transmit limit : 10 packets/hello-time
TC-Restriction : Disabled
Role-Restriction : Disabled
Protection type : ROOT
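The check above is manual: an assessor reads the display stp output port by port. The following Python audit script is an added example, not part of the STIG or of HP's tooling; it parses the per-port blocks of display stp, treats any STP-enabled port whose "Protection type" is not ROOT as a finding, and emits the matching Comware remediation commands. The sample output is constructed: the first port is copied from the check output on this page, the second is a hypothetical unprotected user port (Comware prints "Protection type : None" when no protection is configured, an assumption of this example). Ports on which the root bridge legitimately appears (the uplink toward the root) are passed in as exemptions, since root guard must never be placed on the actual root port.

```python
"""Audit HP Comware 'display stp' output for ports that lack Root Guard."""
import re

# Constructed sample (not live device output). Port 1 is the STIG's own
# example; port 2 is a hypothetical user-facing port with no protection.
SAMPLE_DISPLAY_STP = """\
-------[CIST Global Info][Mode MSTP]-------
Bridge ID : 0.bcea-fa14-f0a4
Bridge times : Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC : 0.bcea-fa14-f0a4, 0
RootPort ID : 0.0
BPDU-Protection : Disabled
TC or TCN received : 19824
Time since last TC : 0 days 1h:3m:4s

----[Port1(GigabitEthernet1/0/1)][DISCARDING]----
Port protocol : Enabled
Port role : Designated Port (Boundary)
Port ID : 128.1
Port cost(Legacy) : Config=auto, Active=20
Desg.bridge/port : 0.bcea-fa14-f0a4, 128.1
Protection type : ROOT

----[Port2(GigabitEthernet1/0/2)][FORWARDING]----
Port protocol : Enabled
Port role : Designated Port
Port ID : 128.2
Port cost(Legacy) : Config=auto, Active=20
Desg.bridge/port : 0.bcea-fa14-f0a4, 128.2
Protection type : None
"""

# Matches lines such as: ----[Port1(GigabitEthernet1/0/1)][DISCARDING]----
PORT_HEADER = re.compile(
    r"^----\[Port\d+\((?P<name>[^)]+)\)\]\[(?P<state>[A-Z]+)\]----$"
)


def parse_ports(text):
    """Return {port_name: {attribute: value, ...}} for each per-port block.

    The global CIST section before the first port header is ignored; every
    'key : value' line after a port header is attached to that port.
    """
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = PORT_HEADER.match(line)
        if header:
            current = header.group("name")
            ports[current] = {"state": header.group("state")}
            continue
        if current and ":" in line:
            key, _, value = line.partition(":")
            ports[current][key.strip()] = value.strip()
    return ports


def ports_missing_root_guard(text, exempt=()):
    """Names of STP-enabled ports whose protection type is not ROOT.

    exempt: ports where the root bridge is expected (uplinks toward the root);
    these are skipped because root guard would isolate the switch from the root.
    """
    findings = []
    for name, attrs in parse_ports(text).items():
        if name in exempt:
            continue
        if attrs.get("Port protocol") != "Enabled":
            continue  # STP disabled on the port; no BPDUs are processed
        if attrs.get("Protection type", "").upper() != "ROOT":
            findings.append(name)
    return findings


def fix_commands(port_names):
    """Comware interface-view commands that remediate each finding."""
    cmds = []
    for name in port_names:
        cmds.extend([f"interface {name}", "stp root-protection", "quit"])
    return cmds


if __name__ == "__main__":
    missing = ports_missing_root_guard(SAMPLE_DISPLAY_STP)
    if missing:
        print("Finding: Root Guard not enabled on:", ", ".join(missing))
        print("\n".join(["system-view"] + fix_commands(missing)))
    else:
        print("Not a finding: all in-scope ports have Protection type ROOT")
```

Run it against a saved copy of display stp from the device and pass the uplink port(s) toward the root bridge in exempt; any remaining port listed is a CAT II finding under this rule, and the printed commands are the fix.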

Vulnerability Number

V-66063

Documentable

False

Rule Version

HFFS-L2-000010

Severity Override Guidance

Check Content Reference

M

Target Key

2977

Comments