STIGQter: STIG Summary: HP FlexFabric Switch L2S Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 24 Jul 2020

The HP FlexFabric Switch must have BPDU Guard enabled on all user-facing access ports.

DISA Rule

SV-80555r1_rule

Vulnerability Number

V-66065

Group Title

SRG-NET-000362-L2S-000022

Rule Version

HFFS-L2-000011

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to have BPDU Guard enabled on all user-facing switch ports.

[HP]stp bpdu-protection
[HP-GigabitEthernet1/0/1]stp edged-port

Check Contents

Review the HP FlexFabric Switch configuration to verify that BPDU Protection is enabled on all user-facing switch ports.

If the HP FlexFabric Switch has not enabled BPDU protection, this is a finding.

[HP] display stp
-------[CIST Global Info][Mode MSTP]-------
Bridge ID : 32768.7848-596a-6580
Bridge times : Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC : 32768.7848-596a-6580, 0
RegRoot ID/IRPC : 32768.7848-596a-6580, 0
RootPort ID : 0.0
BPDU-Protection : Enabled
Bridge Config-
Digest-Snooping : Disabled
TC or TCN received : 0
Time since last TC : 3 days

interface GigabitEthernet1/0/1
stp edged-port
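
The check above can be scripted against a saved configuration. The following is an added example, not part of the STIG or of any HP tooling: it looks for the two commands from the Fix Recommendation, the global stp bpdu-protection and stp edged-port on each user-facing interface. The function name, the list of user-facing ports and the sample configuration are assumptions constructed for illustration, as is the layout in which "#" separates stanzas.

```python
import re

# Constructed sample configuration (assumed layout: "#" separates stanzas).
SAMPLE_CONFIG = """\
#
 sysname HP
#
 stp bpdu-protection
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 stp edged-port
#
interface GigabitEthernet1/0/2
 port link-mode bridge
#
interface Ten-GigabitEthernet1/0/49
 port link-mode bridge
#
"""

# Hypothetical inventory of user-facing access ports; the STIG does not list them.
USER_PORTS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/3"]


def audit_bpdu_guard(config_text, user_ports):
    """Return a list of findings; an empty list means no finding for this rule."""
    global_enabled = False
    seen, edged = set(), set()
    current = None  # interface stanza being read, None while in global context
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            seen.add(current)
        elif line == "#":
            current = None  # stanza separator ends the interface context
        elif line == "stp bpdu-protection" and current is None:
            global_enabled = True
        elif line.startswith("stp edged-port") and current is not None:
            edged.add(current)
    findings = [] if global_enabled else ["global: stp bpdu-protection missing"]
    for port in user_ports:
        if port not in seen:
            findings.append(f"{port}: interface not found in configuration")
        elif port not in edged:
            findings.append(f"{port}: stp edged-port missing")
    return findings
```

Ports missing from the configuration are reported separately so that an outdated port inventory is not mistaken for a compliant switch.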

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2977

Comments