STIGQter: STIG Summary: HP FlexFabric Switch L2S Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 24 Jul 2020

The HP FlexFabric Switch must have Dynamic ARP Inspection (DAI) enabled on all user VLANs.

DISA Rule

SV-80565r1_rule

Vulnerability Number

V-66075

Group Title

SRG-NET-000362-L2S-000027

Rule Version

HFFS-L2-000016

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the HP FlexFabric Switch to have Dynamic ARP Inspection (DAI) enabled on all user VLANs.

[HP-vlan2]arp detection enable

[HP-Ten-GigabitEthernet1/0/11]arp detection trust

Check Contents

Review the HP FlexFabric Switch configuration to verify that the Dynamic ARP Inspection (DAI) feature is enabled on all user VLANs.

If DAI is not enabled on all user VLANs, this is a finding.

[HP]display arp detection
ARP detection is enabled in the following VLANs:
2

[HP]display arp detection statistics interface Ten-GigabitEthernet 1/0/11
State: U-Untrusted T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State) IP Src-MAC Dst-MAC Inspect
XGE1/0/11(T) 0 0 0 0
[HP]
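
The check above can be automated against captured `display arp detection` output. The following is an added example, not part of the STIG or of any HP tooling. Assumptions: the set of user VLANs is supplied by the auditor, and a multi-VLAN listing uses comma or space separated IDs with `a-b` or `a to b` ranges (the page itself only shows the single VLAN `2`).

```python
from __future__ import annotations
import re

HEADER = "ARP detection is enabled in the following VLANs:"

# Output copied from the check text on this page.
PAGE_OUTPUT = """[HP]display arp detection
ARP detection is enabled in the following VLANs:
2

[HP]display arp detection statistics interface Ten-GigabitEthernet 1/0/11
"""

# Constructed sample (assumed list/range syntax, not taken from a real device).
CONSTRUCTED_OUTPUT = """[HP]display arp detection
ARP detection is enabled in the following VLANs:
2, 10-12
20
[HP]
"""

def parse_dai_vlans(output: str) -> set[int]:
    """Return the VLAN IDs listed under the DAI header; empty set if none found."""
    vlans: set[int] = set()
    in_list = False
    for line in output.splitlines():
        text = line.strip()
        if HEADER in text:
            in_list = True
            continue
        if not in_list:
            continue
        # The list ends at a blank line or at the next CLI prompt.
        if not text or text.startswith(("[", "<")):
            break
        for start, end in re.findall(r"(\d+)(?:\s*(?:-|to)\s*(\d+))?", text):
            vlans.update(range(int(start), int(end or start) + 1))
    return vlans

def dai_findings(output: str, user_vlans: set[int]) -> list[int]:
    """User VLANs without DAI; any entry is a finding under HFFS-L2-000016."""
    return sorted(user_vlans - parse_dai_vlans(output))

if __name__ == "__main__":
    # Hypothetical site inventory of user VLANs.
    print(dai_findings(PAGE_OUTPUT, {2, 10, 20}))
```

Output that lacks the header line yields an empty set, so every user VLAN is reported as a finding rather than silently passing.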

Documentable

False

Check Content Reference

M

Target Key

2977
