Check: CISC-L2-000120
Cisco IOS XE Switch L2S STIG:
CISC-L2-000120
(in versions v2 r5 through v1 r0.1)
Title
The Cisco switch must have Unknown Unicast Flood Blocking (UUFB) enabled. (Cat II impact)
Discussion
Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer switch and there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the frame will be sent to all forwarding ports within the respective VLAN, which causes flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or complete connectivity outage to the connected devices. Unknown unicast flooding has been a nagging problem in networks that have asymmetric routing and default timers. To mitigate the risk of a connectivity outage, the Unknown Unicast Flood Blocking (UUFB) feature must be implemented on all access layer switches. The UUFB feature will block unknown unicast traffic flooding and only permit egress traffic with MAC addresses that are known to exit on the port.
Check Content
Review the switch configuration to verify that UUFB is enabled on all access switch ports as shown in the configuration example below: interface GigabitEthernet0/0 switchport block unicast ! interface GigabitEthernet0/1 switchport block unicast … … … interface GigabitEthernet0/9 switchport block unicast If any access switch ports do not have UUFB enabled, this is a finding.
Fix Text
Configure the switch to have Unknown Unicast Flood Blocking (UUFB) enabled as shown in the configuration example below: SW1(config)#int range g0/0 - 9 SW1(config-if-range)#switchport block unicast
Additional Identifiers
Rule ID: SV-220658r856280_rule
Vulnerability ID: V-220658
Group Title: SRG-NET-000362-L2S-000024
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |