An error occurred:

Check: JUEX-L2-000110

Juniper EX Series Switches Layer 2 Switch STIG: JUEX-L2-000110 (in versions v1 r2 through v1 r1)

Title

The Juniper EX switch must be configured not to forward unknown unicast traffic to access interfaces. (Cat II impact)

Discussion

Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific interfaces based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards it to the access layer switch and there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the frame will be sent to all forwarding interfaces within the respective VLAN, which causes flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or complete connectivity outage to the connected devices. Unknown unicast flooding has been a nagging problem in networks that have asymmetric routing and default timers. To mitigate the risk of a connectivity outage, the unknown unicast traffic must not be flooded to all access interfaces.

Check Content

Review the switch configuration to verify that unknown unicast frames are forwarded to a single interface. [edit switch-options] unknown-unicast-forwarding { vlan <VLAN name> { interface <interface name>.<logical unit>; } } Note: Validate the MAC and/or ARP timers are consistent across the network. Blindly forwarding unknown unicast traffic can cause the DoS condition this check intends to prevent. Validate the network architecture and that the receiving interface is appropriate. If any access VLANs are not configured to forward unknown unicast to a single interface, this is a finding.

Fix Text

Configure the switch to have VLANs forward unknown unicast frames to a single interface. set switch-options unknown-unicast-forwarding vlan <VLAN name> interface <interface name>.<logical unit>

Additional Identifiers

Rule ID: SV-253958r843907_rule

Vulnerability ID: V-253958

Group Title: SRG-NET-000362-L2S-000024

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002355

The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.
CCI-002385

The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-24 (2)

No User Or Process Identity
SC-5

Denial Of Service Protection