Check: SRG-NET-000362-L2S-000027
Layer 2 Switch SRG:
SRG-NET-000362-L2S-000027
(in versions v2 r1 through v1 r1)
Title
The layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. (Cat II impact)
Discussion
DAI intercepts Address Resolution Protocol (ARP) requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
Check Content
Review the switch configuration to verify that Dynamic Address Resolution Protocol (ARP) Inspection (DAI) feature is enabled on all user VLANs. If DAI is not enabled on all user VLANs, this is a finding.
Fix Text
Configure the switch to have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs.
Additional Identifiers
Rule ID: SV-206660r383575_rule
Vulnerability ID: V-206660
Group Title: SRG-NET-000362
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
| Number | Title |
|---|---|
| SC-5 |
Denial Of Service Protection |