Free DISA STIG and SRG Library | Vaulted


The layer 2 switch must only allow a maximum of one registered MAC address per each user-facing or untrusted access port.

Finding ID
Rule ID
Cat II
Group Title
Target Key

Limiting the number of registered MAC addresses on a switch access port can help prevent a Content Addressable Memory (CAM) table overflow attack. This type of attack lets an attacker exploit the hardware and memory limitations of a switch. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. An attacker will be able to flood the switch with mostly invalid MAC addresses until the CAM table’s resources have been depleted. When there are no more resources, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This happens because the switch cannot find the switch port number for a corresponding MAC address within the CAM table, allowing the switch to become a hub and traffic to be monitored.

Fix Text

Configure the switch to limit the maximum number of registered MAC addresses on each user-facing or untrusted access switch port to one.

Check Content

Review the switch configuration to verify each access port is configured for a single registered MAC address. Configuring port-security on the Cisco switch access port interface will automatically set the maximum number of registered MAC addresses to one. If any user-facing or untrusted switch port has more than one MAC address assigned to it, this is a finding. Exemptions: Some deployments are exempt from requiring a single MAC address per access switch port. VoIP or VTC endpoints may provide a PC port thereby enabling a PC to be connected using the same switch port. The MAC address of each device will need to be registered to the appropriate access switch port. Another exempt case scenario is “hot-desking”, where a single connection is shared among several devices and several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace.