The layer 2 switch must have STP Loop Guard enabled on all non-designated STP switch ports.

From Layer 2 Switch Security Requirements Guide

Part of SRG-NET-000362

Associated with: CCI-002385

SV-76667r1_rule The layer 2 switch must have STP Loop Guard enabled on all non-designated STP switch ports.

Vulnerability discussion

The Spanning Tree Protocol (STP) loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. In its operation, STP relies on continuous reception and transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs. When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes a designated port and moves to a forwarding state. This situation creates a loop. The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state.

Check content

Review the switch configuration to verify that STP Loop Guard is enabled. If STP Loop Guard is not configured globally or on non-designated STP ports, this is a finding.

Fix text

Configure the switch to have STP Loop Guard enabled globally or at a minimum on all non-designated STP switch ports.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer