The layer 2 switch must have Root Guard enabled on all ports where the root bridge should not appear.

From Layer 2 Switch Security Requirements Guide

Part of SRG-NET-000362

Associated with: CCI-002385

SV-76663r1_rule The layer 2 switch must have Root Guard enabled on all ports where the root bridge should not appear.

Vulnerability discussion

Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge but can set the root bridge priority to 0 in an effort to secure the root bridge position.The root guard feature provides a way to enforce the root bridge placement in the network. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state and no traffic can be forwarded across this port while it is in this state. To enforce the position of the root bridge it is imperative that root guard is enabled on all ports where the root bridge should never appear.

Check content

Review the switch topology as well as the configuration to verify that root guard is enabled on switch ports facing users or switches that are downstream from the root bridge. If the switch has not enabled Root Guard on all ports where the root bridge should not appear, this is a finding.

Fix text

Configure the switch to have Root Guard enabled on all ports where the root bridge should not appear.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer