Check: ARST-L2-000050
Arista MLS EOS 4.2x L2S STIG: ARST-L2-000050 (in version v1 r1)
Title
The Arista MLS switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts. (Cat III impact)
Discussion
Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge but can set the root bridge priority to 0 in an effort to secure the root bridge position.
Check Content
Review the Arista MLS switch topology as well as the configuration to verify that root guard is enabled on switch ports facing switches that are downstream from the root bridge.

Example:

```
switch#sh run | sec guard root
interface Ethernet37
   spanning-tree guard root
```

If the Arista MLS switch has not enabled guard root on all ports connecting to the access layer where the root bridge must not appear, this is a finding.
Fix Text
The Arista MLS switch must be configured for spanning-tree guard root mode on all ports connecting to the access layer. Configure each such Arista MLS switch Ethernet interface with the following commands:

```
switch#config
switch(config)#interface Ethernet[X]
switch(config-if-Et[X])#spanning-tree guard root
switch(config-if-Et[X])#exit
!
```
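The check and fix above amount to one procedure: identify the access-facing ports from the topology, confirm each carries `spanning-tree guard root` in the running config, and emit the remediation for any that do not. The script below is an added example (not part of the STIG and not Arista tooling) that automates that review over a captured `show running-config`. The config text and the set of access-facing ports are constructed sample data; in practice the operator supplies both, since the STIG requires the topology review to decide which ports face the access layer.

```python
"""Compliance check for ARST-L2-000050: verify `spanning-tree guard root` on
access-facing interfaces of an Arista EOS switch.

Added example, not part of the STIG or of Arista's own tooling. It parses a
`show running-config` capture (constructed sample below), reports access-facing
interfaces that lack root guard, and produces the EOS remediation lines from
the Fix Text for each finding.
"""
import re
from typing import Dict, List, Set

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
!
interface Ethernet1
   description uplink to core (root bridge side)
   switchport mode trunk
!
interface Ethernet37
   description access-sw-01
   switchport mode trunk
   spanning-tree guard root
!
interface Ethernet38
   description access-sw-02
   switchport mode trunk
!
interface Ethernet40
   description host-port
   switchport access vlan 10
   spanning-tree portfast
!
interface Management1
   ip address 192.0.2.10/24
!
"""

# Operator-supplied assumption: the ports that face access switches or hosts,
# as determined by the topology review the STIG calls for.
ACCESS_FACING_PORTS = {"Ethernet37", "Ethernet38", "Ethernet40"}


def parse_interfaces(running_config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines]} per `interface` stanza.

    An EOS stanza ends at a '!' separator line or at the next unindented
    top-level command.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
            continue
        if line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # some other top-level command; leave the stanza
    return stanzas


def root_guard_findings(running_config: str, access_ports: Set[str]) -> List[str]:
    """Return sorted access-facing interfaces missing `spanning-tree guard root`.

    An expected interface that is absent from the config is also a finding,
    since root guard cannot be configured on it.
    """
    stanzas = parse_interfaces(running_config)
    return [name for name in sorted(access_ports)
            if "spanning-tree guard root" not in stanzas.get(name, [])]


def remediation_commands(findings: List[str]) -> List[str]:
    """Build the EOS command sequence from the Fix Text for each finding."""
    cmds = ["config"]
    for name in findings:
        cmds += [f"interface {name}", "spanning-tree guard root", "exit"]
    return cmds


if __name__ == "__main__":
    missing = root_guard_findings(SAMPLE_RUNNING_CONFIG, ACCESS_FACING_PORTS)
    if missing:
        print("FINDING: root guard not enabled on:", ", ".join(missing))
        print("\n".join(remediation_commands(missing)))
    else:
        print("PASS: root guard enabled on all access-facing ports")
```

Run against the constructed sample, the script flags Ethernet38 and Ethernet40 (Ethernet37 already has root guard) and prints the configuration lines to apply. Swap in a real capture and the port set from your own topology review to use it as a pre-audit check.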
Additional Identifiers
Rule ID: SV-255970r882252_rule
Vulnerability ID: V-255970
Group Title: SRG-NET-000362-L2S-000021
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 | The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 | Denial Of Service Protection |