Check: CISC-L2-000190
Cisco IOS XE Switch L2S STIG:
CISC-L2-000190
(in versions v2 r5 through v1 r1)
Title
The Cisco switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections. (Cat II impact)
Discussion
In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mismatched set of transmit/receive pairs. When such a physical misconfiguration occurs, protocols such as STP can cause network instability. UDLD is a layer 2 protocol that can detect these physical misconfigurations by verifying that traffic is flowing bidirectional between neighbors. Ports with UDLD enabled periodically transmit packets to neighbor devices. If the packets are not echoed back within a specific time frame, the link is flagged as unidirectional and the interface is shut down.
Check Content
If any of the switch ports have fiber optic interconnections with neighbors, review the switch configuration to verify that UDLD is enabled globally or on a per-interface basis as shown in the examples below: hostname SW2 … … … udld enable or interface GigabitEthernet0/1 udld port Note: An alternative implementation when UDLD is not supported by connected device is to deploy a single member Link Aggregation Group (LAG) via IEEE 802.3ad Link Aggregation Control Protocol (LACP). If the switch has fiber optic interconnections with neighbors and UDLD is not enabled, this is a finding.
Fix Text
Configure the switch to enable Unidirectional Link Detection (UDLD) to protect against one-way connections. SW2(config)#udld enable or SW2(config)#int g0/1 SW2(config-if)#udld port
Additional Identifiers
Rule ID: SV-220665r539671_rule
Vulnerability ID: V-220665
Group Title: SRG-NET-000512-L2S-000004
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |