The Cisco switch must have STP Loop Guard enabled. (Cat II impact)
The Spanning Tree Protocol (STP) loop guard feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. In its operation, STP relies on continuous reception and transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs. When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes a designated port and moves to a forwarding state. This situation creates a loop. The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state.
Review the switch configuration to verify that STP Loop Guard is enabled as shown in the configuration example below: hostname SW2 … … … spanning-tree mode pvst spanning-tree loopguard default If STP Loop Guard is not enabled, this is a finding.
Configure the switch to have STP Loop Guard enabled via the spanning-tree loopguard default global command.
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.
Denial Of Service Protection