An error occurred:

Check: JUEX-L2-000090

Juniper EX Series Switches Layer 2 Switch STIG: JUEX-L2-000090 (in versions v1 r2 through v1 r1)

Title

The Juniper EX switch must be configured to enable BPDU Protection on all user-facing or untrusted access switch ports. (Cat II impact)

Discussion

If a rogue switch is introduced into the topology and transmits a Bridge Protocol Data Unit (BPDU) with a lower bridge priority than the existing root bridge, it will become the new root bridge and cause a topology change, rendering the network in a suboptimal state. BPDU Protection allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind interfaces that have BPDU Protection enabled are not able to influence the STP topology. At the reception of BPDUs, BPDU Protection disables the port and logs the condition.

Check Content

Review the switch configuration to verify that BPDU Protection is enabled on all user-facing or untrusted access switch interfaces. BPDU Protection discards all BPDUs received on a configured interface and stops forwarding on that interface. In contrast, Root Protection discards only superior root BPDUs but accepts remaining BPDU types. Verify BDPU Protection (bpdu-block-on-edge) and the edge interfaces where no BPDUs are expected. [protocols] mstp { bpdu-block-on-edge; interface <interface name> { edge; } } Note: Configuring BPDU Protection and Root Protection on the same interface is supported, but redundant because BPDU protection includes Root Protection. If the switch has not enabled BPDU Protection, this is a finding.

Fix Text

Configure the switch to have BPDU Protection enabled on all user-facing or untrusted access switch interfaces. set protocols mstp bpdu-block-on-edge set protocols mstp interface <interface name> edge Note: Configuring BPDU Protection and Root Protection on the same interface is supported, but redundant because BPDU protection includes Root Protection.

Additional Identifiers

Rule ID: SV-253956r843901_rule

Vulnerability ID: V-253956

Group Title: SRG-NET-000362-L2S-000022

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002355

The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.
CCI-002385

The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-24 (2)

No User Or Process Identity
SC-5

Denial Of Service Protection