Check: JUEX-L2-000080
Juniper EX Series Switches Layer 2 Switch STIG:
JUEX-L2-000080
(in versions v1 r2 through v1 r1)
Title
The Juniper EX switch must be configured to enable Root Protection on all interfaces connecting to access layer switches and hosts. (Cat III impact)
Discussion
Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge but can set the root bridge priority to 0 in an effort to secure the root bridge position. The Root Protection feature provides a way to enforce the root bridge placement in the network. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a Root Protection-enabled interface, Root Protection ignores the superior BPDU and places the interface into block and a root-inconsistent state. To enforce the position of the root bridge it is imperative that Root Protection is enabled on all interfaces where the root bridge should never appear.
Check Content
Review the switch topology as well as the switch configuration to verify that Root Protection is enabled on all interfaces connecting to access layer switches and hosts. [edit protocols] mstp { interface <interface name> { no-root-port; } } Note: Root Protection and Loop Protection are mutually exclusive and cannot be simultaneously configured on the same interface. If the switch has not enabled Root Protection on all interfaces connecting to access layer switches and hosts, this is a finding.
Fix Text
Configure the switch to have Root Protection enabled on all switch ports connecting to access layer switches and hosts using trunked interfaces. set protocols mstp interface <interface name> no-root-port Note: Root Protection and Loop Protection are mutually exclusive and cannot be simultaneously configured on the same interface.
Additional Identifiers
Rule ID: SV-253955r843898_rule
Vulnerability ID: V-253955
Group Title: SRG-NET-000362-L2S-000021
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002355 |
The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user. |
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |