An error occurred:

Check: RCKS-L2S-000110

RUCKUS ICX Layer 2 Switch STIG: RCKS-L2S-000110 (in version v1 r1)

Title

The RUCKUS ICX switch must have Spanning Tree Protocol (STP) Loop Detect enabled on all nondesignated STP switch ports (Cat II impact)

Discussion

The STP loop Detect feature provides additional protection against STP loops. An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. In its operation, STP relies on continuous reception and transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the nondesignated port receives BPDUs. When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop-free. Eventually, the blocking port from the alternate or backup port becomes a designated port and moves to a forwarding state. This situation creates a loop. The loop detect feature makes additional checks. If BPDUs are not received on a nondesignated port and loop detect is enabled, that port is moved into the STP loop-inconsistent blocking state.

Check Content

Review the switch configuration to verify that STP Loop Detect is enabled. Verify: ICX7150-24P Switch#show run ! vlan 10 by port tagged ethernet 1/1/1 to 1/1/2 ethernet 1/1/5 ethernet 1/1/7 ethernet 1/1/9 ethernet 1/1/11 spanning-tree loop-detection ! If STP Loop Detect is not configured globally or on nondesignated STP ports, this is a finding.

Fix Text

Configure the switch to have STP Loop Detect enabled globally or at a minimum on all nondesignated STP switch ports. 1. Configure loop detect. ICX7150-24P Switch#configure terminal ICX7150-24P Switch(config)#vlan 10 ICX7150-24P Switch(config-vlan-10)# ICX7150-24P Switch(config-vlan-10)#loop-detection 2. Save. Router#write memory Optional by Port Level: Optionally Apply on Interface: device(config)# interface ethernet 1/1/1 device(config-if-e1000-1/1/1)# loop-detection

Additional Identifiers

Rule ID: SV-273679r1110982_rule

Vulnerability ID: V-273679

Group Title: SRG-NET-000362-L2S-000023

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002385

Protect against or limit the effects of organization-defined types of denial-of-service events.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-5

Denial of Service Protection