Check: RCKS-L2S-000100
RUCKUS ICX Layer 2 Switch STIG: RCKS-L2S-000100 (in version v1 r1)
Title
The RUCKUS ICX switch must have Bridge Protocol Data Unit (BPDU) Guard enabled on all user-facing or untrusted access switch ports. (Cat II impact)
Discussion
An example is a firewall that blocks all traffic rather than allowing all traffic when a firewall component fails (e.g., fail closed and do not forward traffic). This prevents an attacker from forcing a failure of the system to obtain access. Abort refers to stopping a program or function before it has finished naturally. The term abort refers to both requested and unexpected terminations.
Check Content
Review switch port configuration on all untrusted access ports.

```
!
interface ethernet x/x/x
 spanning-tree root-protect
 stp-bpdu-guard
!
```

If untrusted access switch ports are not configured for BPDU Guard, this is a finding.
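The review above can be automated against a saved `show running-config`. The following is an added example, not part of the STIG or of any RUCKUS tooling; it assumes the reviewer supplies the set of user-facing/untrusted ports and that each interface stanza ends with `!` as in the check text. The sample config is constructed.

```python
import re

# Constructed sample running-config for illustration (not from a real switch).
SAMPLE_CONFIG = """\
!
interface ethernet 1/1/1
 port-name user-desk-101
 spanning-tree root-protect
 stp-bpdu-guard
!
interface ethernet 1/1/2
 port-name user-desk-102
 spanning-tree root-protect
!
interface ethernet 1/1/48
 port-name uplink-to-core
!
"""

STANZA_RE = re.compile(r"^interface (ethernet \S+)$")


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface ethernet x/x/x' stanza (ended by '!') to its lines."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":            # '!' closes the current stanza
            current = None
            continue
        m = STANZA_RE.match(line)
        if m:                      # new interface stanza begins
            current = m.group(1)
            stanzas[current] = []
        elif current is not None:  # body line of the open stanza
            stanzas[current].append(line)
    return stanzas


def bpdu_guard_findings(config: str, untrusted_ports: set[str]) -> list[str]:
    """Return the untrusted access ports that lack 'stp-bpdu-guard' (findings).

    A port absent from the config is also a finding: nothing protects it.
    """
    stanzas = parse_interfaces(config)
    return [port for port in sorted(untrusted_ports)
            if "stp-bpdu-guard" not in stanzas.get(port, [])]
```

An empty result for the reviewer's port list means no finding for this check; any port returned is a finding to record.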
Fix Text
Configure BPDU Guard on the switch port:

1. Global Config mode: `Router# configure terminal`
2. Interface level mode: `Router(config)# interface ethernet 1/1/1`
3. Implement stp-bpdu-guard: `Router(config-if-e1000-1/1/1)# stp-bpdu-guard`
4. Save: `Router# write memory`
Additional Identifiers
Rule ID: SV-273678r1110981_rule
Vulnerability ID: V-273678
Group Title: SRG-NET-000362-L2S-000022
CCIs
Number | Definition
---|---
CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events.
Controls
Number | Title
---|---
SC-5 | Denial of Service Protection