JUEX-L2-000090 - The Juniper EX switch must be configured to enable BPDU Protection on all user-facing or untrusted access switch ports.

Information

If a rogue switch is introduced into the topology and transmits a Bridge Protocol Data Unit (BPDU) with a lower bridge priority than the existing root bridge, it will become the new root bridge and cause a topology change, rendering the network in a suboptimal state. BPDU Protection allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind interfaces that have BPDU Protection enabled are not able to influence the STP topology. At the reception of BPDUs, BPDU Protection disables the port and logs the condition.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the switch to have BPDU Protection enabled on all user-facing or untrusted access switch interfaces.

set protocols mstp bpdu-block-on-edge
set protocols mstp interface <interface name> edge

Note: Configuring BPDU Protection and Root Protection on the same interface is supported, but redundant because BPDU protection includes Root Protection.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-253956r843901_rule, STIG-ID|JUEX-L2-000090, Vuln-ID|V-253956

Plugin: Juniper

Control ID: 2d651493ad869d0a2bf1e62b7c01b55e32162fe7840598c91e4c2bce83849c82