Spanning Tree: enable root-guard

Information

Root-guard is a feature that can be deployed to prevent an attacker from spoofing their system as the root bridge by sending announcements with a lower bridge priority and so becoming the root. The 'root-guard' feature allows an operator to block certain interfaces from becoming the root. This could be enabled, for example, on customer-facing (untrusted) SAPs.

Solution

Run the following command on the device to configure root-guard: configure service vpls sap stp root-guard
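
An offline check for this setting, as an added example that is not part of the original audit item or the vendor documentation: it scans a saved configuration for VPLS SAPs that have no root-guard under stp. The sample configuration is constructed, and the indentation-based layout and the function name are assumptions.

```python
import re

# Constructed sample in the style of an SR OS classic-CLI config dump (not from a real device).
SAMPLE_CONFIG = """\
vpls 100 customer 1 create
    stp
        no shutdown
    exit
    sap 1/1/1:100 create
        stp
            root-guard
        exit
    exit
    sap 1/1/2:100 create
        stp
            no root-guard
        exit
    exit
    sap 1/1/3:100 create
    exit
exit
"""

def saps_missing_root_guard(config_text):
    """Return (vpls_id, sap_id) pairs whose SAP has no 'root-guard' under stp."""
    stack = []    # open contexts as (indent, keyword, identifier)
    guarded = {}  # (vpls_id, sap_id) -> True once root-guard is seen
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        # Drop contexts this line is no longer nested inside (also handles 'exit').
        while stack and stack[-1][0] >= indent:
            stack.pop()
        m = re.match(r"(vpls|sap)\s+(\S+)", line)
        if m:
            stack.append((indent, m.group(1), m.group(2)))
        elif line == "stp":
            stack.append((indent, "stp", None))
        kinds = [c[1] for c in stack]
        if m and kinds[-2:] == ["vpls", "sap"]:
            guarded[(stack[-2][2], stack[-1][2])] = False  # default: unguarded
        elif line == "root-guard" and kinds[-3:] == ["vpls", "sap", "stp"]:
            guarded[(stack[-3][2], stack[-2][2])] = True
    return [sap for sap, ok in guarded.items() if not ok]

if __name__ == "__main__":
    for vpls_id, sap_id in saps_missing_root_guard(SAMPLE_CONFIG):
        print(f"vpls {vpls_id} sap {sap_id}: root-guard not configured")
```

The VPLS-level stp block in the sample is ignored on purpose, since root-guard is a per-SAP setting in the command path above.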

See Also

https://infoproducts.alcatel-lucent.com/aces/cgi-bin/dbaccessfilename.cgi/9305050101_V1_SR-OS Security Best Practices v2.0.pdf

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: Alcatel

Control ID: f822fa815923a0c89ec1fcc42318472c2e64cd9e93c94ea38689101ff73c63ec