STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-253956

CAT II (Medium)

The Juniper EX switch must be configured to enable BPDU Protection on all user-facing or untrusted access switch ports.

Rule ID

SV-253956r843901_rule

STIG

Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-002385

Discussion

If a rogue switch is introduced into the topology and transmits a Bridge Protocol Data Unit (BPDU) with a lower bridge priority than the existing root bridge, it will become the new root bridge and cause a topology change, rendering the network in a suboptimal state. BPDU Protection allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind interfaces that have BPDU Protection enabled are not able to influence the STP topology. At the reception of BPDUs, BPDU Protection disables the port and logs the condition.

Check Content

Review the switch configuration to verify that BPDU Protection is enabled on all user-facing or untrusted access switch interfaces.

BPDU Protection discards all BPDUs received on a configured interface and stops forwarding on that interface. In contrast, Root Protection discards only superior root BPDUs but accepts the remaining BPDU types. Verify that BPDU Protection (bpdu-block-on-edge) is configured, along with the edge interfaces where no BPDUs are expected.

[protocols]
mstp {
    bpdu-block-on-edge;
    interface <interface name> {
        edge;
    }
}
Note: Configuring BPDU Protection and Root Protection on the same interface is supported, but redundant because BPDU protection includes Root Protection.

If the switch has not enabled BPDU Protection, this is a finding.

Fix Text

Configure the switch to have BPDU Protection enabled on all user-facing or untrusted access switch interfaces.

set protocols mstp bpdu-block-on-edge
set protocols mstp interface <interface name> edge

Note: Configuring BPDU Protection and Root Protection on the same interface is supported, but redundant because BPDU protection includes Root Protection.
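The check and fix above can be scripted against a "show configuration | display set" export of the switch. The Python below is an added example written for this page; it is not part of the STIG, of DISA's checklist tooling, or of STIGhub. It assumes the export is in "display set" form, and it takes the list of user-facing or untrusted access ports as an input because the rule leaves that designation to the reviewer. The sample configuration lines and port list are constructed. It goes slightly beyond the rule text by also parsing the rstp stanza and by recognising the Junos "no-root-port" Root Protection knob, so that the redundancy described in the Note can be reported as informational output rather than as a finding.

```python
"""Script the V-253956 check against a Junos "show configuration | display set"
export: confirm bpdu-block-on-edge under the spanning-tree stanza and confirm
every designated user-facing access interface is configured as an edge port.

Added example for illustration; not part of the STIG or of STIGhub.
"""
import re
from dataclasses import dataclass

# Assumption: the configuration was exported in "display set" form.
# Only the rstp and mstp stanzas are parsed (vstp's per-VLAN stanzas are not).
STP_STANZAS = r"(?P<stp>rstp|mstp)"
BLOCK_RE = re.compile(rf"^set protocols {STP_STANZAS} bpdu-block-on-edge$")
IFACE_RE = re.compile(
    rf"^set protocols {STP_STANZAS} interface (?P<ifname>\S+) (?P<knob>.+)$"
)


@dataclass
class BpduCheckResult:
    bpdu_block_on_edge: bool          # bpdu-block-on-edge present in an STP stanza
    protected: list                   # designated access ports configured as edge
    unprotected: list                 # designated access ports lacking the edge knob
    redundant_root_protection: list   # edge ports that also carry no-root-port
    finding: bool                     # True when the rule is not satisfied


def parse_set_config(config_text):
    """Pull the STP facts this rule cares about out of 'display set' lines."""
    block_enabled = False
    edge_ifaces = set()
    root_protect_ifaces = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if BLOCK_RE.match(line):
            block_enabled = True
            continue
        m = IFACE_RE.match(line)
        if not m:
            continue
        knob = m.group("knob")
        if knob == "edge":
            edge_ifaces.add(m.group("ifname"))
        elif knob == "no-root-port":
            # Junos Root Protection knob; not part of this rule's own text.
            root_protect_ifaces.add(m.group("ifname"))
    return block_enabled, edge_ifaces, root_protect_ifaces


def check_bpdu_protection(config_text, access_interfaces):
    """Evaluate the rule. access_interfaces is the reviewer's list of
    user-facing or untrusted access ports (a judgement the STIG leaves to
    the reviewer, so it is an input here rather than inferred)."""
    block_enabled, edge, root_protect = parse_set_config(config_text)
    access = set(access_interfaces)
    protected = sorted(access & edge)
    unprotected = sorted(access - edge)
    redundant = sorted(edge & root_protect)
    # Finding if the global knob is missing or any designated port is not edge.
    finding = (not block_enabled) or bool(unprotected)
    return BpduCheckResult(block_enabled, protected, unprotected, redundant, finding)


def fix_commands(result, stp="mstp"):
    """Emit the Fix Text commands needed to close the gaps that were found."""
    cmds = []
    if not result.bpdu_block_on_edge:
        cmds.append(f"set protocols {stp} bpdu-block-on-edge")
    cmds.extend(f"set protocols {stp} interface {ifname} edge"
                for ifname in result.unprotected)
    return cmds


# Constructed sample export: one designated access port (ge-0/0/2) is missing
# 'edge', and ge-0/0/1 carries both BPDU Protection and Root Protection.
SAMPLE_CONFIG = """\
set protocols mstp bpdu-block-on-edge
set protocols mstp interface ge-0/0/0 edge
set protocols mstp interface ge-0/0/1 edge
set protocols mstp interface ge-0/0/1 no-root-port
set protocols mstp interface ge-0/0/47 no-root-port
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
"""

# Constructed: the ports the reviewer has designated as user-facing/untrusted.
ACCESS_PORTS = ["ge-0/0/0", "ge-0/0/1", "ge-0/0/2"]

if __name__ == "__main__":
    result = check_bpdu_protection(SAMPLE_CONFIG, ACCESS_PORTS)
    print("bpdu-block-on-edge:", result.bpdu_block_on_edge)
    print("protected:", result.protected)
    print("unprotected (FINDING):", result.unprotected)
    print("redundant root protection (informational):",
          result.redundant_root_protection)
    for cmd in fix_commands(result):
        print("fix:", cmd)
```

On the constructed sample the script reports ge-0/0/2 as unprotected (a finding) and emits the single "set protocols mstp interface ge-0/0/2 edge" command needed to close it; an export with no bpdu-block-on-edge at all is a finding regardless of which ports are marked edge, and the emitted fix then starts with the global knob. The "interface-mode access" line is deliberately ignored: which access ports count as untrusted is the reviewer's call, not something the configuration can decide on its own.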