Rule ID
SV-273677r1111058_rule
Version
V1R1
CCIs
Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge but can set the root bridge priority to 0 to secure the root bridge position. The root guard feature provides a way to enforce the root bridge placement in the network. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state and no traffic can be forwarded across this port while it is in this state. To enforce the position of the root bridge it is imperative that root guard is enabled on all ports where the root bridge should never appear.
Review port configuration to verify that Root Protect is enabled on ports connecting to access layer switches and hosts. interface ethernet x/x/x spanning-tree root-protect If Root Protect is not configured on ports connecting to access layer switches and hosts, this is a finding.
Configure ports connected to access switches and hosts to have Root Protect enabled. ICX(config--if-e1000-x/x/x)# spanning-tree root-protect