STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The Cisco switch must have BPDU Guard enabled on all user-facing or untrusted access switch ports.

DISA Rule

SV-220656r539671_rule

Vulnerability Number

V-220656

Group Title

SRG-NET-000362-L2S-000022

Rule Version

CISC-L2-000100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that BPDU Guard is enabled on all user-facing or untrusted access switch ports as shown in the configuration example below:

SW1(config)#int range g0/0 - 9
SW1(config-if-range)#spanning-tree bpduguard enable

Note: BPDU guard can also be enabled globally on all Port Fast-enabled ports by using the spanning-tree portfast bpduguard default command.

Check Contents

Review the switch configuration to verify that BPDU Guard is enabled on all user-facing or untrusted access switch ports as shown in the configuration example below:

interface GigabitEthernet0/0
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 spanning-tree bpduguard enable



interface GigabitEthernet0/9
 spanning-tree bpduguard enable

If the switch has not enabled BPDU Guard, this is a finding.
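
The check above can be scripted against a saved running-config. The Python below is an added example, not part of the STIG or of any Cisco tooling, and it runs on a constructed sample configuration. Assumptions: user-facing ports are those configured with switchport mode access, and the global default only covers interfaces that carry their own spanning-tree portfast line.

```python
import re

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

GLOBAL_DEFAULT = "spanning-tree portfast bpduguard default"

def parse_config(config):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def bpdu_guard_findings(config):
    """Return access ports with no effective BPDU Guard (assumed user-facing)."""
    global_lines, interfaces = parse_config(config)
    global_default = GLOBAL_DEFAULT in global_lines
    findings = []
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # assumption: only access-mode ports are in scope
        explicit = "spanning-tree bpduguard enable" in cmds
        disabled = "spanning-tree bpduguard disable" in cmds
        portfast = any(re.fullmatch(r"spanning-tree portfast( edge)?", c) for c in cmds)
        if not (explicit or (global_default and portfast and not disabled)):
            findings.append(name)
    return findings
```

Each returned interface name is a port to review under this rule; ports the script cannot classify as access ports (for example, ones with no explicit switchport mode) still need a manual check.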

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4071
