The Arista MLS switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.

An XCCDF Rule

Description

Spanning Tree Protocol (STP) does not provide any means for the network administrator to securely enforce the topology of the switched network. Any switch can be the root bridge in a network. However, a more optimal forwarding topology places the root bridge at a specific predetermined location. With the standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge. The administrator cannot enforce the position of the root bridge but can set the root bridge priority to 0 in an effort to secure the root bridge position.

ID: SV-255970r882252_rule
Version: ARST-L2-000050
Severity: Low
References: CCI-002385
Updated: 24 days ago

Remediation Templates

The Arista MLS switch must be configured for spanning-tree guard root mode on all ports connecting to the access layer interface.

Configure Arista MLS switch Ethernet interface with the following commands:

switch#config 
switch(config)interface Ethernet[X] switch(config-if-Et[X])#spanning-tree guard root
switch(config-if-Et[X])#exit 
!

The Arista MLS switch must have Root Guard enabled on all switch ports connecting to access layer switches and hosts.

Description

Remediation Templates

A Manual Procedure