The RUCKUS ICX switch must implement Rapid Spanning Tree Protocol (STP) where VLANs span multiple switches with redundant links.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-273686 | RCKS-L2S-000180 | SV-273686r1110989_rule | CCI-000366 | medium |

Description

STP is implemented on bridges and switches to prevent layer 2 loops when a broadcast domain spans multiple bridges and switches and when redundant links are provisioned to provide high availability in case of link failures. Convergence time can be significantly reduced using Rapid STP (802.1w) instead of STP (802.1d), resulting in improved availability. Rapid STP should be deployed by implementing either Rapid Per-VLAN-Spanning-Tree (Rapid-PVST) or Multiple Spanning-Tree Protocol (MSTP); the latter scales much better when there are many VLANs.

| STIG | Date |
|---|---|
| RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide | 2025-06-03 |
Related Frameworks (4 paths across 3 frameworks)

NIST 800-53 (1 mapping)
- CM-6 (1.00)
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (2 mappings)
- 3.4.1 (1.00)
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
- 3.4.2 (1.00)
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
- CCI-000366 (1.00)
  - DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-273686r1110989_chk)
Review the configuration for VLANs that are not set for 802.1w (Rapid Spanning Tree). A compliant VLAN block looks like this:

vlan 10 name testing by port
 tagged ethernet 1/1/17
 untagged ethernet 1/1/18
 spanning-tree 802-1w
!

If 802.1w is not configured on VLANs that span multiple switches with redundant links, this is a finding.
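The review above is easy to automate against a saved running-config. The following is an added example (not part of the STIG or RUCKUS's own tooling) that walks each `vlan` block, records whether it carries a `spanning-tree 802-1w` line, and lists the VLANs that do not; VLANs with tagged ports are reported separately because a tagged port is the usual sign that the VLAN is trunked to another switch. The config excerpt is constructed for the example, and whether a flagged VLAN actually spans switches with redundant links is still a judgement for the reviewer.

```python
"""Flag RUCKUS ICX VLAN blocks that lack 'spanning-tree 802-1w'."""
import re

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
vlan 1 name DEFAULT-VLAN by port
!
vlan 10 name testing by port
 tagged ethernet 1/1/17
 untagged ethernet 1/1/18
 spanning-tree 802-1w
!
vlan 20 name servers by port
 tagged ethernet 1/1/17 ethernet 1/1/19
 untagged ethernet 1/1/20
 spanning-tree
!
vlan 30 name mgmt by port
 untagged ethernet 1/1/21
!
"""

VLAN_RE = re.compile(r"^vlan\s+(\d+)(?:\s+name\s+(\S+))?", re.IGNORECASE)
# Matches 'spanning-tree 802-1w' with or without trailing options (e.g. 'priority 256');
# a bare 'spanning-tree' (legacy 802.1d) deliberately does not match.
RSTP_RE = re.compile(r"^spanning-tree\s+802-1w(\s+.*)?$", re.IGNORECASE)

def parse_vlans(config):
    """Return {vlan_id: {"name": str, "tagged": [ports], "rstp": bool}}."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:  # start of a new vlan block
            current = vlans.setdefault(int(m.group(1)),
                                       {"name": m.group(2) or "", "tagged": [], "rstp": False})
        elif line == "!":  # end of the current block
            current = None
        elif current is not None and line.startswith("tagged "):
            # Port ranges ('1/1/1 to 1/1/4') are not expanded; only listed endpoints are kept.
            current["tagged"] += re.findall(r"\d+/\d+/\d+", line)
        elif current is not None and RSTP_RE.match(line):
            current["rstp"] = True
    return vlans

def vlans_without_rstp(config):
    """All VLAN IDs whose block has no 'spanning-tree 802-1w' line."""
    return sorted(v for v, d in parse_vlans(config).items() if not d["rstp"])

def trunked_vlans_without_rstp(config):
    """Subset of the above that also carries tagged ports, i.e. likely spans switches."""
    return sorted(v for v, d in parse_vlans(config).items() if not d["rstp"] and d["tagged"])
```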
Fix Text (F-77682r1110080_fix)
Configure Rapid STP at the access and distribution layers where VLANs span multiple switches.

VLAN:

Router# configure terminal
Router(config)# vlan 10
Router(config-vlan-10)# spanning-tree 802-1w
Router(config-vlan-10)# spanning-tree 802-1w priority 256

Optional per port:

Router# configure terminal
Router(config)# interface ethernet 1/1/1
Router(config-if-e2500-1/1/1)# spanning-tree 802-1w admin-pt2pt-mac

or

Router(config-if-e2500-1/1/1)# spanning-tree 802-1w admin-edge-port