The RUCKUS ICX switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-273687 | RCKS-L2S-000190 | SV-273687r1110990_rule | CCI-000366 | medium |
| Description | ||||
| In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mismatched set of transmit/receive pairs. When such a physical misconfiguration occurs, protocols such as STP can cause network instability. UDLD is a layer 2 protocol that can detect these physical misconfigurations by verifying that traffic is flowing bidirectionally between neighbors. Ports with UDLD enabled periodically transmit packets to neighbor devices. If the packets are not echoed back within a specific time frame, the link is flagged as unidirectional and the interface is shut down. | ||||
| STIG | Date | |||
| RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide | 2025-06-03 | |||
Details
Check Text (C-273687r1110990_chk)
Review configuration for UDLD configuration ("link keep-alive").
Router# show link-keepalive
Total link-keepalive enabled ports: 4
Keepalive Retries: 3 Keepalive Interval: 1 Sec.
Port Physical Link Logical Link State Link-vlan
1/1/1 up up FORWARDING 3
1/1/2 up up FORWARDING
1/1/3 down down DISABLED
1/1/4 up down DISABLED
If UDLD is not configured to protect against one-way connections, this is a finding.
Fix Text (F-77683r1110083_fix)
Configure the switch to enable UDLD to protect against one-way connections.
1. On a port for untagged control packets:
Router(config)# link-keepalive ethernet 1/1/1
2. Optional trunk group:
Router(config)# link-keepalive ethernet 1/1/1 ethernet 1/1/2
Note: To receive and send UDLD control packets tagged with a specific VLAN ID:
Router(config)# link-keepalive ethernet 1/1/18 vlan 22