The RUCKUS ICX switch must enable Unidirectional Link Detection (UDLD) to protect against one-way connections.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-273687 | RCKS-L2S-000190 | SV-273687r1110990_rule | CCI-000366 | medium |

Description

In topologies where fiber optic interconnections are used, physical misconnections can occur that allow a link to appear to be up when there is a mismatched set of transmit/receive pairs. When such a physical misconfiguration occurs, protocols such as STP can cause network instability. UDLD is a layer 2 protocol that can detect these physical misconfigurations by verifying that traffic is flowing bidirectionally between neighbors. Ports with UDLD enabled periodically transmit packets to neighbor devices. If the packets are not echoed back within a specific time frame, the link is flagged as unidirectional and the interface is shut down.

| STIG | Date |
|---|---|
| RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide | 2025-06-03 |
Related Frameworks

NIST 800-53 (1 mapping)
- CM-6 (1.00)
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (2 mappings)
- 3.4.1 (1.00)
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
- 3.4.2 (1.00)
  - DISA · V1R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
- CCI-000366 (1.00)
  - DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-273687r1110990_chk)
Review the configuration for UDLD ("link keep-alive"):

```
Router# show link-keepalive
Total link-keepalive enabled ports: 4
Keepalive Retries: 3   Keepalive Interval: 1 Sec.
Port   Physical Link   Logical Link   State        Link-vlan
1/1/1  up              up             FORWARDING   3
1/1/2  up              up             FORWARDING
1/1/3  down            down           DISABLED
1/1/4  up              down           DISABLED
```

A port whose physical link is up but whose logical link is down has been flagged by UDLD as unidirectional and disabled. If UDLD is not configured to protect against one-way connections, this is a finding.
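To automate this check across many switches, the following helper parses `show link-keepalive` output and reports both uplink ports that lack UDLD and ports UDLD has already disabled as one-way. It is an added example, not part of the STIG or of RUCKUS tooling; the sample output is constructed to mirror the layout shown above, and the list of required ports is an assumed input.

```python
"""Compliance helper for RCKS-L2S-000190: parse `show link-keepalive` output
from a RUCKUS ICX switch and report (a) required ports that lack UDLD
(link-keepalive) and (b) ports UDLD has already flagged as unidirectional."""
import re

# Constructed sample mirroring the check text's layout (not a real capture).
SAMPLE_OUTPUT = """\
Total link-keepalive enabled ports: 4
Keepalive Retries: 3 Keepalive Interval: 1 Sec.
Port  Physical Link  Logical Link  State       Link-vlan
1/1/1 up             up            FORWARDING  3
1/1/2 up             up            FORWARDING
1/1/3 down           down          DISABLED
1/1/4 up             down          DISABLED
"""

# One port row: port id, physical state, logical state, UDLD state, optional VLAN.
PORT_RE = re.compile(
    r"^(?P<port>\d+/\d+/\d+)\s+(?P<phys>up|down)\s+(?P<logical>up|down)"
    r"\s+(?P<state>[A-Z]+)(?:\s+(?P<vlan>\d+))?\s*$"
)

def parse_link_keepalive(text):
    """Return {port: {phys, logical, state, vlan}} for each port row."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["vlan"] = int(d["vlan"]) if d["vlan"] else None
            ports[d.pop("port")] = d
    return ports

def audit_udld(text, required_ports):
    """required_ports (assumed input): interfaces, e.g. fiber uplinks, that
    must run UDLD. Returns (missing, unidirectional): required ports with no
    link-keepalive row (a finding), and ports whose physical link is up while
    the logical link is down, i.e. UDLD detected a one-way connection."""
    ports = parse_link_keepalive(text)
    missing = sorted(p for p in required_ports if p not in ports)
    unidirectional = sorted(
        p for p, d in ports.items() if d["phys"] == "up" and d["logical"] == "down"
    )
    return missing, unidirectional

if __name__ == "__main__":
    miss, uni = audit_udld(SAMPLE_OUTPUT, ["1/1/1", "1/1/2", "1/1/4", "1/1/5"])
    print("Finding: UDLD not enabled on", miss or "none")
    print("UDLD-disabled (one-way) links:", uni or "none")
```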
Fix Text (F-77683r1110083_fix)
Configure the switch to enable UDLD to protect against one-way connections.

1. On a port, for untagged control packets:

```
Router(config)# link-keepalive ethernet 1/1/1
```

2. Optionally, on a trunk group:

```
Router(config)# link-keepalive ethernet 1/1/1 ethernet 1/1/2
```

Note: To receive and send UDLD control packets tagged with a specific VLAN ID:

```
Router(config)# link-keepalive ethernet 1/1/18 vlan 22
```