Question | Command or method | Result | Remarks

Question: configured as edge ports?
Command or method: interface
Result: □ Not OK  □ Not related
Remarks: the display current-configuration interface command contains the "stp edged-port enable" string for ports connected to end-user devices. As a best practice, configure ports connected to end-user devices (PCs, for example) as edge ports, or disable the spanning tree feature on the ports.

Question: Is the spanning tree feature disabled on ports connected to devices that do not support spanning tree protocols?
Command or method: display current-configuration interface
Result: □ OK  □ Not OK  □ Not related
Remarks: Disable the spanning tree feature on ports connected to devices that do not support spanning tree protocols. Make sure the output from the display current-configuration interface command contains the "undo stp enable" string for these ports.
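
The two configuration checks above can be run over saved command output. The following is an added example, not part of the original checklist: the sample output is constructed, and the lists of end-user ports and of ports facing devices without spanning tree support are assumptions the auditor supplies.

```python
import re

# Constructed sample laid out like `display current-configuration interface`
# output (blocks separated by "#"); not captured from a real device.
SAMPLE = """\
#
interface GigabitEthernet1/0/1
 port access vlan 10
 stp edged-port enable
#
interface GigabitEthernet1/0/2
 port access vlan 10
#
interface GigabitEthernet1/0/3
 undo stp enable
#
interface GigabitEthernet1/0/4
 port access vlan 30
#
"""

EDGE, STP_OFF = "stp edged-port enable", "undo stp enable"  # strings from the checklist

def parse_interfaces(text):
    """Map each interface name to the list of its stripped config lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"interface\s+(\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif line in ("", "#"):
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def audit(text, end_user_ports, non_stp_ports):
    """Return (port, finding) pairs; port lists are supplied by the auditor."""
    blocks, findings = parse_interfaces(text), []
    for port in sorted(set(end_user_ports) | set(non_stp_ports)):
        lines = blocks.get(port)  # whole-line comparison below, not substring
        if lines is None:
            findings.append((port, "interface missing from output"))
        elif port in non_stp_ports and STP_OFF not in lines:
            findings.append((port, "spanning tree still enabled"))
        elif port in end_user_ports and EDGE not in lines and STP_OFF not in lines:
            findings.append((port, "neither edge port nor STP disabled"))
    return findings
```

Each returned pair corresponds to a "Not OK" result for that port; an empty list means both items pass for the ports supplied.
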

Question: Is the device running MSTP, STP, or RSTP, and working with a Cisco PVST+ device?
Command or method: display stp
Result: □ OK  □ Not OK  □ Not related
Remarks: As a best practice to avoid interoperability issues, set up a Layer 3 connection to the Cisco device.

Question: Do the topologies of MSTIs meet the design? Are there as few overlapping paths as possible among MSTIs?
Command or method: display current-configuration interface
Result: □ OK  □ Not OK  □ Not related
Remarks: If the topologies deviate from the design, reassign ports to VLANs and revise the VLAN and instance mappings. For optimal load balancing, plan VLANs and VLAN-to-instance mappings to minimize overlapping paths among different MSTIs.

Question: Does a TC attack exist to cause frequent STP status changes on any ports?
Command or method: display stp tc, display stp history
Result: □ OK  □ Not OK  □ Not related
Remarks: Examine the following items in the command output for TC attacks:
• Incoming and outgoing TC/TCN BPDU statistics.
• Historical port role calculation information.
There is a risk of TC attack if frequent STP status changes occur on a stable network.
Make sure you have configured the following settings:
• Configure ports connected to end-user devices as edge ports,