VLAN 1 must not be used for user VLANs.

From Perimeter L3 Switch Security Technical Implementation Guide

Part of VLAN 1 is being used as a user VLAN.

SV-3971r2_rule VLAN 1 must not be used for user VLANs.

Vulnerability discussion

In a VLAN-based network, switches use VLAN 1 as the default VLAN for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)--all untagged traffic. As a consequence, VLAN 1 may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.

Check content

Review the device configuration and verify that access ports have not been assigned membership to the VLAN 1. If any access ports are found in VLAN 1, this is a finding.

Fix text

Best practices for VLAN-based networks is to prune unnecessary ports from gaining access to VLAN 1 as well as the management VLAN, and to separate in-band management, device protocol, and data traffic.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer