The layer 2 switch must not have the default VLAN assigned to any host-facing switch ports.

From Layer 2 Switch Security Requirements Guide

Part of SRG-NET-000512

Associated with: CCI-000366

SV-76693r1_rule The layer 2 switch must not have the default VLAN assigned to any host-facing switch ports.

Vulnerability discussion

In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.

Check content

Review the switch configurations and verify that no access switch ports have been assigned membership to the default VLAN (i.e., VLAN 1). A good method of ensuring there is not membership to the default VLAN is to have it disabled (i.e., shutdown) on the switch. This technique does not prevent switch control plane protocols such as CDP, DTP, VTP, and PAgP from using the default VLAN. If there are access switch ports assigned to the default VLAN, this is a finding.

Fix text

Remove the assignment of the default VLAN from all access switch ports.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer