Check: CACI-L2-000016
Cisco ACI Layer 2 Switch STIG:
CACI-L2-000016
(in version v1 r0.1)
Title
The Cisco ACI layer 2 switch, for all 802.1q trunk links, must have the native VLAN assigned to an ID other than the default VLAN. (Cat II impact)
Discussion
VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim's MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim's switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame on to the trunk link unaware of the inner tag with a VLAN ID of which the victim's switch port is a member.
Check Content
Review the switch configurations and examine all trunk links. Verify the native VLAN has been configured to a VLAN ID other than the ID of the default VLAN (i.e., VLAN 1) as shown in the example below:

apic1(config)# show vlan dot1q tag native

or

apic1(config)# show interface

If the native VLAN has the same VLAN ID as the default VLAN, this is a finding.
Fix Text
To ensure the integrity of the trunk link and prevent unauthorized access, the ID of the native VLAN of the trunk port must be changed from the default VLAN (i.e., VLAN 1) to its own unique VLAN ID.

apic1# configure terminal
apic1(config)# interface <interface name>
apic1(config-if)# vlan dot1q tag native

or

apic1# configure terminal
apic1(config)# interface <interface name>
apic1(config-if)# switchport trunk native vlan <vlan-id>

Note: An alternative to configuring a dedicated native VLAN is to ensure all native VLAN traffic is tagged. This will mitigate the risk of VLAN hopping because there will always be an outer tag for native traffic as it traverses an 802.1q trunk link.

Note: The native VLAN ID must be the same on both ends of the trunk link; otherwise, traffic could accidentally leak between broadcast domains.
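The Check Content and Fix Text above describe a manual review of every trunk; the following added audit script (not part of the STIG or of Cisco's tooling) applies the same rule to a saved configuration, flagging trunks whose native VLAN is still the default and honoring the tagged-native-VLAN alternative from the note. The configuration text is a constructed sample in NX-OS-style syntax inferred from the quoted commands, not verbatim ACI output.

```python
import re
DEFAULT_VLAN = 1  # a trunk's native VLAN must not be the default VLAN (CACI-L2-000016)
# Constructed sample config; NX-OS-style syntax assumed from the Fix Text commands.
SAMPLE_CONFIG = """\
interface Ethernet1/1
  switchport mode trunk
  switchport trunk native vlan 999
interface Ethernet1/2
  switchport mode trunk
interface Ethernet1/3
  switchport mode trunk
  switchport trunk native vlan 1
interface Ethernet1/4
  switchport mode access
interface Ethernet1/5
  switchport mode trunk
  vlan dot1q tag native
"""

def parse_interfaces(config):
    """Group indented lines under their 'interface <name>' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface\s+(\S+)\s*$", raw)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and raw.startswith(" ") and raw.strip():
            stanzas[current].append(raw.strip())
    return stanzas

def audit_native_vlan(config):
    """Return (interface, native_vlan) for each trunk whose native VLAN is the default
    (set explicitly or left unset) and whose native traffic is not tagged."""
    # An unindented 'vlan dot1q tag native' is treated as a switch-wide setting.
    tag_native_globally = "vlan dot1q tag native" in config.splitlines()
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue  # access ports have no 802.1q trunk native VLAN to check
        native, tagged = DEFAULT_VLAN, tag_native_globally
        for line in lines:
            m = re.match(r"^switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
            elif line == "vlan dot1q tag native":
                tagged = True  # the alternative mitigation from the Fix Text note
        if native == DEFAULT_VLAN and not tagged:
            findings.append((name, native))
    return findings
```

Running `audit_native_vlan(SAMPLE_CONFIG)` reports Ethernet1/2 (native VLAN left unset, so VLAN 1) and Ethernet1/3 (VLAN 1 set explicitly); Ethernet1/5 is not reported because its native traffic is tagged.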
Additional Identifiers
Rule ID: SV-272044r1064447_rule
Vulnerability ID: V-272044
Group Title: SRG-NET-000512-L2S-000012
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings