Title

The Juniper EX switch must not use the default VLAN for management traffic. (Cat II impact)

Discussion

By default, all unassigned interfaces are placed into the default VLAN and if used for management, could unintentionally expose sensitive traffic or protected resources to unauthorized devices.

Check Content

Review the switch configuration and verify that the default VLAN is not used to access the switch for management. Verify access interfaces used for management are assigned to an appropriate VLAN as in the example below. [edit interfaces] <interface name> { unit 0 { family ethernet-switching { interface-mode access; vlan { members <vlan name>; } } } } If the default VLAN is being used to access the switch, this is a finding.

Fix Text

Configure the switch for management access to use a VLAN other than the default VLAN. set interfaces <interface name> unit 0 family ethernet-switching interface-mode access set interfaces <interface name> unit 0 family ethernet-switching vlan members <vlan name>

Additional Identifiers

Rule ID: SV-253969r843940_rule

Vulnerability ID: V-253969

Group Title: SRG-NET-000512-L2S-000010

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.