Title

The layer 2 switch must not use the default VLAN for management traffic. (Cat II impact)

Discussion

Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.

Check Content

Review the switch configuration and verify that the default VLAN is not used to access the switch for management. If the default VLAN is being used to access the switch, this is a finding.

Fix Text

Configure the switch for management access to use a VLAN other than the default VLAN.

Additional Identifiers

Rule ID: SV-206669r385561_rule

Vulnerability ID: V-206669

Group Title: SRG-NET-000512

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.