Navigate

Check: SRG-NET-000512-L2S-000007

Layer 2 Switch SRG: SRG-NET-000512-L2S-000007 (in versions v2 r1 through v1 r1)

Title

The layer 2 switch must have all disabled switch ports assigned to an unused VLAN. (Cat II impact)

Discussion

It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.

Check Content

Review the switch configurations and examine all access switch ports. Each access switch port not in use should have membership to an inactive VLAN that is not used for any purpose and is not allowed on any trunk links. If there are any access switch ports not in use and not in an inactive VLAN, this is a finding. Note: Switch ports configured for 802.1x are exempt from this requirement.

Fix Text

Assign all switch ports not in use to an inactive VLAN. Note: Switch ports configured for 802.1x are exempt from this requirement.

Additional Identifiers

Rule ID: SV-206666r385561_rule

Vulnerability ID: V-206666

Group Title: SRG-NET-000512

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000366	The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
CM-6	Configuration Settings