Check: SRG-NET-000512-L2S-000008
Layer 2 Switch SRG:
SRG-NET-000512-L2S-000008
(in versions v2 r1 through v1 r1)
Title
The layer 2 switch must not have the default VLAN assigned to any host-facing switch ports. (Cat II impact)
Discussion
In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
Check Content
Review the switch configurations and verify that no access switch ports have been assigned membership to the default VLAN (i.e., VLAN 1). A good method of ensuring there is not membership to the default VLAN is to have it disabled (i.e., shutdown) on the switch. This technique does not prevent switch control plane protocols such as CDP, DTP, VTP, and PAgP from using the default VLAN. If there are access switch ports assigned to the default VLAN, this is a finding.
Fix Text
Remove the assignment of the default VLAN from all access switch ports.
Additional Identifiers
Rule ID: SV-206667r385561_rule
Vulnerability ID: V-206667
Group Title: SRG-NET-000512
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |