Check: RCKS-L2S-000210
RUCKUS ICX Layer 2 Switch STIG:
RCKS-L2S-000210
(in version v1 r1)
Title
The RUCKUS ICX switch must have all disabled switch ports assigned to an unused VLAN. (Cat II impact)
Discussion
It is possible that a disabled port assigned to a user or management VLAN is re-enabled by accident or by an attacker; whatever is then connected to that port gains access to the VLAN as a member.
Check Content
Review the switch configurations and examine all access switch ports. Each access switch port not in use must have membership to an inactive VLAN that is not used for any purpose and is not allowed on any trunk links.

1. Show the VLAN.

Router#show vlan 888
PORT-VLAN 888, Name [None], Priority level0, Off
 Untagged Ports: (U1/M1)   5   6   7   8   9  10  11  12  13  14  15  16
 Untagged Ports: (U1/M1)  17  18  19  20
   Tagged Ports: None
   Mac-Vlan Ports: None
 Monitoring: Disabled
SSH@ICX7550-48ZP-Router#

2. Confirm unused interfaces are disabled.

Router#show interface br ethernet 1/1/5 to 1/1/20
Port    Link     State  Dupl  Speed  Trunk  Tag  Pvid  Pri  MAC             Name
1/1/5   Disable  None   None  None   None   No   888   0    28b3.7129.8e5e
1/1/6   Disable  None   None  None   None   No   888   0    28b3.7129.8e5f
1/1/7   Disable  None   None  None   None   No   888   0    28b3.7129.8e60
1/1/8   Disable  None   None  None   None   No   888   0    28b3.7129.8e61
...

If unused ports are not disabled and assigned to an unused VLAN, this is a finding.
Fix Text
Assign all switch ports not in use to an inactive VLAN.

Create unused VLAN:

1. Configure the VLAN.

ICX(config)#vlan 888 name Unused_ports

2. Add unused ports to VLAN.

ICX(config-vlan-888)#untag ethernet 1/1/5 to 1/1/20
Added untagged port(s) ethernet 1/1/5 to 1/1/20 to port-vlan 888.

3. Shut down all unused ports.

ICX(config)#interface ethernet 1/1/5 to 1/1/20

4. Disable unused ports.

ICX(config-mif-1/1/5-1/1/20)#disable
ICX(config-mif-1/1/5-1/1/20)#

Alternative approach:

1. Configure default VLAN ID and view assigned ports.

ICX(config)# default-vlan-id 4095
ICX(config)# show vlan 4095
Total PORT-VLAN entries: 20
Maximum PORT-VLAN entries: 1024
Legend: [Stk=Stack-Id, S=Slot]
PORT-VLAN 4095, Name DEFAULT-VLAN, Priority level0, On
 Untagged Ports: (U1/M1)   5   6   7   8   9  10  11  12  13  14  15  16
 Untagged Ports: (U1/M1)  17  18  19  20
   Tagged Ports: None
   Mac-Vlan Ports: None
 Monitoring: Disabled

2. Disable displayed ports.

ICX(config)# interface ethernet 1/1/5 to 1/1/20
ICX(config-mif-1/1/5-1/1/20)# disable
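The Check Content and Fix Text above are manual CLI steps. The following is an added example, not part of the STIG or of any RUCKUS tooling, that automates the check: it parses captured `show interface brief` and `show vlan` output, takes the operator's inventory of unused ports as input, and reports each port that is not disabled or not in the unused VLAN, plus a VLAN-level finding if the unused VLAN is carried on any tagged (trunk) port. The sample outputs are constructed to match the column layout shown in the check; the column order and the `Tagged Ports:` line format are assumptions taken from that excerpt.

```python
import re
from dataclasses import dataclass

# Constructed sample output modelled on the 'show interface brief' excerpt in
# the Check Content. Columns assumed: Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name.
SHOW_INT_BRIEF = """\
Port   Link    State   Dupl Speed Trunk Tag Pvid Pri MAC            Name
1/1/1  Up      Forward Full 1G    None  No  10   0   28b3.7129.8e5a uplink-a
1/1/5  Disable None    None None  None  No  888  0   28b3.7129.8e5e
1/1/6  Disable None    None None  None  No  888  0   28b3.7129.8e5f
1/1/7  Up      None    None None  None  No  888  0   28b3.7129.8e60
1/1/8  Disable None    None None  None  No  1    0   28b3.7129.8e61
"""

# Constructed 'show vlan 888' output: compliant (no tagged ports) ...
SHOW_VLAN_888 = """\
PORT-VLAN 888, Name Unused_ports, Priority level0, Off
 Untagged Ports: (U1/M1)   5   6   7   8
   Tagged Ports: None
   Mac-Vlan Ports: None
 Monitoring: Disabled
"""

# ... and a constructed non-compliant variant where the VLAN rides a trunk port.
SHOW_VLAN_888_TRUNKED = SHOW_VLAN_888.replace(
    "Tagged Ports: None", "Tagged Ports: (U1/M1)  48")

# Operator-supplied inventory of ports that should be unused (constructed).
UNUSED_PORTS = {"1/1/5", "1/1/6", "1/1/7", "1/1/8"}
UNUSED_VLAN = 888

PORT_RE = re.compile(r"^\d+/\d+/\d+$")


@dataclass(frozen=True)
class Finding:
    port: str
    reason: str


def parse_interface_brief(text):
    """Map port id -> (Link, Pvid) from 'show interface brief' output."""
    ports = {}
    for line in text.splitlines():
        tok = line.split()
        # Skip the header and anything that is not a unit/slot/port row.
        if len(tok) < 8 or not PORT_RE.match(tok[0]):
            continue
        ports[tok[0]] = (tok[1], int(tok[7]))
    return ports


def vlan_tagged_ports(text):
    """Return the tagged port numbers listed in 'show vlan N' output ([] for 'None')."""
    for line in text.splitlines():
        m = re.match(r"\s*Tagged Ports:\s*(.*)$", line)
        if m:
            rest = m.group(1).strip()
            if rest == "None":
                return []
            # Drop the '(U1/M1)' unit/module prefix, keep the port numbers.
            return re.findall(r"\d+", re.sub(r"\([^)]*\)", "", rest))
    return []


def audit_unused_ports(int_brief, vlan_text, unused_ports, unused_vlan):
    """Return findings for unused ports that are enabled, wrongly assigned, or missing,
    and for an unused VLAN that is allowed on a trunk (tagged) port."""
    findings = []
    seen = parse_interface_brief(int_brief)
    for port in sorted(unused_ports, key=lambda p: tuple(int(x) for x in p.split("/"))):
        if port not in seen:
            findings.append(Finding(port, "port absent from 'show interface brief' output"))
            continue
        link, pvid = seen[port]
        if link != "Disable":
            findings.append(Finding(port, f"unused port is not disabled (Link={link})"))
        if pvid != unused_vlan:
            findings.append(Finding(port, f"unused port has Pvid {pvid}, expected {unused_vlan}"))
    tagged = vlan_tagged_ports(vlan_text)
    if tagged:
        findings.append(Finding(f"vlan {unused_vlan}",
                                "unused VLAN is carried on tagged ports: " + " ".join(tagged)))
    return findings


if __name__ == "__main__":
    for f in audit_unused_ports(SHOW_INT_BRIEF, SHOW_VLAN_888, UNUSED_PORTS, UNUSED_VLAN):
        print(f"FINDING {f.port}: {f.reason}")
```

Run against the constructed samples it reports 1/1/7 (still up) and 1/1/8 (Pvid 1 instead of 888); with the trunked VLAN variant it adds a VLAN-level finding, which covers the "not allowed on any trunk links" clause of the check that a per-port review alone would miss.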
Additional Identifiers
Rule ID: SV-273688r1111017_rule
Vulnerability ID: V-273688
Group Title: SRG-NET-000512-L2S-000007
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings