Check: RCKS-L2S-000240
RUCKUS ICX Layer 2 Switch STIG (version v1 r1)
Title
The RUCKUS ICX switch must not use the default VLAN for management traffic. (Cat II impact)
Discussion
Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. Therefore, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
Check Content
Review the switch configuration to confirm that a management VLAN is designated and that it is not VLAN 1.

!
vlan 235 name mgmt-vlan
 tagged ethernet 1/2/1
!

If the management VLAN is the same as the default VLAN or VLAN 1, this is a finding.
Fix Text
Configure a VLAN specifically for management use:

device(config)# vlan 235 name mgmt-vlan
device(config-vlan-235)# tag ethernet 1/2/1
device(config-vlan-235)# interface ve 235
device(config-vif-235)# ip addr x.x.x.x/x

Note: For L2 images prior to release 10.0, the management VLAN can be configured per the example below. The default-gateway statement sets a metric of 1.

device(config)# vlan 235 name mgmt-vlan
device(config-vlan-235)# tag ethernet 1/2/1
device(config-vlan-235)# management-vlan
device(config-vlan-235)# default-gateway x.x.x.x 1
device(config-vlan-235)# exit
device(config)# ip addr x.x.x.x/x
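As an added example (not part of the STIG and not a RUCKUS tool), the check above can be automated against a saved running-config: the script below finds every VLAN that carries in-band management (a VLAN flagged `management-vlan` on pre-10.0 images, or a VLAN whose virtual interface has an `ip address`) and reports a finding when one of them is VLAN 1 or the configured default VLAN. It assumes the ICX `default-vlan-id` global command and `router-interface ve` binding syntax, and that an unbound `ve N` sits on VLAN N; the sample config is constructed.

```python
import re

# Constructed sample running-config (not captured from a real device). The
# in-band IP sits on ve 1, i.e. on the default VLAN, which is what the check flags.
SAMPLE_CONFIG = """\
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
!
vlan 235 name mgmt-vlan by port
 tagged ethernet 1/2/1
!
interface ve 1
 ip address 192.0.2.10/24
!
"""

def management_vlans(config):
    """Return (default_vlan_id, {VLAN ids that carry management traffic})."""
    default_vlan = 1          # ICX default unless overridden (assumed command below)
    ve_to_vlan = {}           # ve id -> VLAN it is bound to via router-interface
    mgmt = set()
    vlan = ve = None          # current configuration context
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":
            vlan = ve = None
        elif (m := re.fullmatch(r"default-vlan-id (\d+)", line)):
            default_vlan = int(m.group(1))
        elif (m := re.match(r"vlan (\d+)", line)):
            vlan, ve = int(m.group(1)), None
        elif (m := re.match(r"interface ve (\d+)", line)):
            ve, vlan = int(m.group(1)), None
        elif vlan is not None and (m := re.fullmatch(r"router-interface ve (\d+)", line)):
            ve_to_vlan[int(m.group(1))] = vlan
        elif vlan is not None and line == "management-vlan":   # pre-10.0 L2 image form
            mgmt.add(vlan)
        elif ve is not None and line.startswith("ip address"):  # in-band IP on a ve
            mgmt.add(ve_to_vlan.get(ve, ve))  # assumption: unbound ve N is on VLAN N
    return default_vlan, mgmt

def check_rcks_l2s_000240(config):
    """Return the offending VLAN ids; an empty list means no finding."""
    default_vlan, mgmt = management_vlans(config)
    return sorted(v for v in mgmt if v == 1 or v == default_vlan)

if __name__ == "__main__":
    bad = check_rcks_l2s_000240(SAMPLE_CONFIG)
    print("finding: management on VLAN(s) %s" % bad if bad else "compliant")
```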
Additional Identifiers
Rule ID: SV-273691r1111060_rule
Vulnerability ID: V-273691
Group Title: SRG-NET-000512-L2S-000010
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings