Check: RCKS-L2S-000030
RUCKUS ICX Layer 2 Switch STIG: RCKS-L2S-000030 (in version v1 r1)
Title
The RUCKUS ICX switch must disable the Multiple VLAN Registration Protocol (MVRP). (Cat II impact)
Discussion
MVRP provides central management of VLAN domains, which reduces administration in a switched network. When a new VLAN is configured under MVRP, it is distributed to all switches in the domain, so the same VLAN does not have to be configured on every switch by hand. MVRP pruning preserves bandwidth by keeping VLAN traffic (unknown-unicast, broadcast, and multicast frames) off trunk links where it is not needed, that is, where no access ports on the neighboring switches belong to those VLANs. An attack on the protocol could grant unauthorized access to previously blocked VLANs or allow unauthorized switches to join the domain. MVRP offers no authentication mechanism that would reduce this risk.
Check Content
Review the switch configuration to verify whether MVRP is enabled:

    Router(config)#show mvrp
    No mvrp configuration found
    Router(config)

If the response to the show mvrp command indicates that MVRP is Enabled, this is a finding.
Fix Text
Configure the switch to disable Multiple VLAN Registration Protocol (MVRP).

1. Enter configuration mode:

    device1# configure terminal

2. Disable MVRP:

    Router(config)#no mvrp enable
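An added example (not part of the STIG or of RUCKUS tooling) that automates the check above: it evaluates captured "show mvrp" output and reports the rule status. The disabled sample reproduces the output quoted in the check; the enabled sample's wording is an assumption, since the STIG only says the output "indicates Enabled".

```python
import re

# Constructed sample of "show mvrp" on a switch with no MVRP configuration
# (matches the output quoted in the Check Content).
MVRP_DISABLED_OUTPUT = """Router(config)#show mvrp
No mvrp configuration found
Router(config)"""

# Constructed sample for an enabled switch; the exact wording is assumed,
# only the presence of "Enabled" is specified by the STIG.
MVRP_ENABLED_OUTPUT = """Router(config)#show mvrp
MVRP Status: Enabled
Router(config)"""


def mvrp_enabled(show_mvrp_output: str) -> bool:
    """Return True when the captured 'show mvrp' output indicates MVRP is enabled."""
    for line in show_mvrp_output.splitlines():
        low = line.strip().lower()
        if "no mvrp configuration found" in low:
            return False
        # Guard against lines such as "MVRP Status: Disabled" or "Not Enabled".
        if "disabled" in low or "not enabled" in low:
            continue
        if re.search(r"\benabled\b", low):
            return True
    return False


def evaluate_rcks_l2s_000030(show_mvrp_output: str) -> dict:
    """Map the check result to a STIG-style finding record for this rule."""
    enabled = mvrp_enabled(show_mvrp_output)
    return {
        "rule": "RCKS-L2S-000030",
        "vuln_id": "V-273674",
        "status": "Open" if enabled else "NotAFinding",
        # Remediation from the Fix Text; only relevant when the rule is Open.
        "fix": "configure terminal; no mvrp enable" if enabled else None,
    }


if __name__ == "__main__":
    for sample in (MVRP_DISABLED_OUTPUT, MVRP_ENABLED_OUTPUT):
        print(evaluate_rcks_l2s_000030(sample))
```

Feed it the saved output of "show mvrp" from each switch to produce one finding record per device.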
Additional Identifiers
Rule ID: SV-273674r1110977_rule
Vulnerability ID: V-273674
Group Title: SRG-NET-000168-L2S-000019
CCIs
Number | Definition
---|---
CCI-000803 | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Controls
Number | Title
---|---
IA-7 | Cryptographic Module Authentication