Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-220667 | CISC-L2-000210 | SV-220667r539671_rule | Medium |
Description |
---|
It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member. |
STIG | Date |
---|---|
Cisco IOS XE Switch L2S Security Technical Implementation Guide | 2022-09-12 |
Check Text ( C-22382r507549_chk ) |
---|
Step 1: Review the switch configurations and examine all access switch ports. Each access switch port not in use should have membership to an inactive VLAN. interface GigabitEthernet0/0 switchport access vlan 999 shutdown ! interface GigabitEthernet0/1 switchport access vlan 999 shutdown … … … interface GigabitEthernet0/9 switchport access vlan 999 shutdown Step 2: Verify that traffic from the inactive VLAN is not allowed on any trunk links as shown in the example below: interface GigabitEthernet1/1 switchport trunk allowed vlan 1-998,1000-4094 switchport trunk encapsulation dot1q switchport mode trunk Note: Switch ports configured for 802.1x are exempt from this requirement. If there are any access switch ports not in use and not in an inactive VLAN, this is a finding. |
Fix Text (F-22371r507550_fix) |
---|
Assign all switch ports not in use to an inactive VLAN. Step 1: Assign the disabled interfaces to an inactive VLAN. SW3(config)#int range g0/0 – 9 SW3(config-if-range)# switchport access vlan 999 Step 2: Configure trunk links to not allow traffic from the inactive VLAN. SW3(config)#int g1/1 SW3(config-if)#switchport trunk allowed vlan except 999 |