
The Cisco switch must not use the default VLAN for management traffic.


Overview

Finding ID: V-101257
Version: CISC-L2-000240
Rule ID: SV-110361r1_rule
IA Controls: 
Severity: Medium
Description
Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
STIG: Cisco NX-OS Switch L2S Security Technical Implementation Guide
Date: 2020-05-07

Details

Check Text ( C-100137r1_chk )
Review the switch configuration and verify that the default VLAN is not used to access the switch for management.

interface Vlan1

interface Vlan44
  description Management VLAN
  ip address 10.1.12.1/24

If the default VLAN is being used for management access to the switch, this is a finding.
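An added automated version of this check, not part of the STIG or of any Cisco tooling: the Python below parses a constructed NX-OS running-config sample into interface blocks and reports a finding when interface Vlan1 carries an IP address, which is how in-band management lands on the default VLAN. The sample configuration and the function names are assumptions.

```python
import re

# Constructed sample of "show running-config" output (not from the STIG page):
# a management SVI mistakenly addressed on VLAN 1 next to a dedicated VLAN 44.
SAMPLE_CONFIG = """\
hostname SW1
feature interface-vlan
vlan 1,44
interface Vlan1
  ip address 10.1.1.1/24
  no shutdown
interface Vlan44
  description Management VLAN
  ip address 10.1.12.1/24
  no shutdown
interface Ethernet1/1
  switchport access vlan 44
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from NX-OS running-config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented line belongs to block
        else:
            current = None  # a top-level command ends the interface block
    return interfaces


def check_default_vlan_management(config):
    """CISC-L2-000240: finding if the VLAN 1 SVI has an IP address. Returns (is_finding, detail)."""
    interfaces = parse_interfaces(config)
    vlan1 = next((v for k, v in interfaces.items() if k.lower() == "vlan1"), None)
    if vlan1 is None:
        return False, "no SVI configured for VLAN 1"
    addrs = [c for c in vlan1 if re.match(r"^ip(v6)? address\s", c)]
    if addrs:
        return True, "VLAN 1 SVI is addressed for management: " + "; ".join(addrs)
    return False, "interface Vlan1 present but carries no IP address"
```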
Fix Text (F-106961r1_fix)
Configure the switch for management access to use a VLAN other than the default VLAN.

SW1(config)# interface vlan 44
SW1(config-if)# ip add 10.1.12.1/24
SW1(config-if)# end