Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3971 | NET-VLAN-004 | SV-3971r2_rule | Medium |
Description |
---|
In a VLAN-based network, switches use VLAN 1 as the default VLAN for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)--all untagged traffic. As a consequence, VLAN 1 may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly. |
STIG | Date |
---|---|
Infrastructure L3 Switch Security Technical Implementation Guide | 2018-03-02 |
Check Text ( C-4028r3_chk ) |
---|
Review the device configuration and verify that access ports have not been assigned membership to the VLAN 1. If any access ports are found in VLAN 1, this is a finding. |
Fix Text (F-3904r2_fix) |
---|
Best practices for VLAN-based networks is to prune unnecessary ports from gaining access to VLAN 1 as well as the management VLAN, and to separate in-band management, device protocol, and data traffic. |