UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VLAN 1 must not be used for user VLANs.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3971 NET-VLAN-004 SV-3971r2_rule Medium
Description
In a VLAN-based network, switches use VLAN 1 as the default VLAN for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)--all untagged traffic. As a consequence, VLAN 1 may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
STIG Date
Infrastructure L3 Switch Security Technical Implementation Guide 2018-03-02

Details

Check Text ( C-4028r3_chk )
Review the device configuration and verify that access ports have not been assigned membership to the VLAN 1.

If any access ports are found in VLAN 1, this is a finding.
Fix Text (F-3904r2_fix)
Best practices for VLAN-based networks is to prune unnecessary ports from gaining access to VLAN 1 as well as the management VLAN, and to separate in-band management, device protocol, and data traffic.