The IAO/NSO will ensure VLAN1 is not used for user VLANs.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3971 | NET-VLAN-004 | SV-3971r1_rule | DCCS-1 | Medium |
| Description |
|---|
| In a VLAN-based network, switches use VLAN1 as the default VLAN for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, VLAN 1 may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly. |
| STIG | Date |
|---|---|
| Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco | 2013-10-08 |
Details
| Check Text ( C-4028r1_chk ) |
|---|
| Review the switch configurations and verify that no access ports have been assigned membership to the VLAN 1. A good method of ensuring there is not membership to VLAN 1 is to have the following configured: interface VLAN1 no ip address shutdown This technique does not prevent switch control plane protocols such as CDP, DTP, VTP, and PAgP from using VLAN 1. A show vlan 1 command can be used to verify what ports are assigned to VLAN 1. |
| Fix Text (F-3904r1_fix) |
|---|
| Best practices for VLAN-based networks is to prune unnecessary ports from gaining access to VLAN1 as well as the management VLAN, and to separate in-band management, device protocol, and data traffic. |