Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The IAO/NSO will ensure disabled ports are placed in an unused VLAN (do not use VLAN1).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3973 | NET-VLAN-002 | SV-3973r1_rule | ECSC-1 | Low |
| Description |
|---|
| It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member. |
| STIG | Date |
|---|---|
| Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco | 2013-10-08 |
Details
| Check Text ( C-4035r1_chk ) |
|---|
| Review the switch configurations and examine all interfaces. Each interface not in use should have membership to a VLAN that is not used for any other purpose. Below would be an example.interface FastEthernet0/5switchport mode accessswitchport access vlan 999shutdownFor older switches such as the Catalyst 1900, you would see something like the following:interface FastEthernet0/5vlan-membership static 999shutdown |
| Fix Text (F-3906r1_fix) |
|---|
| Assign all disabled ports to an unused VLAN. Do not use VLAN1. |