The IAO/NSO will ensure disabled ports are placed in an unused VLAN (do not use VLAN1).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3973	NET-VLAN-002	SV-3973r1_rule	ECSC-1	Low

Description
It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.

STIG	Date
Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco	2013-10-08

Details

Check Text ( C-4035r1_chk )
Review the switch configurations and examine all interfaces. Each interface not in use should have membership to a VLAN that is not used for any other purpose. Below would be an example.interface FastEthernet0/5switchport mode accessswitchport access vlan 999shutdownFor older switches such as the Catalyst 1900, you would see something like the following:interface FastEthernet0/5vlan-membership static 999shutdown

Check Text ( C-4035r1_chk )

Review the switch configurations and examine all interfaces. Each interface not in use should have membership to a VLAN that is not used for any other purpose. Below would be an example.interface FastEthernet0/5switchport mode accessswitchport access vlan 999shutdownFor older switches such as the Catalyst 1900, you would see something like the following:interface FastEthernet0/5vlan-membership static 999shutdown

Fix Text (F-3906r1_fix)
Assign all disabled ports to an unused VLAN. Do not use VLAN1.