
The Juniper EX switch must be configured to assign all disabled access interfaces to an unused VLAN.


Overview

Finding ID: V-253966
Version: JUEX-L2-000190
Rule ID: SV-253966r843931_rule
IA Controls: (not listed)
Severity: Medium
Description
A disabled access interface that is still assigned to a user or management VLAN can be re-enabled, by accident or by an attacker, and whatever is then plugged into it immediately becomes a member of that VLAN.
STIG: Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
Date: 2022-08-31

Details

Check Text ( C-57418r843929_chk )
Review the switch configuration and examine all access interfaces. Each access interface not in use must be a member of an inactive VLAN that is not used for any other purpose and is not allowed on any trunk link.

Verify a VLAN is configured for unused interfaces.
[edit vlans]
vlan_disabled {
    vlan-id <vlan-id>;
}

Verify disabled interfaces are assigned to the unused VLAN, either individually or via an "interface-range". Verify that interfaces configured via "interface-range" are not also configured individually, since an individual stanza can add VLAN membership on top of what the range assigns.
Multiple interfaces configured at once via interface-range:
[edit interfaces]
interface-range <range-name> {
    member <interface-name>;
    member-range <interface-name> to <interface-name>;   <<< member ranges are contiguous from the first interface to the last, inclusive
    disable;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan_disabled;
            }
        }
    }
}

Individually configured:
[edit interfaces]
<interface-name> {
    disable;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan_disabled;
            }
        }
    }
}

In this example, "vlan_disabled" is designated for all unused interfaces and must not be configured on any trunked interface. Verify that the unused VLAN is NOT a member of any trunked interface; the configuration below shows the non-compliant case, where vlan_disabled has been added to a trunk's member list.
[edit interfaces]
<interface-name> {
    unit <unit-number> {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name vlan_disabled ];
            }
        }
    }
}
If there are any access interfaces not in use and not in an inactive VLAN, this is a finding.

Note: Access interfaces configured for 802.1x are exempt from this requirement.
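The check above can be automated against a saved `show configuration | display set` capture. The script below is an added example, not part of the STIG or of any Juniper tooling. It assumes the unused VLAN is named vlan_disabled, that a member-range spans only the trailing port number within one FPC/PIC (ge-0/0/21 to ge-0/0/23), and that 802.1x-enabled ports appear under `protocols dot1x authenticator interface`; the sample configuration embedded in it is constructed, not captured from a real device.

```python
"""Audit Junos EX 'show configuration | display set' output for JUEX-L2-000190.
Added example, not part of the STIG: flags disabled access interfaces that are
not solely in the unused VLAN, the unused VLAN on any trunk, and interface-range
members that are also configured individually. 802.1x interfaces are exempt."""
import re
from collections import defaultdict

UNUSED_VLAN = "vlan_disabled"  # assumed name; any legal VLAN name works

# Constructed sample 'display set' output, not from a real device.
# ge-0/0/5 and ge-0/0/7 are disabled but left in 'users' (ge-0/0/7 runs 802.1x),
# ge-0/0/20..23 are disabled via a range but ge-0/0/22 also gets 'mgmt'
# individually, and trunk ge-0/0/47 carries vlan_disabled.
SAMPLE_CONFIG = """
set vlans vlan_disabled vlan-id 999
set interfaces interface-range unused member ge-0/0/20
set interfaces interface-range unused member-range ge-0/0/21 to ge-0/0/23
set interfaces interface-range unused disable
set interfaces interface-range unused unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces ge-0/0/5 disable
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/6 disable
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces ge-0/0/7 disable
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members mgmt
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members vlan_disabled
set protocols dot1x authenticator interface ge-0/0/7.0 supplicant multiple
"""

RANGE_RE = re.compile(r"^set interfaces interface-range (\S+) (.+)$")
IFACE_RE = re.compile(r"^set interfaces (?!interface-range\b)(\S+) (.+)$")
DOT1X_RE = re.compile(r"^set protocols dot1x authenticator interface (\S+)")
PORT_RE = re.compile(r"^(.*?)(\d+)$")

def expand_range(first, last):
    """Expand 'ge-0/0/21 to ge-0/0/23' into the contiguous port list.
    Assumption: both ends share a prefix and differ only in the last port number."""
    m1, m2 = PORT_RE.match(first), PORT_RE.match(last)
    if not (m1 and m2) or m1.group(1) != m2.group(1):
        raise ValueError(f"unsupported member-range {first} to {last}")
    return [f"{m1.group(1)}{n}" for n in range(int(m1.group(2)), int(m2.group(2)) + 1)]

def _apply(entry, rest):
    """Record one stanza (the text after the interface or range name)."""
    if rest == "disable":
        entry["disabled"] = True
    elif rest.endswith("interface-mode trunk"):
        entry["trunk"] = True
    elif m := re.search(r"family ethernet-switching vlan members (\S+)$", rest):
        entry["vlans"].add(m.group(1))

def parse_set_config(text):
    """Return ({interface: facts}, {802.1x interfaces}) from display-set text."""
    ifaces = defaultdict(lambda: {"disabled": False, "trunk": False, "vlans": set(),
                                  "individual": False, "ranges": set()})
    ranges = defaultdict(lambda: {"members": [], "stanzas": []})
    dot1x = set()
    for line in (l.strip() for l in text.strip().splitlines()):
        if m := RANGE_RE.match(line):
            name, rest = m.groups()
            if mr := re.match(r"^member-range (\S+) to (\S+)$", rest):
                ranges[name]["members"] += expand_range(*mr.groups())
            elif mm := re.match(r"^member (\S+)$", rest):
                ranges[name]["members"].append(mm.group(1))
            else:
                ranges[name]["stanzas"].append(rest)
        elif m := IFACE_RE.match(line):
            name, rest = m.groups()
            ifaces[name]["individual"] = True
            _apply(ifaces[name], rest)
        elif m := DOT1X_RE.match(line):
            dot1x.add(m.group(1).split(".")[0])  # drop the logical-unit suffix
    for rname, r in ranges.items():  # range config applies to every member
        for member in r["members"]:
            ifaces[member]["ranges"].add(rname)
            for rest in r["stanzas"]:
                _apply(ifaces[member], rest)
    return ifaces, dot1x

def audit(text, unused_vlan=UNUSED_VLAN):
    """Return finding strings for the rule; an empty list means compliant."""
    ifaces, dot1x = parse_set_config(text)
    findings = []
    for name in sorted(ifaces):
        e = ifaces[name]
        if e["trunk"]:
            if unused_vlan in e["vlans"]:
                findings.append(f"{name}: unused VLAN {unused_vlan} allowed on trunk")
            continue
        if e["ranges"] and e["individual"]:
            findings.append(f"{name}: in interface-range {','.join(sorted(e['ranges']))} "
                            "but also configured individually")
        if name in dot1x:
            continue  # access interfaces running 802.1x are exempt
        if e["disabled"] and e["vlans"] != {unused_vlan}:
            vlans = ", ".join(sorted(e["vlans"])) or "(none)"
            findings.append(f"{name}: disabled access interface in VLAN(s) {vlans}, not {unused_vlan}")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING", f)
```

Pass the contents of a saved capture to audit() to get one line per finding. One caveat: an access interface with no configuration at all does not appear in `display set` output, so the script cannot see it; such ports must still be found with `show interfaces` and `show vlans`, then disabled and placed in the unused VLAN like the others.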
Fix Text (F-57369r843930_fix)
Disable all access interfaces not in use and assign them to an inactive VLAN.

In this example, "vlan_disabled" is the name given to the VLAN for unused interfaces. This VLAN name can be any legal name.

set vlans vlan_disabled vlan-id <vlan-id>

set interfaces interface-range <range-name> member <interface-name>
set interfaces interface-range <range-name> member-range <interface-name> to <interface-name>
set interfaces interface-range <range-name> disable
set interfaces interface-range <range-name> unit 0 family ethernet-switching vlan members vlan_disabled

set interfaces <interface-name> disable
set interfaces <interface-name> unit 0 family ethernet-switching vlan members vlan_disabled

Delete the unused VLAN from all trunked interfaces.

delete interfaces <trunk-interface-name> unit 0 family ethernet-switching vlan members vlan_disabled

Note: Switch ports configured for 802.1x are exempt from this requirement.