
The Juniper EX switch must not have a native VLAN ID assigned, or have a unique native VLAN ID, for all 802.1q trunk links.


Overview

Finding ID: V-253971
Version: JUEX-L2-000240
Rule ID: SV-253971r843946_rule
IA Controls: (none listed)
Severity: Medium
Description
By default, Juniper switches do not assign a native VLAN to any trunked interface. Allowing trunked interfaces to accept untagged data packets may unintentionally expose VLANs to unauthorized devices, which could result in network exploration, unauthorized resource access, or a DoS condition. If a network function requires a native VLAN, it must be unique.
STIG: Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
Date: 2022-08-31

Details

Check Text ( C-57423r843944_chk )
Review the switch configuration and examine all trunked interfaces to verify no native VLAN ID is assigned. If a native VLAN has been assigned, verify the VLAN is unique.

By default, there are no native VLANs assigned to any trunked interface.

Verify trunked interfaces do not have a native VLAN ID configured.
[edit interfaces]
{
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name ... vlan_name ];
            }
        }
    }
}

If trunked interfaces require a native VLAN, verify it is unique.
[edit interfaces]
{
    native-vlan-id ;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name ... vlan_name ];
            }
        }
    }
}
Note: By default, Juniper switches do not automatically assign a native VLAN. Configuring an interface with "interface-mode trunk" does not automatically assign the default VLAN.

Verify any VLAN assigned as native for any trunked interface has been configured.
[edit vlans]
native_vlan_name {
    vlan-id ;
}

If trunked interfaces do not have a native VLAN ID configured, this is not a finding.

If a native VLAN is configured and does not have a unique VLAN ID, this is a finding.
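The check above can be automated against the output of "show configuration | display set". The following script is an added example, not part of the STIG or Juniper's own tooling. It parses a constructed set-format configuration (the interface names, VLAN names and IDs are sample values) and, for every trunk interface, reports whether a native VLAN ID is present, whether that VLAN exists under [edit vlans], and whether it is unique. "Unique" is interpreted here as an assumption: a native VLAN ID that is also a tagged member on a trunk or assigned to an access port is treated as not unique, since the untagged VLAN would then share an ID with a data VLAN.

```python
import re
from collections import defaultdict

# Constructed sample resembling `show configuration | display set` on a Juniper EX.
# Interface and VLAN names and IDs are made up for this example.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members servers
set interfaces ge-0/0/2 native-vlan-id 30
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/3 native-vlan-id 10
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members servers
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/5 native-vlan-id 40
set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members servers
set vlans users vlan-id 10
set vlans servers vlan-id 20
set vlans native-only vlan-id 30
"""

RE_MODE = re.compile(r"^set interfaces (\S+) unit \d+ family ethernet-switching interface-mode (trunk|access)$")
RE_MEMBER = re.compile(r"^set interfaces (\S+) unit \d+ family ethernet-switching vlan members (\S+)$")
RE_NATIVE = re.compile(r"^set interfaces (\S+) native-vlan-id (\d+)$")
RE_VLAN = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")


def parse_config(text):
    """Extract port modes, VLAN memberships, native VLAN IDs and VLAN definitions."""
    modes, members, native, vlans = {}, defaultdict(set), {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := RE_MODE.match(line):
            modes[m.group(1)] = m.group(2)
        elif m := RE_MEMBER.match(line):
            members[m.group(1)].add(m.group(2))
        elif m := RE_NATIVE.match(line):
            native[m.group(1)] = int(m.group(2))
        elif m := RE_VLAN.match(line):
            vlans[m.group(1)] = int(m.group(2))
    return modes, members, native, vlans


def audit_native_vlans(text):
    """Return {trunk_interface: verdict} following the STIG check logic."""
    modes, members, native, vlans = parse_config(text)
    # VLAN IDs that carry tagged or access-port traffic anywhere on the switch.
    # Members may be VLAN names or bare numeric IDs; ranges and "all" are not handled here.
    data_vlan_ids = set()
    for names in members.values():
        for name in names:
            if name in vlans:
                data_vlan_ids.add(vlans[name])
            elif name.isdigit():
                data_vlan_ids.add(int(name))
    results = {}
    for iface, mode in modes.items():
        if mode != "trunk":
            continue  # the check applies to 802.1q trunk links only
        if iface not in native:
            results[iface] = "not a finding: no native VLAN ID"
            continue
        vid = native[iface]
        if vid not in vlans.values():
            results[iface] = f"finding: native VLAN ID {vid} is not configured under [edit vlans]"
        elif vid in data_vlan_ids:
            results[iface] = f"finding: native VLAN ID {vid} also carries tagged or access traffic"
        else:
            results[iface] = f"not a finding: native VLAN ID {vid} is unique"
    return results


if __name__ == "__main__":
    for iface, verdict in sorted(audit_native_vlans(SAMPLE_CONFIG).items()):
        print(f"{iface}: {verdict}")
```

In the sample, ge-0/0/1 has no native VLAN and ge-0/0/2 uses VLAN 30, which is defined and carries no other traffic, so both pass; ge-0/0/3 reuses the "users" data VLAN (ID 10) as native and ge-0/0/5 references an undefined VLAN 40, so both are reported as findings. Feed the script a saved "display set" capture from the switch under review, and add handling for VLAN ranges or "all" members if your configuration uses them.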
Fix Text (F-57374r843945_fix)
To ensure the integrity of the trunk link, either remove the native VLAN ID or configure the native VLAN ID with a unique value. If used, the native VLAN ID must be the same on both ends of the trunk link.

Example deleting a native VLAN ID:
delete interfaces native-vlan-id

Example configuring a native VLAN ID:
set interfaces native-vlan-id

Example configuring a VLAN used as native for any trunked interface:
set vlans vlan_name vlan-id 30