Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-5628 | NET-VLAN-006 | SV-5628r1_rule | ECSC-1 | Medium |
Description |
---|
All ports, including the internal sc0 interface, are members of VLAN 1 by default. In a VLAN-based network, switches use VLAN 1 as the default VLAN for in-band management and for communicating with other network devices via Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP), all of which is carried as untagged traffic. As a consequence, VLAN 1 can span the entire network if it is not pruned appropriately, and the larger its scope, the greater the risk of compromise. |
STIG | Date |
---|---|
Layer 2 Switch Security Technical Implementation Guide | 2013-10-08 |
Check Text (C-3767r1_chk) |
---|
If switch clustering is used, review the configuration of the VLAN command switch and look for the command cluster management-vlan; the new management VLAN ID follows this command. For unclustered switches, review the configuration of each switch. All ports, including the internal management interface (sc0), are members of VLAN 1 by default. The management VLAN can be identified by the switch virtual interface (SVI) that carries the IP address of the internal management interface. Note the IP address defined for the sc0 interface; it can be reached only from hosts connected to ports that belong to the management VLAN. Below is an example of disabling VLAN 1 and creating an SVI that could be used for the management VLAN. |

```
interface VLAN1
 no ip address
 shutdown
interface VLAN10
 ip address 10.0.1.10 255.255.255.0
 no shutdown
```

Note: The management VLAN can also be defined by the set command when configuring the IP address of the sc0 interface (CatOS):

```
set interface sc0 10.0.1.10 255.255.255.0
```
Fix Text (F-5539r1_fix) |
---|
Best practice for VLAN-based networks is to create a dedicated management VLAN, prune unnecessary ports from VLAN 1 as well as from the management VLAN, and separate in-band management, device-protocol, and data traffic. |
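The check text describes a manual review and the fix text the pruning that should follow. The script below is an added example, not part of the STIG or any vendor tool, that applies the same test to an IOS-style running-config: it reports whether Vlan1 still carries a management address or is left up, whether a dedicated management SVI exists, and which access ports and trunks still use VLAN 1 (the IOS default whenever no access VLAN or native VLAN is configured, and whenever a trunk has no allowed-VLAN list). The Vlan10 SVI with 10.0.1.10/24 is the one shown in the check text; the interface names, VLAN 20 (users) and VLAN 999 (native/parking) in the two constructed sample configs are assumptions, and the CatOS set syntax is not parsed.

```python
"""Audit an IOS-style running-config for VLAN 1 exposure. Added example for
NET-VLAN-006, not STIG text; assumes Cisco IOS syntax, not CatOS 'set' forms."""
import re

def parse_interfaces(config):
    """Return {name: [stanza lines]} for every 'interface X' block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None   # '!' or any other top-level line ends the stanza
    return interfaces

def vlan_allowed(vlan, spec):
    """True if a 'switchport trunk allowed vlan' spec ('all', 'none', 'except <list>',
    comma/range list; 'add'/'remove' read as plain lists) includes vlan."""
    spec = spec.strip().lower()
    if spec in ("all", "none"):
        return spec == "all"
    negate = spec.startswith("except ")
    if " " in spec:                  # drop the except/add/remove keyword
        spec = spec.split(" ", 1)[1]
    hit = False
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and (hi == "" or hi.isdigit()) and int(lo) <= vlan <= int(hi or lo):
            hit = True
    return not hit if negate else hit

def audit_vlan1(config):
    """Check text as code: Vlan1 has no IP and is shut, a management SVI exists,
    and no access port or trunk still uses VLAN 1."""
    findings, mgmt_vlans = [], []
    for name, lines in parse_interfaces(config).items():
        lname, body = name.lower(), "\n".join(lines)
        has_ip = any(l.startswith("ip address ") for l in lines)
        if lname == "vlan1":
            if has_ip:
                findings.append("Vlan1 carries a management IP address")
            if "shutdown" not in lines:
                findings.append("Vlan1 SVI is not shut down")
            continue
        if lname.startswith(("vlan", "loopback", "tunnel")):   # logical interfaces
            if lname.startswith("vlan") and has_ip:
                mgmt_vlans.append(name)
            continue
        if "no switchport" in lines:
            continue                 # routed port: no VLAN membership
        if "switchport mode trunk" in lines:
            m = re.search(r"switchport trunk native vlan (\d+)", body)
            if (int(m.group(1)) if m else 1) == 1:    # IOS default native VLAN is 1
                findings.append(f"{name}: trunk native VLAN is 1 (default)")
            m = re.search(r"switchport trunk allowed vlan (.+)", body)
            if vlan_allowed(1, m.group(1) if m else "all"):
                findings.append(f"{name}: trunk still carries VLAN 1")
        else:
            m = re.search(r"switchport access vlan (\d+)", body)
            if (int(m.group(1)) if m else 1) == 1:    # IOS default access VLAN is 1
                findings.append(f"{name}: access port left in VLAN 1")
    if not mgmt_vlans:
        findings.append("no dedicated management SVI found")
    return {"management_vlans": mgmt_vlans, "findings": findings, "compliant": not findings}

# Constructed sample: factory-default switch, everything still in VLAN 1.
DEFAULT_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/24
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.1.10 255.255.255.0
"""

# Constructed sample: the fix text applied. Vlan10/10.0.1.10 is the SVI from the
# check text; VLAN 20 (users) and 999 (unused native/parking) are assumptions.
HARDENED_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 20
 switchport mode access
interface FastEthernet0/2
 switchport access vlan 999
 shutdown
interface FastEthernet0/24
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
interface Vlan10
 ip address 10.0.1.10 255.255.255.0
"""
```

Run audit_vlan1 over the text of show running-config; the default sample yields six findings (Vlan1 addressed and up, an access port and a trunk still on VLAN 1, no management SVI), while the hardened sample returns compliant with Vlan10 as the management VLAN. Port-channel interfaces are treated as switchports, routed ports (no switchport) are skipped, and a trunk with no allowed-VLAN list is reported because IOS then carries every VLAN, including VLAN 1.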