
A dedicated management VLAN or VLANs must be configured to keep management traffic separate from user data and control plane traffic.


Overview

Finding ID: V-5628
Version: NET-VLAN-006
Rule ID: SV-5628r2_rule
IA Controls:
Severity: Medium
Description
All ports, including the internal sc0 interface, are members of VLAN 1 by default. In a VLAN-based network, switches use VLAN 1 as the default VLAN for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP), all of which is carried as untagged traffic. As a consequence, VLAN 1 may unwisely span the entire network if it is not appropriately pruned. If its scope is large enough, the risk of compromise increases significantly.
STIG: Layer 2 Switch Security Technical Implementation Guide - Cisco
Date: 2019-01-09

Details

Check Text ( C-3767r3_chk )
Review the device configurations to determine whether a dedicated VLAN or VLANs have been implemented for the management network. VLAN 1 must not be used.

If a dedicated VLAN or VLANs have not been established for the management network, this is a finding.

If VLAN 1 is used for management, this is also a finding.
Fix Text (F-5539r2_fix)
Best practice for VLAN-based networks is to create a dedicated management VLAN, to prune unnecessary ports so they cannot reach VLAN 1 or the management VLAN, and to keep in-band management, device protocol, and data traffic separate.
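As an added example (not part of the STIG), the following Python audit applies this check to a Cisco IOS running-config: it flags management on VLAN 1, a missing SVI on the designated management VLAN, access ports left in VLAN 1, and trunks that carry VLAN 1 because no allowed-VLAN list prunes it. The sample config is constructed, and the management VLAN number is an assumed input supplied by the auditor.

```python
import re

# Constructed sample running-config (not from the STIG): the management SVI sits on
# VLAN 1, Gi0/2 is left in the default VLAN 1, and the Gi0/3 trunk is not pruned.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport access vlan 20
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza of an IOS config to its indented lines."""
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def trunk_allows(lines, vlan):
    """True if a trunk carries `vlan`; IOS carries every VLAN when no list is set."""
    for l in lines:
        m = re.match(r"switchport trunk allowed vlan ([\d,-]+)$", l)
        if m:  # list entries look like "20" or "2-4094"
            return any(int(p.partition("-")[0]) <= vlan <= int(p.partition("-")[2] or p)
                       for p in m.group(1).split(","))
    return True

def check_mgmt_vlan(config, mgmt_vlan):
    """Audit one config against NET-VLAN-006; returns finding strings ([] = pass)."""
    findings = []
    if mgmt_vlan == 1:
        findings.append("VLAN 1 is used for management")
    ifaces = parse_interfaces(config)
    if not any(l.startswith("ip address ") for l in ifaces.get(f"Vlan{mgmt_vlan}", [])):
        findings.append(f"no management SVI with an IP address on Vlan{mgmt_vlan}")
    for name, lines in ifaces.items():
        if name.startswith("Vlan") or "shutdown" in lines or "no switchport" in lines:
            continue
        if "switchport mode trunk" in lines:
            if trunk_allows(lines, 1):
                findings.append(f"{name}: trunk carries VLAN 1 (not pruned)")
            continue
        # An access port stays in VLAN 1 unless 'switchport access vlan N' moves it.
        m = re.search(r"^switchport access vlan (\d+)$", "\n".join(lines), re.M)
        if m is None or m.group(1) == "1":
            findings.append(f"{name}: access port left in VLAN 1")
    return findings
```

Run it over `show running-config` output for each switch; an empty list means no finding for this rule, and each string names the interface to remediate.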