
NET-VLAN-004 – VLAN 1 is being used as a user VLAN – ‘shutdown’.

Details

The IAO/NSO will ensure VLAN1 is not used for user VLANs.

In a VLAN-based network, switches use VLAN 1 as the default VLAN for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP); all of this traffic is sent untagged. As a consequence, VLAN 1 may unwisely span the entire network if it is not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.

NOTE: This check is derived from the L3 switch guidance; if the scan target is a router, the check can be ignored.

Solution

Best practice for VLAN-based networks is to prune unnecessary ports so that they cannot gain access to VLAN 1 or to the management VLAN, and to separate in-band management, device-protocol, and data traffic.
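The following audit script is an added example (not part of the STIG or of this page) that checks a Cisco IOS running-config excerpt for the three conditions this control describes: a VLAN 1 SVI that is not shut down, access ports left in the default VLAN 1, and trunks that still carry VLAN 1. The configuration text is constructed sample data, and the parser assumes plain IOS `switchport` syntax (keyword forms such as `allowed vlan add` are not evaluated).

```python
# Constructed sample excerpt of a Cisco IOS 'show running-config' (not from a real device).
SAMPLE_CONFIG = """
interface Vlan1
 shutdown
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/23
 switchport mode trunk
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20-22,999
"""

def parse_interfaces(config):
    """Split IOS config text into {interface name: [config lines under it]}."""
    blocks, current = {}, None
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def expand_vlan_list(spec):
    """Expand 'all', 'none' or a plain list such as '10,20-22,999' into a set of VLAN ids."""
    if spec in ("all", "none"):
        return set(range(1, 4095)) if spec == "all" else set()
    vlans = set()
    for lo, _, hi in (part.partition("-") for part in spec.split(",")):
        vlans.update(range(int(lo), int(hi or lo) + 1))  # keyword forms (add/remove/except) raise ValueError
    return vlans

def check_vlan1(config):
    """NET-VLAN-004 findings: VLAN 1 SVI left up, access ports in VLAN 1, trunks carrying VLAN 1."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == "vlan1":
            if "shutdown" not in lines:
                findings.append(f"{name}: VLAN 1 SVI is not shut down")
            continue
        mode = next((ln.split()[-1] for ln in lines if ln.startswith("switchport mode ")), None)
        access = next((ln.split()[-1] for ln in lines if ln.startswith("switchport access vlan ")), "1")
        trunk = next((ln.split()[4] for ln in lines if ln.startswith("switchport trunk allowed vlan ")), "all")
        if mode == "access" and int(access) == 1:  # IOS default access VLAN is 1
            findings.append(f"{name}: access port is in VLAN 1")
        elif mode == "trunk" and 1 in expand_vlan_list(trunk):  # a trunk with no allowed list carries every VLAN
            findings.append(f"{name}: trunk allows VLAN 1")
    return findings
```

Run against a real `show running-config` capture, the returned list is the set of interfaces to remediate (move access ports to a user VLAN, restrict the trunk's allowed list, and keep `interface Vlan1` shut down).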

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Cisco.

References

Source

Updated on July 16, 2022