CISC-L2-000220 – The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.

Details

In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) – all untagged traffic.

As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remove the assignment of the default VLAN from all access switch ports.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Switch_Y21M07_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Cisco.

References

800-53|CM-6b.
CAT|II
CCI|CCI-000366
Rule-ID|SV-220642r539671_rule
STIG-ID|CISC-L2-000220
STIG-Legacy|SV-110255
STIG-Legacy|V-101151
Vuln-ID|V-220642

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles