CISC-L2-000210 – The Cisco switch must have all disabled switch ports assigned to an unused VLAN.

Details

It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Assign all switch ports not in use to an inactive VLAN.

Step 1: Assign the disabled interfaces to an inactive VLAN.

SW1(config)# int e1/81-128
SW1(config-if-range)# switchport access vlan 999
SW1(config-if-range)# end

Step 2: Configure trunk links to not allow traffic from the inactive VLAN.

SW1(config-if)# switchport trunk allowed vlan except 999
SW1(config-if)# end

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y21M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Cisco.

References

800-53|CM-6b.
CAT|II
CCI|CCI-000366
Rule-ID|SV-110355r1_rule
STIG-ID|CISC-L2-000210
Vuln-ID|V-101251

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles