Details
In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) – all untagged traffic.
As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Remove the assignment of the default VLAN from all access switch ports.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Cisco.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Rule-ID|SV-220642r539671_rule
- STIG-ID|CISC-L2-000220
- STIG-Legacy|SV-110255
- STIG-Legacy|V-101151
- Vuln-ID|V-220642