Details
Switches use the default VLAN (VLAN 1) for in-band management and to exchange Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) frames with directly connected switches; this traffic is sent untagged on the native VLAN of trunk links. Because every access port also belongs to VLAN 1 until it is assigned elsewhere, the default VLAN tends to span the entire network unless it is deliberately pruned from trunks. The larger its scope, the greater the risk: any host plugged into an unconfigured port shares a broadcast domain with the management SVI, can reach the management address directly, and can observe or spoof the untagged control traffic. Note that Cisco switches keep sending control-plane protocols such as VTP, DTP and PAgP on VLAN 1 even after it is removed from a trunk's allowed VLAN list, so pruning limits user traffic but does not remove the need to move management off VLAN 1.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure the switch so that in-band management uses a VLAN other than the default VLAN. Create the management VLAN in the VLAN database first (the SVI will not come up if the VLAN does not exist; the name MGMT below is illustrative), then assign the management address to its SVI. Afterwards remove any IP address from interface VLAN 1 and shut that interface down so the default VLAN no longer carries management traffic:
SW1(config)#vlan 22
SW1(config-vlan)#name MGMT
SW1(config-vlan)#exit
SW1(config)#interface vlan 22
SW1(config-if)#ip address 10.1.22.3 255.255.255.0
SW1(config-if)#no shutdown
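Nessus reviews the target's configuration output for this check. The following Python script, added here as an example and not part of the STIG or the Nessus audit, applies the same test offline to a saved running-config: it parses every SVI block and reports a finding when interface Vlan1 is up with an IP address, and it also lists which VLANs currently carry an active SVI so the reviewer can see where management actually lives. The two sample configurations, the hostname SW1 and the VLAN name MGMT are constructed for illustration.

```python
"""Flag management on the default VLAN in a Cisco IOS running-config.

Added example for this page; it is not part of the STIG or the Nessus audit.
It parses every `interface VlanN` block and reports a finding when interface
Vlan1 carries an IP address and is not shut down. The sample configurations
at the bottom are constructed for illustration.
"""
import re

# Matches the header of an SVI block, e.g. "interface Vlan1" or "interface Vlan22".
SVI_HEADER = re.compile(r"^interface\s+Vlan(\d+)\s*$", re.IGNORECASE)


def parse_svis(config: str) -> dict:
    """Return {vlan_id: {"ip": address-or-None, "shutdown": bool}} for each SVI.

    IOS config blocks are delimited by indentation: lines belonging to an
    interface are indented by one space, and the next non-indented line
    (another 'interface', a '!' separator, 'router ...') ends the block.
    """
    svis = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = SVI_HEADER.match(line)
        if header:
            current = int(header.group(1))
            # IOS omits 'no shutdown' from the config, so default to up.
            svis[current] = {"ip": None, "shutdown": False}
            continue
        if current is None:
            continue
        if line and not line.startswith(" "):
            current = None  # left the SVI block
            continue
        stripped = line.strip()
        if stripped.startswith("ip address "):
            svis[current]["ip"] = stripped[len("ip address "):]
        elif stripped == "shutdown":
            svis[current]["shutdown"] = True
    return svis


def active_management_vlans(config: str) -> list:
    """VLAN IDs whose SVI has an address and is up (candidate management VLANs)."""
    return sorted(vid for vid, svi in parse_svis(config).items()
                  if svi["ip"] and not svi["shutdown"])


def default_vlan_management_findings(config: str) -> list:
    """Return a list of finding strings; an empty list means no finding for this check."""
    findings = []
    vlan1 = parse_svis(config).get(1)
    if vlan1 and vlan1["ip"] and not vlan1["shutdown"]:
        findings.append(
            f"interface Vlan1 is up with ip address {vlan1['ip']}: "
            "management traffic uses the default VLAN")
    return findings


# Constructed sample: management SVI left on VLAN 1 (finding).
NONCOMPLIANT_CONFIG = """\
hostname SW1
!
interface Vlan1
 ip address 10.1.1.3 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport mode access
!
"""

# Constructed sample: VLAN 22 created, SVI moved, Vlan1 cleared and shut down.
COMPLIANT_CONFIG = """\
hostname SW1
!
vlan 22
 name MGMT
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan22
 ip address 10.1.22.3 255.255.255.0
!
"""

if __name__ == "__main__":
    for name, cfg in (("noncompliant", NONCOMPLIANT_CONFIG),
                      ("compliant", COMPLIANT_CONFIG)):
        print(name, "-> management VLANs:", active_management_vlans(cfg),
              "findings:", default_vlan_management_findings(cfg) or "none")
```

Feed it the text of `show running-config` from the switch under review. The check is intentionally narrow: a switch managed purely out-of-band (for example through a dedicated management port) will report no active SVIs at all, which is not a finding for this item, so the script reports VLAN 1 usage only and leaves the interpretation of an empty management-VLAN list to the reviewer.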
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Cisco.
References
- 800-53|CM-6b.
- CAT|II
- CCI|CCI-000366
- Rule-ID|SV-220644r539671_rule
- STIG-ID|CISC-L2-000240
- STIG-Legacy|SV-110259
- STIG-Legacy|V-101155
- Vuln-ID|V-220644