
NET-VLAN-005 – VLAN 1 traffic traverses across unnecessary trunk

Details

VLAN 1 must be pruned from all trunk and access ports that do not require it.

VLAN 1 is a special VLAN that carries most of the control-plane traffic, such as Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP), all of which is tagged VLAN 1. VLAN 1 is enabled on all trunks and ports by default. In larger campus networks, care must be taken with the diameter of the VLAN 1 STP domain: instability in one part of the network can affect VLAN 1, thereby influencing control-plane stability and therefore STP stability for all other VLANs.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Review the device configuration to determine if VLAN 1 is pruned from all trunk and access switch ports. If VLAN 1 is not pruned from trunk or access switch ports where it’s not required, this is a finding.

Solution

Best practice for VLAN-based networks is to prune VLAN 1 from ports that do not need it and to ensure that it does not traverse trunks that do not require VLAN 1 traffic.
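The following is an added compliance check, not part of the STIG or this page: it replays each trunk's `switchport trunk allowed vlan` commands from a constructed IOS running-config and lists the trunk and access ports where VLAN 1 is still carried (the sample interface names and VLAN numbers are made up).

```python
import re
ALL_VLANS = frozenset(range(1, 4095))   # what an IOS trunk carries when no allowed list is set

# Constructed sample; interface names and VLAN numbers are made up for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport mode access
"""

def expand_vlans(spec):  # IOS VLAN list '1,10-12' -> {1, 10, 11, 12}
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    # Each 'interface X' line opens a block; its sub-commands are the indented lines after it.
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(r"^interface (.+)\n((?: .*\n?)*)", config, re.M)}

def trunk_allowed(lines):
    """Replay 'switchport trunk allowed vlan' commands in order; the default is every VLAN."""
    allowed = set(ALL_VLANS)
    for l in lines:
        if m := re.match(r"switchport trunk allowed vlan (?:(add|remove|except) )?(\S+)$", l):
            op, spec = m.groups()
            vlans = set(ALL_VLANS) if spec == "all" else set() if spec == "none" else expand_vlans(spec)
            allowed = {"add": allowed | vlans, "remove": allowed - vlans,
                       "except": ALL_VLANS - vlans, None: vlans}[op]
    return allowed

def vlan1_findings(config):
    """Return (interface, reason) for each trunk or access port that still carries VLAN 1."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk" and 1 in trunk_allowed(lines):
            findings.append((name, "VLAN 1 allowed on trunk"))
        elif mode == "access":
            vid = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")), 1)
            if vid == 1:  # no 'switchport access vlan' command means the default, VLAN 1
                findings.append((name, "access port in VLAN 1"))
    return findings
```

Run it over the real `show running-config` output of each switch to produce the evidence for this check. Pruning removes VLAN 1 user traffic from a trunk, but Cisco switches still send CDP, VTP, DTP and PAgP frames on VLAN 1 across it, so a clean result addresses the data-plane exposure, not those control frames.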

Supportive Information

The following resource is also helpful.

This control applies to the following type of system: Cisco.

References

  • CAT|III
  • Rule-ID|SV-3972r2_rule
  • STIG-ID|NET-VLAN-005
  • Vuln-ID|V-3972

Source

Updated on July 16, 2022
