SV-110365r1_rule
V-101261
SRG-NET-000512-L2S-000012
CISC-L2-000260
CAT II
10
On an 802.1Q trunk, frames belonging to the native VLAN are carried untagged. To ensure the integrity of the trunk link and prevent unauthorized access (for example, VLAN hopping by a host on an access port in the default VLAN), the native VLAN of each trunk port must be changed from the default VLAN (i.e., VLAN 1) to a dedicated VLAN ID of its own.
SW1(config)#int e0/1
SW1(config-if)#switchport trunk native vlan 44
Note: The native VLAN ID must be the same on both ends of the trunk link; otherwise, traffic could accidentally leak between broadcast domains.
Review the switch configurations and examine all trunk links. Verify the native VLAN has been configured to a VLAN ID other than the ID of the default VLAN (i.e., VLAN 1), as shown in the example below. A trunk interface with no switchport trunk native vlan command uses the default VLAN 1.
interface Ethernet0/1
switchport
switchport mode trunk
switchport trunk native vlan 44
Note: An alternative to configuring a dedicated native VLAN is to ensure that all native VLAN traffic is tagged. This will mitigate the risk of VLAN hopping since there will always be an outer tag for native traffic as it traverses an 802.1q trunk link.
If the native VLAN of any trunk link has the same VLAN ID as the default VLAN (i.e., VLAN 1) and native VLAN traffic is not tagged, this is a finding.
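The check above is easy to apply by hand on a few ports but error-prone across many switches, so here is an added audit script (written for this page; it is not part of the STIG and not vendor tooling) that parses an IOS-style running-config and reports every statically configured trunk whose effective native VLAN is 1, including trunks that have no switchport trunk native vlan command at all and therefore default to VLAN 1. The sample configuration is constructed. It assumes IOS running-config layout (global commands in column 0, interface sub-commands indented by one space) and assumes that the global command vlan dot1q tag native is the "tag all native VLAN traffic" alternative the note refers to; when that command is present, trunks on VLAN 1 are reported as mitigated rather than as findings.

```python
"""Audit an IOS-style running-config for 802.1Q trunks still using native VLAN 1.
Constructed example for this STIG check; not part of the STIG or vendor tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_NATIVE_VLAN = 1                  # IOS default when no native VLAN is set
TAG_NATIVE_CMD = "vlan dot1q tag native"  # assumed global "tag native traffic" command


@dataclass
class Interface:
    name: str
    mode: Optional[str] = None          # from "switchport mode ..."
    native_vlan: Optional[int] = None   # from "switchport trunk native vlan N"


def parse_config(text: str) -> Tuple[Dict[str, Interface], bool]:
    """Return (interfaces by name, True if native-VLAN tagging is enabled globally)."""
    interfaces: Dict[str, Interface] = {}
    tag_native = False
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # column 0: global command or block header
            current = None
            m = re.match(r"interface\s+(\S+)$", line)
            if m:
                current = Interface(m.group(1))
                interfaces[current.name] = current
            elif line.strip() == TAG_NATIVE_CMD:
                tag_native = True
            continue
        if current is None:                   # sub-command of a non-interface block
            continue
        cmd = line.strip()
        m = re.match(r"switchport mode (\S+)$", cmd)
        if m:
            current.mode = m.group(1)
            continue
        m = re.match(r"switchport trunk native vlan (\d+)$", cmd)
        if m:
            current.native_vlan = int(m.group(1))
    return interfaces, tag_native


def audit(text: str) -> List[dict]:
    """One result per static trunk (switchport mode trunk). DTP dynamic modes can
    also form trunks but belong to a separate check and are not reported here."""
    interfaces, tag_native = parse_config(text)
    results = []
    for intf in interfaces.values():
        if intf.mode != "trunk":
            continue
        effective = DEFAULT_NATIVE_VLAN if intf.native_vlan is None else intf.native_vlan
        if effective != DEFAULT_NATIVE_VLAN:
            status, reason = "ok", f"native VLAN {effective}"
        elif tag_native:
            status, reason = "mitigated", f"native VLAN 1 but '{TAG_NATIVE_CMD}' is set"
        elif intf.native_vlan is None:
            status, reason = "finding", "no native VLAN configured; defaults to VLAN 1"
        else:
            status, reason = "finding", "native VLAN explicitly set to VLAN 1"
        results.append({"interface": intf.name, "native_vlan": effective,
                        "status": status, "reason": reason})
    return results


def findings(text: str) -> List[str]:
    """Trunk interfaces that are a finding under this check."""
    return [r["interface"] for r in audit(text) if r["status"] == "finding"]


# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname SW1
!
interface Ethernet0/1
 switchport
 switchport mode trunk
 switchport trunk native vlan 44
!
interface Ethernet0/2
 switchport mode trunk
!
interface Ethernet0/3
 switchport mode trunk
 switchport trunk native vlan 1
!
interface Ethernet0/4
 switchport mode access
 switchport access vlan 10
!
end
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_CONFIG):
        print(f"{r['interface']:<14} {r['status']:<10} {r['reason']}")
```

On the sample, Ethernet0/1 passes, Ethernet0/2 and Ethernet0/3 are findings (implicit and explicit VLAN 1), and Ethernet0/4 is ignored because it is an access port. Prepending vlan dot1q tag native to the same configuration turns both findings into "mitigated". Confirm the parsed result against show interfaces trunk on the device, which shows the operational native VLAN per trunk.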
V-101261
False
CISC-L2-000260
M
3551