STIGQter: STIG Summary: Cisco IOS Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it.

DISA Rule

SV-220643r539671_rule

Vulnerability Number

V-220643

Group Title

SRG-NET-000512-L2S-000009

Rule Version

CISC-L2-000230

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Prune VLAN 1 from any trunk links as necessary:

SW1(config)#int g0/2
SW1(config-if)#switchport trunk allowed vlan except 1

Verify that VLAN 1 is not allowed on the trunk link:

SW1#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 1
Gi0/2 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi0/1 1-998,1000-4094
Gi0/2 2-4094

Check Contents

Review the switch configuration and verify that the default VLAN is pruned from trunk links that do not require it:

SW1#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 1
Gi0/2 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi0/1 1-998,1000-4094
Gi0/2 1-4094

If the default VLAN is not pruned from trunk links that should not be transporting frames for the VLAN, this is a finding.

Vulnerability Number

V-220643

Documentable

False

Rule Version

CISC-L2-000230

Severity Override Guidance

Review the switch configuration and verify that the default VLAN is pruned from trunk links that do not require it:

SW1#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 1
Gi0/2 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi0/1 1-998,1000-4094
Gi0/2 1-4094

If the default VLAN is not pruned from trunk links that should not be transporting frames for the VLAN, this is a finding.

Check Content Reference

M

Target Key

4070

Comments