STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must not have the default VLAN assigned to any host-facing switch ports.

DISA Rule

SV-220668r539671_rule

Vulnerability Number

V-220668

Group Title

SRG-NET-000512-L2S-000008

Rule Version

CISC-L2-000220

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Remove the assignment of the default VLAN from all access switch ports.

Check Contents

Review the switch configurations and verify that no access switch ports have been assigned membership to the default VLAN (i.e., VLAN 1). VLAN assignments can be verified via the show vlan command.

SW1#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
10 User VLAN active Gi0/3, Gi1/0, Gi1/1, Gi1/2
Gi1/3, Gi2/1
20 Management VLAN active Gi0/2
999 VLAN0999 active Gi2/0

If there are access switch ports assigned to the default VLAN, this is a finding.

Vulnerability Number

V-220668

Documentable

False

Rule Version

CISC-L2-000220

Severity Override Guidance

Review the switch configurations and verify that no access switch ports have been assigned membership to the default VLAN (i.e., VLAN 1). VLAN assignments can be verified via the show vlan command.

SW1#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
10 User VLAN active Gi0/3, Gi1/0, Gi1/1, Gi1/2
Gi1/3, Gi2/1
20 Management VLAN active Gi0/2
999 VLAN0999 active Gi2/0

If there are access switch ports assigned to the default VLAN, this is a finding.

Check Content Reference

M

Target Key

4071

Comments