STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.

DISA Rule

SV-220672r539671_rule

Vulnerability Number

V-220672

Group Title

SRG-NET-000512-L2S-000012

Rule Version

CISC-L2-000260

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To ensure the integrity of the trunk link and prevent unauthorized access, the ID of the native VLAN of the trunk port must be changed from the default VLAN (i.e., VLAN 1) to its own unique VLAN ID.

SW1(config)#int g0/1
SW1(config-if)#switchport trunk native vlan 44

Note: The native VLAN ID must be the same on both ends of the trunk link; otherwise, traffic could accidentally leak between broadcast domains.

Check Contents

Review the switch configurations and examine all trunk links. Verify the native VLAN has been configured to a VLAN ID other than the ID of the default VLAN (i.e., VLAN 1), as shown in the example below:

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 44
 switchport mode trunk
 negotiation auto

Note: An alternative to configuring a dedicated native VLAN is to ensure that all native VLAN traffic is tagged. This will mitigate the risk of VLAN hopping since there will always be an outer tag for native traffic as it traverses an 802.1q trunk link.

If the native VLAN has the same VLAN ID as the default VLAN, this is a finding.
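The check above is a manual review of every trunk port. The following script is an added example, not part of the STIG or of STIGQter, that automates that review over a saved running-config: it walks each `interface` block, treats `switchport mode trunk` as the trunk indicator, reads `switchport trunk native vlan N` (defaulting to VLAN 1 when the line is absent, which is IOS behaviour), and reports a finding for any trunk whose native VLAN is still 1. It also honours the note's alternative mitigation by looking for the global IOS command `vlan dot1q tag native`, which forces native VLAN frames to be tagged; the sample config embedded in the script is constructed for the example.

```python
import re

# Constructed sample running-config (not from the STIG page).
# G0/1 is compliant, G0/2 relies on the implicit default native VLAN,
# G0/3 sets VLAN 1 explicitly, G0/4 is an access port and is out of scope.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 44
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 10
!
"""

DEFAULT_VLAN = 1  # IOS native VLAN when none is configured


def parse_interfaces(config):
    """Return {interface_name: [stripped sub-commands]} from an IOS-style config."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any global command ends the interface block
    return interfaces


def native_vlan_tagged_globally(config):
    """True if the switch tags native VLAN frames on all trunks (vlan dot1q tag native)."""
    return any(line.strip() == "vlan dot1q tag native" for line in config.splitlines())


def audit_trunk_native_vlan(config):
    """Return [(interface, native_vlan, status)] for every trunk port.

    status is 'compliant' (native VLAN != 1), 'mitigated' (native VLAN is 1 but
    native traffic is tagged globally) or 'FINDING' (native VLAN 1, untagged).
    """
    tagged = native_vlan_tagged_globally(config)
    results = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        native = DEFAULT_VLAN
        for cmd in lines:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)
            if m:
                native = int(m.group(1))
        if native != DEFAULT_VLAN:
            status = "compliant"
        elif tagged:
            status = "mitigated"
        else:
            status = "FINDING"
        results.append((name, native, status))
    return results


if __name__ == "__main__":
    for name, native, status in audit_trunk_native_vlan(SAMPLE_CONFIG):
        print(f"{name:22} native VLAN {native:<4} {status}")
```

The script flags ports that never mention a native VLAN, which a reviewer grepping only for `native vlan 1` would miss. It only recognises ports hard-set to `switchport mode trunk`; ports negotiating a trunk via DTP (`switchport mode dynamic ...`) would need `show interfaces trunk` output rather than the static config to be judged reliably.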

Vulnerability Number

V-220672

Documentable

False

Rule Version

CISC-L2-000260

Severity Override Guidance

Check Content Reference

M

Target Key

4071

Comments