STIGQter: STIG Summary: Layer 2 Switch Security Requirements Guide Version: 1 Release: 6 Benchmark Date: 24 Jan 2020

The layer 2 switch must not have the default VLAN assigned to any host-facing switch ports.

DISA Rule

SV-76693r1_rule

Vulnerability Number

V-62203

Group Title

SRG-NET-000512

Rule Version

SRG-NET-000512-L2S-000008

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove the assignment of the default VLAN from all access switch ports.

Check Contents

Review the switch configurations and verify that no access switch ports have been assigned membership in the default VLAN (i.e., VLAN 1). A good method of ensuring there is no membership in the default VLAN is to have it disabled (i.e., shutdown) on the switch. This technique does not prevent switch control plane protocols such as CDP, DTP, VTP, and PAgP from using the default VLAN.

If there are access switch ports assigned to the default VLAN, this is a finding.
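The following checker is an added example, not code from STIGQter or from the DISA SRG. It automates the review above for a Cisco IOS-style running configuration: every interface in `switchport mode access` is reported if it carries `switchport access vlan 1` explicitly or has no access VLAN statement at all (on IOS an access port with no explicit VLAN is a member of VLAN 1). The sample configuration, the function names and the assumption that the device uses IOS-style syntax are all the example's own; trunk ports and SVIs are out of scope for this rule and are ignored.

```python
"""Hypothetical checker for SRG-NET-000512-L2S-000008: find access switch
ports that are members of the default VLAN (VLAN 1) in an IOS-style config.
Not part of STIGQter or of the DISA SRG."""
import re
from typing import Dict, List, Optional

DEFAULT_VLAN = 1  # the default VLAN the rule refers to

# Constructed sample running configuration (not captured from a real device).
SAMPLE_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet1/0/1
 description user port, explicitly assigned to the default VLAN
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet1/0/2
 description user port, no access VLAN configured (IOS defaults to VLAN 1)
 switchport mode access
!
interface GigabitEthernet1/0/3
 description compliant user port
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/24
 description uplink trunk, not an access port
 switchport mode trunk
 switchport trunk native vlan 999
!
interface Vlan1
 no ip address
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines]} for each interface block."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def access_vlan(lines: List[str]) -> Optional[int]:
    """VLAN an access port belongs to, or None if the port is not in access mode."""
    if "switchport mode access" not in lines:
        return None
    for line in lines:
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m:
            return int(m.group(1))
    # IOS assumption: no explicit 'switchport access vlan' means VLAN 1
    return DEFAULT_VLAN


def find_default_vlan_access_ports(config: str) -> List[str]:
    """Names of access ports that are members of the default VLAN, sorted."""
    return sorted(
        name
        for name, lines in parse_interfaces(config).items()
        if access_vlan(lines) == DEFAULT_VLAN
    )


def is_finding(config: str) -> bool:
    """True when at least one access port is assigned to the default VLAN."""
    return bool(find_default_vlan_access_ports(config))


if __name__ == "__main__":
    offenders = find_default_vlan_access_ports(SAMPLE_CONFIG)
    if offenders:
        print("FINDING: access ports in default VLAN:", ", ".join(offenders))
    else:
        print("No access ports assigned to the default VLAN.")
```

Run it against a saved `show running-config` in place of `SAMPLE_CONFIG`; with the constructed sample it reports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and leaves the trunk and the VLAN 20 port alone. Treating a missing `switchport access vlan` line as VLAN 1 is the part reviewers most often miss when eyeballing a configuration.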

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2917

Comments