STIGQter: STIG Summary: Cisco NX-OS Switch L2S Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 08 May 2020

The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it.

DISA Rule

SV-110359r1_rule

Vulnerability Number

V-101255

Group Title

SRG-NET-000512-L2S-000009

Rule Version

CISC-L2-000230

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Step 1: Prune VLAN 1 from any trunk links as necessary.

SW1(config)# int e1/2
SW1(config-if)# switchport trunk allowed vlan except 1, 999
SW1(config-if)# end

Step 2: Verify VLAN 1 is not allowed on the trunk link.

SW1# show interface trunk

--------------------------------------------------------------------------------
Port          Native  Status        Port
              Vlan                  Channel
--------------------------------------------------------------------------------
Eth1/1        1       trunking      --
Eth1/2        1       trunking      --

--------------------------------------------------------------------------------
Port          Vlans Allowed on Trunk
--------------------------------------------------------------------------------
Eth1/1        1-998,1000-4094
Eth1/2        2-998,1000-4094

Check Contents

Review the switch configuration and verify that the default VLAN is pruned from trunk links that do not require it.

SW1# show interface trunk

--------------------------------------------------------------------------------
Port          Native  Status        Port
              Vlan                  Channel
--------------------------------------------------------------------------------
Eth1/1        1       trunking      --
Eth1/2        1       trunking      --

--------------------------------------------------------------------------------
Port          Vlans Allowed on Trunk
--------------------------------------------------------------------------------
Eth1/1        1-998,1000-4094
Eth1/2        1-998,1000-4094

If the default VLAN is not pruned from trunk links that should not be transporting frames for the VLAN, this is a finding.
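The check above is done by eye against `show interface trunk`; on a switch with many trunks it is easier to script. The following Python is an added example, not part of the STIG or of STIGQter: it parses the "Vlans Allowed on Trunk" section of NX-OS `show interface trunk` output, expands each port's VLAN list, and reports every trunk on which VLAN 1 is still allowed (the condition the check calls a finding). The sample output embedded in the script is constructed to mirror the check text, with Eth1/1 still carrying VLAN 1 and Eth1/2 pruned as in the fix; function and variable names are the example's own.

```python
"""Compliance check for CISC-L2-000230: list trunk ports that still allow VLAN 1.

Added example (not from the STIG or from STIGQter). Parses the
"Vlans Allowed on Trunk" section of NX-OS `show interface trunk` output.
"""
import re

# Constructed sample output: Eth1/1 still allows VLAN 1, Eth1/2 has it pruned.
SAMPLE_SHOW_INTERFACE_TRUNK = """\
--------------------------------------------------------------------------------
Port          Native  Status        Port
              Vlan                  Channel
--------------------------------------------------------------------------------
Eth1/1        1       trunking      --
Eth1/2        1       trunking      --

--------------------------------------------------------------------------------
Port          Vlans Allowed on Trunk
--------------------------------------------------------------------------------
Eth1/1        1-998,1000-4094
Eth1/2        2-998,1000-4094
"""


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an NX-OS VLAN list such as '1-998,1000-4094' into a set of VLAN IDs."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_allowed_vlans(output: str) -> dict[str, set[int]]:
    """Return {port: allowed VLAN set} from the 'Vlans Allowed on Trunk' section."""
    allowed: dict[str, set[int]] = {}
    in_section = False
    for line in output.splitlines():
        if "Vlans Allowed on Trunk" in line:
            in_section = True
            continue
        if not in_section or line.startswith("-") or not line.strip():
            continue
        # Data rows look like "Eth1/2        2-998,1000-4094" (or "none").
        m = re.match(r"^(\S+)\s+([\d,\-]+|none)\s*$", line, re.IGNORECASE)
        if m is None:
            # A following "Port ..." header starts the next section; stop there.
            if line.lower().startswith("port"):
                break
            continue
        allowed[m.group(1)] = expand_vlan_list(m.group(2))
    return allowed


def trunks_allowing_vlan(output: str, vlan: int = 1) -> list[str]:
    """Ports whose allowed-VLAN list still contains `vlan`; for VLAN 1 each is a finding."""
    return sorted(port for port, vlans in parse_allowed_vlans(output).items() if vlan in vlans)


if __name__ == "__main__":
    findings = trunks_allowing_vlan(SAMPLE_SHOW_INTERFACE_TRUNK)
    for port in findings:
        print(f"FINDING: VLAN 1 is allowed on trunk {port}")
    if not findings:
        print("No trunk ports allow VLAN 1")
```

Feed it the real output of `show interface trunk` instead of the constructed sample to run it against a switch. Like the STIG check, it looks only at the allowed-VLAN list; which trunks legitimately require VLAN 1 is a judgement the reviewer still has to make against the design documentation.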

Vulnerability Number

V-101255

Documentable

False

Rule Version

CISC-L2-000230

Severity Override Guidance


Check Content Reference

M

Target Key

3551

Comments