STIGQter STIGQter: STIG Summary: Cisco NX-OS Switch L2S Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 08 May 2020:

The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.

DISA Rule

SV-110365r1_rule

Vulnerability Number

V-101261

Group Title

SRG-NET-000512-L2S-000012

Rule Version

CISC-L2-000260

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To ensure the integrity of the trunk link and prevent unauthorized access, the ID of the native VLAN of the trunk port must be changed from the default VLAN (i.e., VLAN 1) to its own unique VLAN ID.

SW1(config)#int e0/1
SW1(config-if)#switchport trunk native vlan 44

Note: The native VLAN ID must be the same on both ends of the trunk link; otherwise, traffic could accidentally leak between broadcast domains.

Check Contents

Review the switch configurations and examine all trunk links. Verify the native VLAN has been configured to a VLAN ID other than the ID of the default VLAN (i.e. VLAN 1) as shown in the example below:

interface Ethernet0/1
switchport
switchport mode trunk
switchport trunk native vlan 44

Note: An alternative to configuring a dedicated native VLAN is to ensure that all native VLAN traffic is tagged. This will mitigate the risk of VLAN hopping since there will always be an outer tag for native traffic as it traverses an 802.1q trunk link.

If the native VLAN has the same VLAN ID as the default VLAN, this is a finding.

Vulnerability Number

V-101261

Documentable

False

Rule Version

CISC-L2-000260

Severity Override Guidance

Review the switch configurations and examine all trunk links. Verify the native VLAN has been configured to a VLAN ID other than the ID of the default VLAN (i.e. VLAN 1) as shown in the example below:

interface Ethernet0/1
switchport
switchport mode trunk
switchport trunk native vlan 44

Note: An alternative to configuring a dedicated native VLAN is to ensure that all native VLAN traffic is tagged. This will mitigate the risk of VLAN hopping since there will always be an outer tag for native traffic as it traverses an 802.1q trunk link.

If the native VLAN has the same VLAN ID as the default VLAN, this is a finding.

Check Content Reference

M

Target Key

3551

Comments