STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must not have any switchports assigned to the native VLAN.

DISA Rule

SV-220673r539671_rule

Vulnerability Number

V-220673

Group Title

SRG-NET-000512-L2S-000013

Rule Version

CISC-L2-000270

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure all access switch ports to a VLAN other than the native VLAN.

Check Contents

Review the switch configurations and examine all access switch ports. Verify that none of them belong to the VLAN configured as the native VLAN on the trunk ports, as in the example below (the trunk on GigabitEthernet0/1 uses native VLAN 44, while the access ports are in VLANs 11 and 12):

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 44
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/2
switchport access vlan 11
negotiation auto
!
interface GigabitEthernet0/3
switchport access vlan 12
negotiation auto
!

If any access switch ports have been assigned to the same VLAN ID as the native VLAN, this is a finding.
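The check above is a comparison between two sets pulled from the running configuration: the native VLAN of every trunk port and the access VLAN of every access port. The following script is an added example (not part of the STIG or of STIGQter) that automates that comparison over a saved `show running-config`. It assumes Cisco's documented defaults, which matter for the check: a trunk with no `switchport trunk native vlan` line uses VLAN 1, and an access port with no `switchport access vlan` line is also in VLAN 1, so a pair of such ports is a finding even though neither line appears in the config. The sample configuration is constructed for the example and includes both an explicit violation and a defaults-only one.

```python
"""Flag access ports whose VLAN matches a trunk's native VLAN (CISC-L2-000270 style check).

Added example; it parses an IOS/IOS-XE running-config saved to a file or string.
"""
import re
import sys
from typing import Dict, List, Tuple

# Cisco default for both the trunk native VLAN and the access VLAN (documented IOS behaviour).
DEFAULT_VLAN = 1

# Constructed sample config (not taken from a real device):
#   Gi0/2 is explicitly in VLAN 44, the native VLAN of the Gi0/1 trunk  -> finding
#   Gi0/3 is in VLAN 12                                                  -> compliant
#   Gi0/4 is an access port with no VLAN line (default 1) and Gi0/5 is a
#   trunk with no native VLAN line (default 1)                           -> finding
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 44
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/2
 switchport access vlan 44
 switchport mode access
 negotiation auto
!
interface GigabitEthernet0/3
 switchport access vlan 12
 negotiation auto
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/5
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stripped config lines]}.

    Works whether or not the sub-commands are indented, since pasted configs
    (like the one in the STIG) often lose the leading space.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.strip() == "!" or not line.strip():
            current = None  # '!' terminates the interface block
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def classify(lines: List[str]) -> Tuple[str, int]:
    """Return (role, vlan): role is 'trunk', 'access' or 'other'.

    For a trunk the VLAN is its native VLAN; for an access port it is the
    access VLAN. Defaults apply when the corresponding line is absent.
    """
    mode = None
    access_vlan = DEFAULT_VLAN
    native_vlan = DEFAULT_VLAN
    for line in lines:
        m = re.match(r"switchport mode (access|trunk)$", line)
        if m:
            mode = m.group(1)
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m:
            access_vlan = int(m.group(1))
            mode = mode or "access"  # 'switchport access vlan' without a mode line: treat as access
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native_vlan = int(m.group(1))
    if mode == "trunk":
        return "trunk", native_vlan
    if mode == "access":
        return "access", access_vlan
    return "other", 0


def find_native_vlan_findings(config: str) -> List[Tuple[str, int]]:
    """Return [(interface, vlan)] for every access port sitting in a trunk's native VLAN."""
    natives = set()
    access_ports: List[Tuple[str, int]] = []
    for name, lines in parse_interfaces(config).items():
        role, vlan = classify(lines)
        if role == "trunk":
            natives.add(vlan)
        elif role == "access":
            access_ports.append((name, vlan))
    return [(name, vlan) for name, vlan in access_ports if vlan in natives]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    findings = find_native_vlan_findings(text)
    for name, vlan in findings:
        print(f"FINDING: {name} is an access port in native VLAN {vlan}")
    if not findings:
        print("No access ports in a native VLAN.")
```

Run it with a saved config as the first argument, or with no argument to use the constructed sample. Reporting the VLAN number alongside the port makes the defaults-only case visible in the output, which is the one a manual review of the config text is most likely to miss.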

Vulnerability Number

V-220673

Documentable

False

Rule Version

CISC-L2-000270

Severity Override Guidance

Check Content Reference

M

Target Key

4071

Comments