NET-VLAN-002 - Disabled ports are not kept in an unused VLAN.

Information

The IAO/NSO will ensure disabled ports are placed in an unused VLAN (do not use VLAN1).

A disabled port that is still assigned to a user or management VLAN may be re-enabled, by accident or by an attacker, and whatever is then connected to it gains access to that VLAN as a member.

NOTE: This check is derived from the L3 switch guidance; if the scan target is a router, the check can be ignored.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Assign all disabled ports to an unused VLAN. Do not use VLAN1.
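Because Nessus does not perform this check, it has to be reviewed by hand. The following script is an added example, not part of this page or of the Tenable audit, that flags shutdown interfaces not parked in the designated unused VLAN (and always flags VLAN 1) when run over saved running-config text; the sample configuration, the Cisco IOS-style syntax it parses, and the choice of VLAN 999 as the parking VLAN are assumptions.

```python
import re

# Constructed sample of Cisco IOS-style running-config text (not real
# device output). Gi1/0/2 has no access-vlan line, so it sits in VLAN 1.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 shutdown
!
interface GigabitEthernet1/0/2
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/3
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/4
 switchport access vlan 10
!
"""

def parse_interfaces(config):
    """Return {name: {"vlan": int, "shutdown": bool}} per interface stanza.
    An access port with no 'switchport access vlan' line defaults to VLAN 1."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"vlan": 1, "shutdown": False}
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "!":
            current = None  # end of the interface stanza
        elif stripped == "shutdown":
            interfaces[current]["shutdown"] = True
        else:
            v = re.match(r"switchport access vlan (\d+)$", stripped)
            if v:
                interfaces[current]["vlan"] = int(v.group(1))
    return interfaces

def find_noncompliant(config, parking_vlan):
    """Disabled ports not parked in the designated unused VLAN.
    VLAN 1 never passes, even if it is named as the parking VLAN."""
    return sorted(name for name, info in parse_interfaces(config).items()
                  if info["shutdown"] and (info["vlan"] != parking_vlan or info["vlan"] == 1))
```

Any interface name the function returns needs to be moved to the parking VLAN (or, if VLAN 1 was chosen as the parking VLAN, a different unused VLAN must be designated).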

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

References: CAT|III, Rule-ID|SV-3973r2_rule, STIG-ID|NET-VLAN-002, Vuln-ID|V-3973

Plugin: Cisco

Control ID: dbbf6a3378350b08764171c5a2d3c6faaeafa5939b27781acaecbc8fcb64df7e