NET-VLAN-008 - A dedicated VLAN is required for all trunk ports.

Information

The IAS/NSO will ensure that the native VLAN is assigned to a VLAN ID other than the default VLAN for all 802.1q trunk links.

VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch in which the victim is connected to. If the attacker knows the victim's MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to victim's switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame unto the trunk link unaware of the inner tag with a VLAN ID for which the victim's switchport is a member of.

NOTE: This check is derived from the L3 switch guidance, if the scan target is a router the check can be ignored.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To ensure the integrity of the trunk link and prevent unauthorized access, the native VLAN of the trunk port should be changed from the default VLAN1 to its own unique VLAN. The native VLAN must be the same on both ends of the trunk link; otherwise traffic could accidently leak between broadcast domains.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R31_STIG.zip

Item Details

References: CAT|II, Rule-ID|SV-5622r2_rule, STIG-ID|NET-VLAN-008, Vuln-ID|V-5622

Plugin: Cisco

Control ID: 124b49ee1bb736b1528c10987e2193b19102a3b6f0c56e5bae2bca26cd32dc49