The Arista MLS layer 2 switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-255985	ARST-L2-000220	SV-255985r882297_rule		Medium

Description
VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim’s MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim’s switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame on to the trunk link unaware of the inner tag with a VLAN ID of which the victim’s switch port is a member.

Description

VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim’s MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim’s switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame on to the trunk link unaware of the inner tag with a VLAN ID of which the victim’s switch port is a member.

STIG	Date
Arista MLS EOS 4.2x L2S Security Technical Implementation Guide	2023-01-11

Details

Check Text ( C-59661r882295_chk )
Review the Arista MLS switch configuration for all trunk ports to have a unique native VLAN ID that is not the default VLAN 1 by using the following example: switch(config)#sh run \| sec native vlan interface Ethernet4 description STIG Disable_VLAN 1 and native vlan to 1000 switchport trunk native vlan 1000 switchport trunk allowed vlan 2-4094 If the native VLAN has the same VLAN ID as the default VLAN, this is a finding.

Check Text ( C-59661r882295_chk )

Review the Arista MLS switch configuration for all trunk ports to have a unique native VLAN ID that is not the default VLAN 1 by using the following example:

switch(config)#sh run | sec native vlan
interface Ethernet4
description STIG Disable_VLAN 1 and native vlan to 1000
switchport trunk native vlan 1000
switchport trunk allowed vlan 2-4094

If the native VLAN has the same VLAN ID as the default VLAN, this is a finding.

Fix Text (F-59604r882296_fix)
Configure the interface trunk ports for the unique Native VLAN ID and configure the VLAN allowed by using the following commands: switch(config)#interface Ethernet10 switch(config-eth10)#description #STIG VLAN 1 Pruning switch(config-eth10)# switchport trunk native vlan 1000 switch(config-eth10)#switchport trunk allowed vlan 2-4094