Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-253971 | JUEX-L2-000240 | SV-253971r843946_rule | | Medium |
Description |
---|
By default, Juniper switches do not assign a native VLAN to any trunked interface. Allowing trunked interfaces to accept untagged data packets may unintentionally expose VLANs to unauthorized devices, which could result in network exploration, unauthorized resource access, or a DoS condition. If a network function requires a native VLAN, it must be unique, i.e., a VLAN ID that is not used for any other traffic on the switch. |
STIG | Date |
---|---|
Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide | 2022-08-31 |
Check Text ( C-57423r843944_chk ) |
---|
Review the switch configuration and examine all trunked interfaces to verify that no native VLAN ID is assigned. If a native VLAN has been assigned, verify that the VLAN is unique. By default, there are no native VLANs assigned to any trunked interface.

Verify that trunked interfaces do not have a native VLAN ID configured (`interface_name` and `vlan_name` are placeholders):

```
[edit interfaces]
interface_name {
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name ... vlan_name ];
            }
        }
    }
}
```

If trunked interfaces require a native VLAN, verify that it is unique (`vlan_id` is a placeholder for the numeric VLAN ID):

```
[edit interfaces]
interface_name {
    native-vlan-id vlan_id;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ vlan_name ... vlan_name ];
            }
        }
    }
}
```

Note: By default, Juniper switches do not automatically assign a native VLAN. Configuring an interface with "interface-mode trunk" does not automatically assign the default VLAN.

Verify that any VLAN assigned as native for any trunked interface has been configured:

```
[edit vlans]
native_vlan_name {
    vlan-id vlan_id;
}
```

If trunked interfaces do not have a native VLAN ID configured, this is not a finding.

If a native VLAN is configured and does not have a unique VLAN ID, this is a finding.
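The check above is manual; the following Python script is an added example (not part of the STIG, and not a Juniper tool) that performs the same audit over a configuration exported with `show configuration | display set`. It flags any trunk whose `native-vlan-id` is not defined under `[edit vlans]`, and, as this example's interpretation of "unique", any native VLAN ID that is also carried as a member VLAN (tagged on a trunk or untagged on an access port) elsewhere on the switch. The sample configuration embedded in the script is constructed for illustration, and the function and variable names are this example's own.

```python
"""Audit a Junos `display set` configuration for JUEX-L2-000240.

A trunk fails the check when its native-vlan-id is (a) not defined under
[edit vlans] or (b) not unique, i.e. the same VLAN ID is also carried as a
member VLAN somewhere on the switch.  Reading "unique" as "not carried as a
member VLAN anywhere" is an assumption made for this example.
"""
import re
from collections import defaultdict

# Constructed sample, not output captured from a real switch.  Bracketed
# member lists are accepted as well as the one-member-per-line form that
# `display set` actually emits.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 description "uplink to core"
set interfaces ge-0/0/0 native-vlan-id 30
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ servers users ]
set interfaces ge-0/0/1 native-vlan-id 10
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members servers
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members [ servers users ]
set interfaces ge-0/0/4 native-vlan-id 99
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members 10-20
set vlans servers vlan-id 10
set vlans users vlan-id 20
set vlans unused-native vlan-id 30
"""


def parse_set_config(text):
    """Return ({interface: {mode, members, native}}, {vlan_name: vlan_id})."""
    interfaces = defaultdict(lambda: {"mode": None, "members": [], "native": None})
    vlans = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "set":
            continue
        if parts[1] == "interfaces":
            entry, rest = interfaces[parts[2]], parts[3:]
            # native-vlan-id sits at interface level on ELS platforms and under
            # family ethernet-switching on older ones; both are matched here.
            if "native-vlan-id" in rest[:-1]:
                entry["native"] = int(rest[rest.index("native-vlan-id") + 1])
            elif "interface-mode" in rest[:-1]:
                entry["mode"] = rest[rest.index("interface-mode") + 1]
            elif "members" in rest:
                for tok in rest[rest.index("members") + 1:]:
                    tok = tok.strip("[]")  # drop the list brackets
                    if tok:
                        entry["members"].append(tok)
        elif parts[1] == "vlans" and len(parts) >= 5 and parts[3] == "vlan-id":
            vlans[parts[2]] = int(parts[4])
    return dict(interfaces), vlans


def member_ids(member, vlans):
    """Resolve one `vlan members` token (name, ID, range, or all) to VLAN IDs."""
    if member == "all":
        return set(vlans.values())
    if member in vlans:
        return {vlans[member]}
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", member)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        return set(range(lo, hi + 1))
    return set()  # undefined VLAN name: nothing to resolve


def audit_native_vlans(text):
    """Return [(interface, native_vlan_id, reason)] for trunks failing the check."""
    interfaces, vlans = parse_set_config(text)
    defined = set(vlans.values())
    carried = defaultdict(set)  # VLAN ID -> interfaces carrying it as a member
    for name, entry in interfaces.items():
        for tok in entry["members"]:
            for vid in member_ids(tok, vlans):
                carried[vid].add(name)
    findings = []
    for name, entry in sorted(interfaces.items()):
        vid = entry["native"]
        if entry["mode"] != "trunk" or vid is None:
            continue  # no native VLAN on this trunk: not a finding
        if vid not in defined:
            findings.append((name, vid, "undefined"))
        if vid in carried:
            findings.append((name, vid, "not-unique"))
    return findings


if __name__ == "__main__":
    for name, vid, reason in audit_native_vlans(SAMPLE_CONFIG):
        print(f"FINDING {name}: native-vlan-id {vid} ({reason})")
```

On the sample, ge-0/0/0 passes (VLAN 30 exists and is used only as a native VLAN), ge-0/0/1 is a finding because VLAN 10 is also a tagged member on other trunks, and ge-0/0/4 is a finding because VLAN 99 is not defined. Feed the script a real `display set` export to audit a switch; it does not check that the far end of each trunk uses the same native VLAN ID, which still has to be compared by hand.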
Fix Text (F-57374r843945_fix) |
---|
To ensure the integrity of the trunk link, either remove the native VLAN ID or configure the native VLAN ID with a unique value. If used, the native VLAN ID must be the same on both ends of the trunk link. In the examples below, `interface_name` and `vlan_name` are placeholders and 30 stands for the chosen unique VLAN ID.

Example deleting a native VLAN ID:

```
delete interfaces interface_name native-vlan-id
```

Example configuring a native VLAN ID:

```
set interfaces interface_name native-vlan-id 30
```

Example configuring a VLAN used as native for any trunked interface:

```
set vlans vlan_name vlan-id 30
```