The Arista MLS layer 2 switch must not have the default VLAN assigned to any host-facing switch ports.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-255981 | ARST-L2-000180 | SV-255981r991775_rule | CCI-004891 | medium |

Description

In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP), all of which is sent untagged. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.

| STIG | Date |
|---|---|
| Arista MLS EOS 4.X L2S Security Technical Implementation Guide | 2025-05-19 |
Details
Check Text (C-255981r991775_chk)
Review the Arista MLS switch configurations and verify that no access switch ports have been assigned membership to the default VLAN (i.e., VLAN 1). Note that an EOS switchport with no explicit `switchport access vlan` statement is a member of VLAN 1 by default, so the Ports column of the VLAN 1 row in `show vlan` is the authoritative list; the running-config will not show an explicit VLAN 1 assignment for such ports.

```
switch(config)#sh vlan
VLAN  Name                             Status    Ports
----- -------------------------------- --------- -------------------------------
1     default
8     VLAN0008                         active    Cpu
25    VLAN0025                         active    Cpu
100   VLAN0100                         active    Cpu
1000  VLAN1000                         active    Eth1, Eth2
```
If access switch ports are assigned to the default VLAN, this is a finding.
Fix Text (F-59600r882284_fix)
Configure the Arista MLS switch to remove the assignment of the default VLAN from all access switch ports.
Step 1: Shut down the VLAN 1 interface (SVI) so the default VLAN cannot be used for in-band management:

```
switch(config)#interface vlan 1
switch(config-if-Vl1)#shutdown
```

Note that this only disables Layer 3 on VLAN 1; any access port still in VLAN 1 continues to forward Layer 2 traffic until it is moved in Step 2.
Step 2: Place every access switch port in a VLAN other than the default (1), for example:

```
switch(config)#interface ethernet 8
switch(config-if-Et8)#switchport access vlan 1000
switch(config-if-Et8)#exit
```
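The check and fix above can be automated against a saved running-config. The following Python script is an added example, not part of the STIG or of any Arista tooling: it parses an EOS-style running-config (the sample config embedded below is constructed for illustration), computes each switchport's effective access VLAN, treating a port with no `switchport access vlan` line as a member of VLAN 1 as EOS does, and emits the Step 2 `switchport access vlan` commands for every port found in the default VLAN. The function names and the target VLAN 1000 are assumptions chosen for the example.

```python
"""Audit an Arista EOS running-config for access ports left in the default VLAN (VLAN 1).

Added example; not STIG or Arista code. The sample configuration below is constructed.
"""
import re

DEFAULT_VLAN = 1

# Constructed sample `show running-config` excerpt (not captured from a real switch).
SAMPLE_RUNNING_CONFIG = """\
interface Ethernet1
   description uplink to core
   switchport mode trunk
   switchport trunk native vlan 999
!
interface Ethernet2
   description user port, explicitly placed in VLAN 1000
   switchport access vlan 1000
!
interface Ethernet3
   description user port with no access VLAN configured (EOS default: VLAN 1)
!
interface Ethernet4
   description user port explicitly assigned to the default VLAN
   switchport access vlan 1
!
interface Ethernet5
   description routed port, not a switchport
   no switchport
   ip address 10.0.0.1/31
!
interface Management1
   ip address 192.0.2.10/24
!
"""


def parse_interfaces(config):
    """Split an EOS running-config into {interface_name: [stripped config lines]}."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!") or not line.strip():
            current = None          # '!' terminates the interface block
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def access_vlan(lines):
    """Return the effective access VLAN of a switchport, or None if it is not an access port.

    EOS defaults every Ethernet/Port-Channel interface to a switchport in access mode on
    VLAN 1 unless 'no switchport' or a non-access 'switchport mode' is configured.
    """
    if "no switchport" in lines:
        return None                 # routed port, no VLAN membership
    mode, vlan = "access", DEFAULT_VLAN
    for line in lines:
        m = re.match(r"switchport mode (\S+)", line)
        if m:
            mode = m.group(1)
        m = re.match(r"switchport access vlan (\d+)", line)
        if m:
            vlan = int(m.group(1))
    return vlan if mode == "access" else None


def find_default_vlan_access_ports(config):
    """Names of access ports whose effective VLAN is the default VLAN (the STIG finding)."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith(("Ethernet", "Port-Channel")):
            continue                # Management and Vlan interfaces are not switchports
        if access_vlan(lines) == DEFAULT_VLAN:
            findings.append(name)
    return findings


def generate_fix(findings, target_vlan):
    """EOS config lines implementing Step 2 of the fix for each offending port."""
    lines = []
    for name in findings:
        lines += [f"interface {name}", f"   switchport access vlan {target_vlan}", "!"]
    return lines


if __name__ == "__main__":
    ports = find_default_vlan_access_ports(SAMPLE_RUNNING_CONFIG)
    print("Access ports in VLAN 1 (finding):", ports)
    print("\n".join(generate_fix(ports, 1000)))
```

Ethernet3 is the case the running-config alone hides: it carries no `switchport` statement at all, yet it is an access port in VLAN 1. Ethernet1 (trunk) and Ethernet5 (routed) are correctly excluded, since neither is an access port.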