The layer 2 switch must not use the default VLAN for management traffic.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-206669 | SRG-NET-000512-L2S-000010 | SV-206669r385561_rule | CCI-000366 | medium |
| Description | ||||
| Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly. | ||||
| STIG | Date | |||
| Layer 2 Switch Security Requirements Guide | 2025-03-05 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-206669r385561_chk)
Review the switch configuration and verify that the default VLAN is not used to access the switch for management.
If the default VLAN is being used to access the switch, this is a finding.
Fix Text (F-6927r298438_fix)
Configure the switch for management access to use a VLAN other than the default VLAN.