Rule ID
SV-255981r991775_rule
Version
V2R3
CCIs
In a VLAN-based network, switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
Review the Arista MLS switch configurations and verify no access switch ports have been assigned membership to the default VLAN (i.e., VLAN 1). switch(config)#sh vlan VLAN Name Status Ports ----- -------------------------------- --------- ------------------------------- 1 default 8 VLAN0008 active Cpu 25 VLAN0025 active Cpu 100 VLAN0100 active Cpu 1000 VLAN1000 active Eth1, Eth2 If access switch ports are assigned to the default VLAN, this is a finding.
Configure the Arista MLS switch to remove the assignment of the default VLAN from all access switch ports. Step 1: Configure the Default VLAN 1 to shut down by using the following command: switch:(config#)interface vlan 1 switch(config-int-vlan1)#shutdown Step 2: Configure all access switch ports to be placed in a VLAN other than the default (1): switch(config)#interface ethernet 8 switch(config-eth8)#switchport access vlan 1000 switch(config-eth8)#exit