← Back to RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide

V-273674

CAT II (Medium)

The RUCKUS ICX switch must disable the Multiple VLAN Registration Protocol (MVRP).

Rule ID

SV-273674r1110977_rule

STIG

RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000803

Discussion

MVRP provides central management of VLAN domains, thus reducing administration in a switched network. When configuring a new VLAN in MVRP, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. MVRP pruning preserves bandwidth by preventing VLAN traffic (unknown MAC, broadcast, multicast) from being sent down trunk links when not needed, that is, there are no access switch ports in neighboring switches belonging to such VLANs. An attack could allow unauthorized access to previously blocked VLANs or allow the addition of unauthorized switches into the domain. There is no authentication method available for MVRP to reduce this risk.

Check Content

Review the switch configuration to verify if MVRP is enabled.

Router(config)#show mvrp 
No mvrp configuration found
Router(config)                                                                                                 

If MVRP protocol response from show mvrp command indicates Enabled, this is a finding.

Fix Text

Configure the switch to disable Multiple VLAN Registration Protocol (MVRP).

1. Enter configuration mode:
device1# configure terminal

2. Disable MVRP:
Router(config)#no mvrp enable