STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Layer 2 Switch Security Requirements Guide

V-206666

CAT II (Medium)

The layer 2 switch must have all disabled switch ports assigned to an unused VLAN.

Rule ID

SV-206666r385561_rule

STIG

Layer 2 Switch Security Requirements Guide

Version

V3R4

CCIs

CCI-000366

Discussion

It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.

Check Content

Review the switch configurations and examine all access switch ports.  Each access switch port not in use should have membership to an inactive VLAN that is not used for any purpose and is not allowed on any trunk links.

If there are any access switch ports not in use and not in an inactive VLAN, this is a finding.

Note: Switch ports configured for 802.1x are exempt from this requirement.

Fix Text

Assign all switch ports not in use to an inactive VLAN.

Note: Switch ports configured for 802.1x are exempt from this requirement.