A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-273688

CAT II (Medium)

The RUCKUS ICX switch must have all disabled switch ports assigned to an unused VLAN.

Rule ID

SV-273688r1111017_rule

STIG

RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

A disabled port that is still assigned to a user or management VLAN may be re-enabled, by accident or by an attacker, and whatever is then connected to it gains access to that VLAN as a member.

Check Content

Review the switch configurations and examine all access switch ports. Each access switch port not in use must be a member of an inactive VLAN that is not used for any other purpose and is not allowed on any trunk links.

1. Show the VLAN.
Router#show vlan 888
PORT-VLAN 888, Name [None], Priority level0, Off
 Untagged Ports: (U1/M1)   5   6   7   8   9  10  11  12  13  14  15  16 
 Untagged Ports: (U1/M1)  17  18  19  20 
   Tagged Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled
SSH@ICX7550-48ZP-Router#

2. Confirm unused interfaces are disabled.
Router#show interface br ethernet 1/1/5 to 1/1/20

Port       Link    State   Dupl Speed Trunk Tag Pvid Pri MAC             Name
1/1/5      Disable None    None None  None  No  888  0   28b3.7129.8e5e                 
1/1/6      Disable None    None None  None  No  888  0   28b3.7129.8e5f                 
1/1/7      Disable None    None None  None  No  888  0   28b3.7129.8e60                 
1/1/8      Disable None    None None  None  No  888  0   28b3.7129.8e61                 
...

If any unused port is not both disabled and assigned to an unused VLAN, this is a finding.
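As an added illustration (not part of the STIG or of STIGhub), the following Python audits captured "show interface brief" and "show vlan" output against this check: each listed unused port must show Link=Disable with the unused VLAN as its PVID, and the unused VLAN must have no tagged (trunk) members. The port list, VLAN ID and sample rows are constructed assumptions.

```python
import re

# Constructed sample modelled on the check's table; the last two rows are deliberately non-compliant.
SHOW_INT_BRIEF = """\
Port       Link    State   Dupl Speed Trunk Tag Pvid Pri MAC             Name
1/1/5      Disable None    None None  None  No  888  0   28b3.7129.8e5e
1/1/6      Disable None    None None  None  No  888  0   28b3.7129.8e5f
1/1/7      Up      Forward Full 1G    None  No  888  0   28b3.7129.8e60
1/1/8      Disable None    None None  None  No  10   0   28b3.7129.8e61
"""

# Constructed "show vlan 888" output; "Tagged Ports: None" is what the check expects.
SHOW_VLAN_888 = """\
PORT-VLAN 888, Name Unused_ports, Priority level0, Off
 Untagged Ports: (U1/M1)   5   6   7   8
   Tagged Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled
"""

def parse_interface_brief(text):
    """Return {port: (link, pvid)} from the whitespace-delimited brief table."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not re.fullmatch(r"\d+/\d+/\d+", fields[0]):
            continue  # skip the header, blank lines and "..." continuation lines
        ports[fields[0]] = (fields[1], fields[7])  # Link column, Pvid column
    return ports

def vlan_has_tagged_ports(text):
    """True if the VLAN output lists any tagged (trunk) port membership."""
    m = re.search(r"Tagged Ports:\s*(.+)", text)
    return bool(m) and m.group(1).strip() != "None"

def audit_unused_ports(unused_ports, unused_vlan, brief_text, vlan_text):
    """Return one finding string per violation of this STIG check."""
    findings = []
    state = parse_interface_brief(brief_text)
    for port in unused_ports:
        link, pvid = state.get(port, ("missing", "missing"))
        if link != "Disable":
            findings.append(f"{port}: unused port is not disabled (Link={link})")
        if pvid != str(unused_vlan):
            findings.append(f"{port}: PVID {pvid} is not the unused VLAN {unused_vlan}")
    if vlan_has_tagged_ports(vlan_text):
        findings.append(f"VLAN {unused_vlan} is tagged on a port (allowed on a trunk)")
    return findings
```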

Fix Text

Assign all switch ports not in use to an inactive VLAN.

Create an unused VLAN:

1. Configure the VLAN.
ICX(config)#vlan 888 name Unused_ports

2. Add unused ports to VLAN.
ICX(config-vlan-888)#untag ethernet 1/1/5 to 1/1/20
Added untagged port(s) ethernet 1/1/5 to 1/1/20 to port-vlan 888.

3. Shut down all unused ports.
ICX(config)#interface ethernet 1/1/5 to 1/1/20

4. Disable unused ports.
ICX(config-mif-1/1/5-1/1/20)#disable
ICX(config-mif-1/1/5-1/1/20)#

Alternative approach:

1. Configure default VLAN ID and view assigned ports.
ICX(config)# default-vlan-id 4095
ICX(config)# show vlan 4095

Total PORT-VLAN entries: 20
Maximum PORT-VLAN entries: 1024

Legend: [Stk=Stack-Id, S=Slot]

PORT-VLAN 4095, Name DEFAULT-VLAN, Priority level0, On
 Untagged Ports: (U1/M1)   5   6   7   8   9  10  11  12  13  14  15  16 
 Untagged Ports: (U1/M1)  17  18  19  20 
 Tagged Ports: None
 Mac-Vlan Ports: None
     Monitoring: Disabled

2. Disable displayed ports.
ICX(config)# interface ethernet 1/1/5 to 1/1/20
ICX(config-mif-1/1/5-1/1/20)# disable