← Back to RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide

V-273691

CAT II (Medium)

The RUCKUS ICX switch must not use the default VLAN for management traffic.

Rule ID

SV-273691r1111060_rule

STIG

RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. Therefore, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.

Check Content

Review switch configuration to confirm the management VLAN is designated and is not VLAN 1.  

!
vlan 235 name mgmt-vlan
 tagged ethernet 1/2/1 
!

If the management VLAN is the same as the default VLAN or VLAN 1, this is a finding.

Fix Text

Configure a VLAN specifically for management use:

device(config)# vlan 235 name mgmt-vlan
device(config-vlan-235)# tag ethernet 1/2/1
device(config-vlan-235)# interface ve 235
device(config-vif-235)# ip addr x.x.x.x/x

Note: For L2 images prior to release 10.0, the management VLAN can be configured per the example below. The default-gateway statement sets a metric of 1.

device(config)# vlan 235 name mgmt-vlan
device(config-vlan-235)# tag ethernet 1/2/1
device(config-vlan-235)# management-vlan
device(config-vlan-235)# default-gateway x.x.x.x 1
device(config-vlan-235)# exit
device(config)# ip addr x.x.x.x/x