Detections
Analytics
CISC-L2-000260 - The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
Information
VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim's MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim's switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame on to the trunk link unaware of the inner tag with a VLAN ID of which the victim's switch port is a member.NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To ensure the integrity of the trunk link and prevent unauthorized access, the ID of the native VLAN of the trunk port must be changed from the default VLAN (i.e., VLAN 1) to its own unique VLAN ID.SW1(config)#int e0/1
SW1(config-if)#switchport trunk native vlan 44
Note: The native VLAN ID must be the same on both ends of the trunk link; otherwise, traffic could accidentally leak between broadcast domains.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y26M01_STIG.zip
Item Details
Audit Name: DISA Cisco NX OS Switch L2S STIG v3r3
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-7, CAT|II, CCI|CCI-004891, Rule-ID|SV-220695r991952_rule, STIG-ID|CISC-L2-000260, STIG-Legacy|SV-110365, STIG-Legacy|V-101261, Vuln-ID|V-220695
Plugin: Cisco
Control ID: d468b5e8a69fd37b5b1bc14599b3bd552fdda9533cfef6d13c4f7e1b3fa31df2