The Dell OS10 Switch must have all disabled switch ports assigned to an unused VLAN.

Severity: medium
Group ID: V-269966
Group Title: SRG-NET-000512-L2S-000007
Version: OS10-L2S-000210
Rule ID: SV-269966r1052284_rule
Date: 2024-12-11
STIG Version: 1
Description
It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.
Check
Review the switch configurations and examine all access switch ports. Each access switch port not in use should have membership to an inactive VLAN that is not used for any purpose and is not allowed on any trunk links.

Verify that there is a shutdown VLAN configured for unused ports:

!
interface vlan999
 description "Unused VLAN"
 shutdown

Verify that the unused switch ports are assigned to the inactive VLAN:

!
interface ethernet1/1/57
 shutdown
 switchport access vlan 999
 flowcontrol receive off
!
interface ethernet1/1/58
 shutdown
 switchport access vlan 999
 flowcontrol receive off

Verify that no trunk links are configured to accept the unused VLAN ID:

!
interface ethernet1/1/1
 no shutdown
 switchport mode trunk
 switchport access vlan 100
 flowcontrol receive off

If there are any access switch ports not in use and not in an inactive VLAN, this is a finding.
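The three verification steps above can be run mechanically over a saved running-config. The following audit script is an added example, not part of the STIG or of any Dell tooling; it assumes the `!`-delimited `show running-configuration` block layout shown above, the OS10 `switchport trunk allowed vlan` syntax for trunk membership, VLAN 1 as the default when no access VLAN is configured, and a constructed sample config with one compliant port, one disabled port left on VLAN 100, and one trunk that wrongly carries VLAN 999.

```python
# Constructed sample config, assuming the 'show running-configuration' layout.
SAMPLE_CONFIG = """\
interface vlan999
 shutdown
!
interface ethernet1/1/1
 switchport mode trunk
 switchport trunk allowed vlan 100,999
!
interface ethernet1/1/57
 shutdown
 switchport access vlan 999
!
interface ethernet1/1/58
 shutdown
 switchport access vlan 100
!
"""
def parse_interfaces(config):
    """Map interface name -> its stripped config lines; '!' closes a block."""
    blocks, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            cur = None
        elif cur is not None and line:
            cur.append(line)
    return blocks
def vlans_in(lines, keyword):
    """VLAN IDs from 'switchport <keyword> vlan 10,20-30' style lines."""
    ids = set()
    for l in (x for x in lines if x.startswith(f"switchport {keyword} vlan ")):
        for part in l.rsplit(None, 1)[1].split(","):
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids
def audit(config, unused_vlan=999):
    """Return finding strings for OS10-L2S-000210; an empty list is compliant."""
    findings, ifaces = [], parse_interfaces(config)
    if "shutdown" not in ifaces.get(f"vlan{unused_vlan}", []):
        findings.append(f"vlan{unused_vlan} missing or not shut down")
    for name, lines in [i for i in ifaces.items() if i[0].startswith("ethernet")]:
        access = vlans_in(lines, "access") or {1}  # assumed OS10 default VLAN 1
        if "switchport mode trunk" in lines:
            if unused_vlan in vlans_in(lines, "trunk allowed") | access:
                findings.append(f"{name}: trunk carries VLAN {unused_vlan}")
        elif "shutdown" in lines and unused_vlan not in access:
            findings.append(f"{name}: disabled port not in VLAN {unused_vlan}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the trunk on ethernet1/1/1 and the disabled ethernet1/1/58, while ethernet1/1/57 passes.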
Fix
Assign all switch ports not in use to an inactive VLAN.

Assign a VLAN interface to be unused:

OS10(config)# interface vlan 999
OS10(conf-if-vl-999)# description "Unused VLAN"
OS10(conf-if-vl-999)# shutdown
OS10(conf-if-vl-999)# exit

Assign unused switch ports to the unused VLAN:

OS10(config)# interface range eth1/1/50-1/1/58
OS10(conf-range-eth1/1/50-1/1/58)# switchport access vlan 999