The Juniper EX switch must be configured to assign all explicitly disabled access interfaces to an unused VLAN.

Severity: medium
Group ID: V-253966
Group Title: SRG-NET-000512-L2S-000007
Version: JUEX-L2-000190
Rule ID: SV-253966r1082973_rule
Date: 2025-03-07
STIG Version: 2
Description
It is possible that a configured but disabled access interface assigned to a user or management VLAN becomes enabled, by accident or by an attacker, and as a result gains access to that VLAN as a member. Unconfigured Junos interfaces are not capable of passing network traffic and do not participate in any user-configured VLANs.
Check
If this is an access interface configured for 802.1x, this is not applicable.

1. Review the switch configurations and examine all configured access interfaces.

2. Verify each configured access interface not in use has membership in an inactive VLAN that is not used for any purpose and is not allowed on any trunk links. Unconfigured interfaces should not be configured "disabled" merely to meet this requirement because unconfigured interfaces are incapable of passing network traffic.

   Verify a VLAN is configured for unused interfaces. In the following example, the VLAN name is "vlan_disabled", but that name should match local naming conventions.

       user@host> show configuration vlans
       vlan_disabled {
           vlan-id <VLAN ID>;
       }

3. Verify configured, but unused, interfaces are assigned to an unused VLAN either individually or via the "interface-range" command. Verify interfaces configured via "interface-range" are not also configured individually.

   Multiple interfaces simultaneously configured via interface-range:

       user@host> show configuration interfaces
       interface-range <name> {
           member <interface name>;
           member-range <starting interface name> to <ending interface name>;   <<< Member ranges are contiguous from <start interface> to <end interface> inclusive
           disable;
           unit 0 {
               family ethernet-switching {
                   vlan {
                       members vlan_disabled;
                   }
               }
           }
       }

4. Individually configured:

       user@host> show configuration interfaces
       <interface name> {
           disable;
           unit 0 {
               family ethernet-switching {
                   vlan {
                       members vlan_disabled;
                   }
               }
           }
       }

5. In the following example, "vlan_disabled" is designated for all configured, but disabled interfaces, and must not be configured on any trunked interface. Verify the unused VLAN is NOT a member of any trunked interface as in the example below.

       user@host> show configuration interfaces
       <interface name> {
           unit <logical unit> {
               family {
                   ethernet-switching {
                       interface-mode trunk;
                       vlan {
                           members [ vlan_name vlan_disabled ];
                       }
                   }
               }
           }
       }

6. Verify if there are unconfigured physical interfaces. These interfaces should not be configured merely to set them disabled because they are already incapable of passing network traffic, participating in protocols, and are not members of any user-configured VLANs.

       user@host> show interfaces terse
       ge-0/0/0          up    up
       ge-0/0/0.0        up    up    eth-switch
       ge-0/0/1          up    up
       ge-0/0/1.0        up    up    eth-switch
       …<snip>…
       ge-0/0/5          up    down
       ge-0/0/5.16386    up    down
       ge-0/0/6          up    down
       ge-0/0/6.16386    up    down
       ge-0/0/7          up    down
       ge-0/0/7.16386    up    down

7. As shown in the example above, ge-0/0/5 through ge-0/0/7 are unconfigured interfaces. Verify there is no configuration stanza for these interfaces.

       user@host> show configuration interfaces
       ge-0/0/0 {
           unit 0 {
               family ethernet-switching {
                   vlan {
                       members <VLAN name>;
                   }
               }
           }
       }
       ge-0/0/1 {
           unit 0 {
               family ethernet-switching {
                   vlan {
                       members <VLAN name>;
                   }
               }
           }
       }
       …<snip>…
       xe-0/1/0 {
           ether-options {
               802.3ad ae0;
           }
       }

8. The example above shows that ge-0/0/1 is the last configured access interface and the next configured interface is a 10GbE Link Aggregation Group (LAG) member. Because Junos lists interface names in ascending order, the example unconfigured interfaces (ge-0/0/5 through ge-0/0/7) would appear between the configured interfaces ge-0/0/1 and xe-0/1/0. Therefore, the subject interfaces, while present on the device, are not configured and are incapable of passing network traffic.

If there are any configured, but disabled access interfaces not in an inactive VLAN, this is a finding.
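The check steps above can be automated against a saved configuration. The following script is an added example, not part of the STIG text and not Juniper's own tooling. It assumes the configuration has been captured in "show configuration | display set" form (one "set ..." statement per line), that the inactive VLAN name is supplied by the caller (the STIG example uses "vlan_disabled"), and that 802.1x access ports can be recognised from "set protocols dot1x authenticator interface <name>" lines. The sample configuration embedded in the script is constructed for illustration. The script expands interface-range members, folds range settings into each member port the way Junos merges them, and reports the three conditions the check describes: a disabled access port whose membership is anything other than the inactive VLAN, a trunk that carries the inactive VLAN, and a port configured both individually and through an interface-range.

```python
"""Audit a Junos EX 'display set' configuration for JUEX-L2-000190.

Added example (not from the STIG or Juniper). Assumes one 'set ...' per line,
a caller-supplied inactive VLAN name, and that 802.1x ports appear under
'set protocols dot1x authenticator interface <name>'.
"""
import re
from collections import defaultdict

# Constructed sample of 'show configuration | display set'; not from a real switch.
SAMPLE_CONFIG = """\
set vlans users vlan-id 10
set vlans vlan_disabled vlan-id 999
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/1 disable
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/2 disable
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces interface-range unused member ge-0/0/3
set interfaces interface-range unused member-range ge-0/0/4 to ge-0/0/6
set interfaces interface-range unused disable
set interfaces interface-range unused unit 0 family ethernet-switching vlan members vlan_disabled
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/7 disable
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members users
set protocols dot1x authenticator interface ge-0/0/7 supplicant multiple
set interfaces xe-0/1/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members users
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members vlan_disabled
"""

IFACE_RE = re.compile(r"^([a-z]+)-(\d+)/(\d+)/(\d+)$")

def expand_range(start, end):
    """Expand 'member-range ge-0/0/4 to ge-0/0/6' into the contiguous port list.
    Assumes both ends share the same type/FPC/PIC, as the STIG's example does."""
    s, e = IFACE_RE.match(start), IFACE_RE.match(end)
    if not (s and e) or s.group(1, 2, 3) != e.group(1, 2, 3):
        raise ValueError(f"unsupported member-range {start} to {end}")
    prefix = f"{s.group(1)}-{s.group(2)}/{s.group(3)}/"
    return [prefix + str(p) for p in range(int(s.group(4)), int(e.group(4)) + 1)]

def _new_entry():
    return {"disabled": False, "trunk": False, "vlans": set(), "sources": set(), "ports": []}

def _apply(entry, rest):
    """Record disable, trunk mode and VLAN membership from the tail of a 'set interfaces' line."""
    if rest == ["disable"]:
        entry["disabled"] = True
    elif rest[-2:] == ["interface-mode", "trunk"]:
        entry["trunk"] = True
    elif "vlan" in rest and "members" in rest:
        entry["vlans"].add(rest[-1])

def parse_display_set(text):
    """Return (vlan names, 802.1x ports, per-interface entries) with interface-ranges folded in."""
    vlans, dot1x = set(), set()
    ifaces, ranges = defaultdict(_new_entry), defaultdict(_new_entry)
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "vlans":
            vlans.add(tok[2])
        elif len(tok) > 5 and tok[1:5] == ["protocols", "dot1x", "authenticator", "interface"]:
            dot1x.add(tok[5])
        elif tok[1] == "interfaces" and tok[2] == "interface-range":
            r, rest = ranges[tok[3]], tok[4:]
            if rest[:1] == ["member"]:
                r["ports"].append(rest[1])
            elif rest[:1] == ["member-range"]:
                r["ports"].extend(expand_range(rest[1], rest[3]))
            else:
                _apply(r, rest)
        elif tok[1] == "interfaces":
            ifaces[tok[2]]["sources"].add("individual")
            _apply(ifaces[tok[2]], tok[3:])
    # Fold each range's settings into its member ports, as Junos does when it merges them.
    for rname, r in ranges.items():
        for port in r["ports"]:
            e = ifaces[port]
            e["sources"].add(f"interface-range {rname}")
            e["disabled"] |= r["disabled"]
            e["trunk"] |= r["trunk"]
            e["vlans"] |= r["vlans"]
    return vlans, dot1x, ifaces

def audit(text, unused_vlan="vlan_disabled"):
    """Return a list of (object, reason) findings following the STIG check steps."""
    vlans, dot1x, ifaces = parse_display_set(text)
    findings = []
    if unused_vlan not in vlans:
        findings.append(("vlans", f"{unused_vlan} is not defined under 'vlans'"))
    for name in sorted(ifaces):
        e = ifaces[name]
        if name in dot1x:
            continue  # 802.1x access ports are exempt from this requirement
        if len(e["sources"]) > 1:
            extra = ", ".join(sorted(e["sources"] - {"individual"}))
            findings.append((name, f"configured both individually and via {extra}"))
        if e["trunk"]:
            if unused_vlan in e["vlans"]:
                findings.append((name, f"trunk carries {unused_vlan}"))
        elif e["disabled"] and e["vlans"] != {unused_vlan}:
            found = sorted(e["vlans"]) or "no VLAN"
            findings.append((name, f"disabled access interface is in {found}, not only {unused_vlan}"))
    return findings

if __name__ == "__main__":
    for obj, reason in audit(SAMPLE_CONFIG):
        print(f"FINDING {obj}: {reason}")
```

Run against the embedded sample, the script reports ge-0/0/1 (disabled but still in "users"), ge-0/0/5 twice (configured both individually and via the range, and therefore in two VLANs), and xe-0/1/0 (trunk carrying vlan_disabled); ge-0/0/7 is skipped as an 802.1x port. Unconfigured ports (check steps 6 to 8) never appear in "display set" output, so they produce no entry and no finding, which matches the STIG's guidance not to configure them.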
Fix
Disable all configured access interfaces not in use and assign them to an inactive VLAN, or remove the interface configuration from the device. Switch ports configured for 802.1x are exempt from this requirement.

1. In this example, "vlan_disabled" is the name given to the VLAN for unused interfaces. This VLAN name can be any legal name. Configure a range of interfaces.

       user@host> configure
       user@host# set vlans vlan_disabled vlan-id <VLAN ID>
       user@host# set interfaces interface-range <name> member <interface name>
       user@host# set interfaces interface-range <name> member-range <starting interface name> to <ending interface name>
       user@host# set interfaces interface-range <name> disable
       user@host# set interfaces interface-range <name> unit 0 family ethernet-switching vlan members vlan_disabled

2. Configure individual interfaces.

       user@host# set interfaces <interface name> disable
       user@host# set interfaces <interface name> unit 0 family ethernet-switching vlan members vlan_disabled

3. Delete the unused VLAN from all trunked interfaces.

       user@host# delete interfaces <trunked interface> unit 0 family ethernet-switching vlan members vlan_disabled

4. Remove the access interface configuration from unused interfaces.

       user@host# delete interfaces <interface name>