Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
SRG-NET-000168-L2S-000019
The Juniper layer 2 switch must be configured to disable all dynamic VLAN registration protocols.
The Juniper layer 2 switch must be configured to disable all dynamic VLAN registration protocols.
An XCCDF Rule
Details
Profiles
Prose
The Juniper layer 2 switch must be configured to disable all dynamic VLAN registration protocols.
Medium Severity
<VulnDiscussion>Dynamic VLAN registration protocols provide centralized management of VLAN domains, which can reduce administration in a switched network. Interfaces are assigned to VLANs and the VLAN is dynamically registered on the trunked interface. Removing the last active interface from the VLAN automatically prunes the VLAN from the trunked interface, preserving bandwidth. Member switches remain synchronized via the exchange of Protocol Data Units (PDU). Protocols like Cisco VLAN Trunk Protocol (VTP) and IEEE 802.1ak Multiple VLAN Registration Protocol (MVRP) permit dynamically registering/de-registering VLANs on trunked interfaces. Without authentication, forged PDUs can allow access to previously inaccessible VLANs, or inclusion of unauthorized VLANs or switches. Only VTP currently supports authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>