Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Cisco IOS Switch L2S Security Technical Implementation Guide
SRG-NET-000512-L2S-000012
The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
An XCCDF Rule
Details
Profiles
Prose
The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links.
Medium Severity
<VulnDiscussion>VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim’s MAC address, it can forge a frame with two 802.1q tags and a Layer 2 header with the destination address of the victim. Because the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim’s switch will remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame on to the trunk link, unaware of the inner tag with a VLAN ID of which the victim’s switch port is a member.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>