The Juniper EX switch must not have a native VLAN ID assigned, or have a unique native VLAN ID, for all 802.1q trunk links.

An XCCDF Rule

Description

<VulnDiscussion>By default, Juniper switches do not assign a native VLAN to any trunked interface. Allowing trunked interfaces to accept untagged data packets may unintentionally expose VLANs to unauthorized devices that could result in network exploration, unauthorized resource access, or a DoS condition. If a network function requires a native VLAN it must be unique.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-253971r843946_rule
Severity: Medium
References: CCI-000366
Updated: 8 months ago

To ensure the integrity of the trunk link, either remove the native VLAN ID or configure the native VLAN ID with a unique value. If used, the native VLAN ID must be the same on both ends of the trunk link. 

Example deleting a native VLAN ID:
delete interfaces <interface name> native-vlan-id

Example configuring a native VLAN ID:set interfaces <interface name> native-vlan-id <VLAN ID not 1>

Example configuring a VLAN used as native for any trunked interface:
set vlans vlan_name vlan-id 30

The Juniper EX switch must not have a native VLAN ID assigned, or have a unique native VLAN ID, for all 802.1q trunk links.

Description

Remediation - Manual Procedure