The Arista MLS layer 2 switch must not use the default VLAN for management traffic.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-255983 | SRG-NET-000512-L2S-000010 | ARST-L2-000200 | SV-255983r991777_rule | 2025-05-19 | 2 |
Description
Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. As a consequence, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
ℹ️ Check
Verify the Arista MLS configuration for a Management_Network VRF instance globally on the switch with the following example:
```
switch(config)#sh run | sec vrf
ip name-server vrf default 192.168.10.20
!
vrf instance Management_Network
!
interface Ethernet12
   description MANAGEMENT NETWORK PORT
   no switchport
   vrf Management_Network
   ip address 10.10.40.254/30
!
ip routing vrf Management_Network
```
If the VRF is not configured to prevent the default VLAN from being used to access the switch, this is a finding.
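The check above can be automated against saved `show running-config` output. The following is an added example, not part of the STIG or Arista's tooling; the two config samples are constructed, and the section parser assumes EOS's convention of indenting child lines under a block header and closing blocks with `!`.

```python
# Constructed sample configs (not captured from a real device).
SAMPLE_COMPLIANT = """\
ip name-server vrf default 192.168.10.20
!
vrf instance Management_Network
!
interface Ethernet12
   description MANAGEMENT NETWORK PORT
   no switchport
   vrf Management_Network
   ip address 10.10.40.254/30
!
ip routing vrf Management_Network
"""

SAMPLE_FINDING = """\
interface Vlan1
   ip address 10.10.1.2/24
!
interface Ethernet12
   no switchport
   ip address 10.10.40.254/30
"""

def parse_sections(config):
    """Split EOS config into (header, [child lines]); indented lines belong
    to the preceding header and '!' or a blank line closes the block."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            if header: blocks.append((header, body))
            header, body = None, []
        elif raw[:1].isspace() and header:
            body.append(line)
        else:
            if header: blocks.append((header, body))
            header, body = line, []
    if header: blocks.append((header, body))
    return blocks

def check_mgmt_vrf(config, vrf="Management_Network"):
    """Return a list of finding strings; an empty list means compliant."""
    blocks, findings = parse_sections(config), []
    has_ip = lambda b: any(l.startswith("ip address") for l in b)
    if f"vrf instance {vrf}" not in [h for h, _ in blocks]:
        findings.append(f"VRF instance {vrf} is not configured")
    if not any(h.startswith("interface ") and f"vrf {vrf}" in b and has_ip(b)
               for h, b in blocks):
        findings.append(f"no addressed interface is placed in VRF {vrf}")
    if any(h == "interface Vlan1" and has_ip(b) for h, b in blocks):
        findings.append("default VLAN (Vlan1) carries a management IP address")
    return findings
```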
✔️ Fix
Step 1: Configure the Arista MLS switch for a VRF instance for Management Network access by using the following commands:
```
switch(config)#vrf instance Management_Network
switch(config-vrf-Management_Network)#exit
```
Step 2: Configure the Ethernet port for VRF Management_Network and IP address for the management network traffic:
```
switch(config)#interface Ethernet12
switch(config-if-Et12)#no switchport
switch(config-if-Et12)#vrf Management_Network
switch(config-if-Et12)#ip address 10.10.40.254/30
switch(config-if-Et12)#exit
```