The RUCKUS ICX switch must have all disabled switch ports assigned to an unused VLAN.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-273688 | RCKS-L2S-000210 | SV-273688r1111017_rule | | Medium |
Description
A disabled port that is still assigned to a user or management VLAN can be enabled by accident or by an attacker, and whatever is connected to it then gains access to that VLAN as a member.
STIG | Date |
RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide | 2025-06-03 |
Details
Check Text (C-77779r1111017_chk)
Review the switch configurations and examine all access switch ports. Each access switch port not in use must have membership to an inactive VLAN that is not used for any purpose and is not allowed on any trunk links.

1. Show the VLAN.

Router#show vlan 888
PORT-VLAN 888, Name [None], Priority level0, Off
 Untagged Ports: (U1/M1)   5   6   7   8   9  10  11  12  13  14  15  16
 Untagged Ports: (U1/M1)  17  18  19  20
   Tagged Ports: None
   Mac-Vlan Ports: None
 Monitoring: Disabled
SSH@ICX7550-48ZP-Router#

2. Confirm unused interfaces are disabled.

Router#show interface br ethernet 1/1/5 to 1/1/20
Port    Link    State  Dupl  Speed  Trunk  Tag  Pvid  Pri  MAC             Name
1/1/5   Disable None   None  None   None   No   888   0    28b3.7129.8e5e
1/1/6   Disable None   None  None   None   No   888   0    28b3.7129.8e5f
1/1/7   Disable None   None  None   None   No   888   0    28b3.7129.8e60
1/1/8   Disable None   None  None   None   No   888   0    28b3.7129.8e61
...

If unused ports are not both disabled and assigned to an unused VLAN, this is a finding.
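The two conditions in the check (every disabled port sits in the unused VLAN, and every port in the unused VLAN is disabled and never tagged) can be verified mechanically against captured show output. The script below is an added example, not part of the STIG or any RUCKUS tooling; it assumes the column layout shown in step 2, that administratively disabled ports report Link as Disable, and that 888 is the chosen unused VLAN. The sample output is constructed and seeded with two deliberate findings.

```python
"""Audit captured RUCKUS ICX 'show interface brief' output for RCKS-L2S-000210.

Assumptions (not from the STIG): column order Port Link State Dupl Speed
Trunk Tag Pvid Pri MAC Name, as in the check text, and a Link value of
'Disable' for administratively disabled ports.
"""
import re

# Constructed sample in the same layout as the check text. Two deliberate
# findings: 1/1/9 is disabled but still in user VLAN 10, and 1/1/10 is in
# the unused VLAN but only link-down, not administratively disabled.
SAMPLE_BRIEF = """\
Port    Link    State   Dupl  Speed  Trunk  Tag  Pvid  Pri  MAC             Name
1/1/1   Up      Forward Full  1G     None   No   10    0    28b3.7129.8e5a  uplink
1/1/5   Disable None    None  None   None   No   888   0    28b3.7129.8e5e
1/1/6   Disable None    None  None   None   No   888   0    28b3.7129.8e5f
1/1/9   Disable None    None  None   None   No   10    0    28b3.7129.8e62
1/1/10  Down    None    None  None   None   No   888   0    28b3.7129.8e63
"""

# Captures Port, Link, Tag and Pvid; State, Dupl, Speed and Trunk are skipped.
# The header row has no numeric Pvid, so it never matches.
ROW = re.compile(r"^(\d+/\d+/\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\d+)\b")


def audit_interface_brief(text, unused_vlan):
    """Return [(port, reason)] for every row that fails the STIG check.

    Rule 1: an administratively disabled port must carry the unused VLAN
    as its PVID.  Rule 2: a port whose PVID is the unused VLAN must be
    disabled and must not carry that VLAN tagged (trunk exposure).
    """
    findings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, prompt or blank line
        port, link, tag, pvid = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if link == "Disable" and pvid != unused_vlan:
            findings.append((port, f"disabled port still in VLAN {pvid}"))
        if pvid == unused_vlan and link != "Disable":
            findings.append((port, "port in unused VLAN is not administratively disabled"))
        if pvid == unused_vlan and tag != "No":
            findings.append((port, "unused VLAN is tagged on this port"))
    return findings


if __name__ == "__main__":
    for port, reason in audit_interface_brief(SAMPLE_BRIEF, 888):
        print(f"FINDING {port}: {reason}")
```

Feed it the saved output of `show interface brief` for the whole switch rather than the sample to audit a real configuration; any returned tuple is a finding under this rule.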
Fix Text (F-77684r1111012_fix)
Assign all switch ports not in use to an inactive VLAN.

Create unused VLAN:

1. Configure the VLAN.
ICX(config)#vlan 888 name Unused_ports

2. Add unused ports to VLAN.
ICX(config-vlan-888)#untag ethernet 1/1/5 to 1/1/20
Added untagged port(s) ethernet 1/1/5 to 1/1/20 to port-vlan 888.

3. Shut down all unused ports.
ICX(config)#interface ethernet 1/1/5 to 1/1/20

4. Disable unused ports.
ICX(config-mif-1/1/5-1/1/20)#disable
ICX(config-mif-1/1/5-1/1/20)#

Alternative approach:

1. Configure default VLAN ID and view assigned ports.
ICX(config)# default-vlan-id 4095
ICX(config)# show vlan 4095
Total PORT-VLAN entries: 20
Maximum PORT-VLAN entries: 1024
Legend: [Stk=Stack-Id, S=Slot]
PORT-VLAN 4095, Name DEFAULT-VLAN, Priority level0, On
 Untagged Ports: (U1/M1)   5   6   7   8   9  10  11  12  13  14  15  16
 Untagged Ports: (U1/M1)  17  18  19  20
   Tagged Ports: None
   Mac-Vlan Ports: None
 Monitoring: Disabled

2. Disable displayed ports.
ICX(config)# interface ethernet 1/1/5 to 1/1/20
ICX(config-mif-1/1/5-1/1/20)# disable
Assign all switch ports not in use to an inactive VLAN. Create unused VLAN: 1. Configure the VLAN. ICX(config)#vlan 888 name Unused_ports 2. Add unused ports to VLAN. ICX(config-vlan-888)#untag ethernet 1/1/5 to 1/1/20 Added untagged port(s) ethernet 1/1/5 to 1/1/20 to port-vlan 888. 3. Shut down all unused ports. ICX(config)#interface ethernet 1/1/5 to 1/1/20 ICX(config)#interface ethernet 1/1/5 to 1/1/20 4. Disable unused ports. ICX(config-mif-1/1/5-1/1/20)#disable ICX(config-mif-1/1/5-1/1/20)# Alternative approach: 1. Configure default VLAN ID and view assigned ports. ICX(config)# default-vlan-id 4095 ICX(config)# show vlan 4095 Total PORT-VLAN entries: 20 Maximum PORT-VLAN entries: 1024 Legend: [Stk=Stack-Id, S=Slot] PORT-VLAN 4095, Name DEFAULT-VLAN, Priority level0, On Untagged Ports: (U1/M1) 5 6 7 8 9 10 11 12 13 14 15 16 Untagged Ports: (U1/M1) 17 18 19 20 Tagged Ports: None Mac-Vlan Ports: None Monitoring: Disabled 2. Disable displayed ports. ICX(config)# interface ethernet 1/1/5 to 1/1/20 ICX(config-mif-1/1/5-1/1/20)# disable |