The RUCKUS ICX switch must not use the default VLAN for management traffic.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-273691 | RCKS-L2S-000240 | SV-273691r1111060_rule | Medium |
| Description |
| Switches use the default VLAN (i.e., VLAN 1) for in-band management and to communicate with directly connected switches using Spanning-Tree Protocol (STP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP)—all untagged traffic. Therefore, the default VLAN may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly. |
| STIG | Date |
| RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide | 2025-06-03 |
Details
| Check Text (C-77782r1110094_chk) |
| Review switch configuration to confirm the management VLAN is designated and is not VLAN 1. ! vlan 235 name mgmt-vlan tagged ethernet 1/2/1 ! If the management VLAN is the same as the default VLAN or VLAN 1, this is a finding. |
| Fix Text (F-77687r1110095_fix) |
| Configure a VLAN specifically for management use: device(config)# vlan 235 name mgmt-vlan device(config-vlan-235)# tag ethernet 1/2/1 device(config-vlan-235)# interface ve 235 device(config-vif-235)# ip addr x.x.x.x/x Note: For L2 images prior to release 10.0, the management VLAN can be configured per the example below. The default-gateway statement sets a metric of 1. device(config)# vlan 235 name mgmt-vlan device(config-vlan-235)# tag ethernet 1/2/1 device(config-vlan-235)# management-vlan device(config-vlan-235)# default-gateway x.x.x.x 1 device(config-vlan-235)# exit device(config)# ip addr x.x.x.x/x |