STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to Layer 2 Switch Security Requirements Guide

V-206666

CAT II (Medium)

The layer 2 switch must have all disabled switch ports assigned to an unused VLAN.

Rule ID

SV-206666r385561_rule

STIG

Layer 2 Switch Security Requirements Guide

Version

V3R4

CCIs

CCI-000366

Discussion

It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.

Check Content

Review the switch configurations and examine all access switch ports.  Each access switch port not in use should have membership to an inactive VLAN that is not used for any purpose and is not allowed on any trunk links.

If there are any access switch ports not in use and not in an inactive VLAN, this is a finding.

Note: Switch ports configured for 802.1x are exempt from this requirement.

Fix Text

Assign all switch ports not in use to an inactive VLAN.

Note: Switch ports configured for 802.1x are exempt from this requirement.