Free DISA STIG and SRG Library | Vaulted


The HP FlexFabric Switch must have the native VLAN assigned to a VLAN ID other than the default VLAN ID for all 802.1q trunk links.

Finding ID
Rule ID
Cat II
Group Title
Target Key

VLAN hopping can be initiated by an attacker who has access to a switch port belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch that the victim is connected to. If the attacker knows the victim’s MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim’s switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame on to the trunk link unaware of the inner tag with a VLAN ID of which the victim’s switch port is a member.

Fix Text

Configure the ID of the native vlan on all trunk port(s). [HP-GigabitEthernet1/0/13] undo port trunk permit vlan 1 [HP-GigabitEthernet1/0/13]port trunk pvid vlan 4017

Check Content

Review the HP FlexFabric Switch configurations and examine all trunk links. Verify the native VLAN has been configured to a VLAN ID other than the default VLAN 1. Connect to switch via console or SSH. <HP> display current interface Bridge-Aggregation # interface Bridge-Aggregation1 description To-DistroEast(10G) port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 2100 to 2102 4017 port trunk pvid vlan 4017 link-aggregation mode dynamic If any of the trunk links are assigned to VLAN 1, this is a finding.