Network & Boundary

Switch Integration & VLAN Topology

Replaces inferred VLAN boundaries with authoritative ones the assessor cannot argue with.

Covered practices · NIST SP 800-171 Rev 2
  • 3.13.1 Boundary protection (Primary)
  • 3.13.6 Deny by default, permit by exception (Primary)
  • 3.13.11 FIPS-validated cryptography
  • 3.13.3 Separation of system management
  • 3.1.1 Limit access to authorized users

4+ switch vendors integrated, plus generic SNMP fallback

The problem

Without switch access, network segmentation findings are educated guesses. A printer on the same /24 as a workstation might or might not be on the same VLAN. A hardware refresh that left a host on the wrong VLAN looks identical to one that did not. The assessor asks for the switch config, the contractor cannot produce a definitive answer in the timeframe required, and the finding stands at full deduction value.

With switch access, the same questions have one-sentence answers. The VLAN table maps every port to a VLAN. The CAM table maps every MAC to a port. Cross-referencing the network scanner's discovered hosts against the CAM table yields each host's actual VLAN: printer, server, OT controller, every one of them. Trunk port configurations expose whether segmentation is enforced at the boundary or whether VLANs 1 through 4094 are allowed on every trunk.

SNMP v2c with the public community string is itself a finding, since the switch configuration is readable to anyone on the network. SNMP v3 with MD5 auth or DES privacy fails 3.13.11 on the management plane outright. The integration audits its own connection method while it gathers topology data, so the agent never becomes a finding the assessor records.

What CMMC requires

NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.

Primary mapping

NIST 3.13.1 Boundary protection

Provides authoritative VLAN boundaries rather than inferred ones. Trunk-port findings expose where the boundary protection mechanism is defined but not actually enforced.

NIST 3.13.6 Deny by default, permit by exception

The VLAN table and CAM table together produce the authoritative permit-list. Unnamed VLANs and unexpected hosts are exceptions that were never documented or reviewed.

Secondary mapping

NIST 3.13.11 FIPS-validated cryptography

Audits the management channel to the switch: SNMP v3 with MD5 or DES uses non-FIPS algorithms on the channel that carries CUI boundary configuration.

NIST 3.13.3 Separation of system management

Confirms definitively, from the switch's own data, when printers, OT devices, or guest devices share a VLAN with CUI hosts.

NIST 3.1.1 Limit access to authorized users

SNMP v2c with the public community grants unauthenticated read access to switch configuration to every host on the network.

How it works

Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.

Linux

Listens passively for LLDP and CDP frames for 60 seconds with raw socket access (CAP_NET_RAW). Walks Q-BRIDGE-MIB (1.3.6.1.2.1.17.7.1.4.3) for VLAN tables and BRIDGE-MIB (1.3.6.1.2.1.17.4.3.1 / 1.3.6.1.2.1.17.7.1.2.2) for CAM table data via SNMP v2c or v3. Falls back to SSH with vendor-specific commands: show vlan brief / show mac address-table on Cisco IOS, show vlans / show ethernet-switching table on JunOS, show vlans / show mac-address on HP-Aruba, and mca-dump on UniFi.

Windows

Uses Windows raw socket APIs (Npcap) for LLDP/CDP capture across each configured subnet. SNMP and SSH paths work the same way as Linux against the same MIB tree, with credentials stored in Windows Credential Manager through the system keychain abstraction. No plaintext credentials touch disk at any point.

macOS

macOS Keychain stores switch credentials transparently. LLDP capture requires root for raw socket access, with the same explicit runtime warning as the network scanner if elevation is unavailable. SNMP and SSH paths work fully unprivileged so most of the audit completes without elevation.
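As an added illustration of the cross-reference described above (example code written for this page, not the agent's own implementation), the following walks a constructed snmpwalk-style dump of the Q-BRIDGE-MIB dot1qTpFdbPort and dot1qVlanStaticName columns, joins it with a constructed scanner host list, and emits the printer-on-CUI-VLAN, OT-on-CUI-VLAN and unnamed-VLAN findings. Host roles, the host list and the OT OUI table are assumptions made up for the example.

```python
# Constructed snmpwalk-style dump (not from a real switch). Row formats:
#   dot1qTpFdbPort      .1.3.6.1.2.1.17.7.1.2.2.1.2.<vlan>.<mac as 6 decimal octets> = port
#   dot1qVlanStaticName .1.3.6.1.2.1.17.7.1.4.3.1.1.<vlan> = name
SNMP_WALK = """\
.1.3.6.1.2.1.17.7.1.2.2.1.2.10.0.80.86.1.2.3 = INTEGER: 3
.1.3.6.1.2.1.17.7.1.2.2.1.2.10.0.23.200.10.11.12 = INTEGER: 7
.1.3.6.1.2.1.17.7.1.2.2.1.2.10.0.128.247.9.9.9 = INTEGER: 8
.1.3.6.1.2.1.17.7.1.2.2.1.2.20.0.80.86.4.5.6 = INTEGER: 12
.1.3.6.1.2.1.17.7.1.4.3.1.1.10 = STRING: "CUI-SERVERS"
.1.3.6.1.2.1.17.7.1.4.3.1.1.20 = STRING: "PRINTERS"
.1.3.6.1.2.1.17.7.1.4.3.1.1.99 = STRING: ""
"""
FDB_PREFIX = ".1.3.6.1.2.1.17.7.1.2.2.1.2."
NAME_PREFIX = ".1.3.6.1.2.1.17.7.1.4.3.1.1."

SCANNER_HOSTS = [  # constructed scanner output; roles come from the scanner, not the switch
    {"ip": "10.0.10.5", "mac": "00:50:56:01:02:03", "role": "cui-server"},
    {"ip": "10.0.10.20", "mac": "00:17:c8:0a:0b:0c", "role": "printer"},
    {"ip": "10.0.10.30", "mac": "00:80:f7:09:09:09", "role": "unknown"},
    {"ip": "10.0.20.9", "mac": "00:50:56:04:05:06", "role": "printer"},
]
OT_OUIS = {"00:80:f7"}  # placeholder OUI table for the example, not a real vendor list


def parse_walk(text):
    """Return ({mac: (vlan, port)}, {vlan: name}) from snmpwalk-style lines."""
    fdb, names = {}, {}
    for line in text.splitlines():
        oid, _, value = line.partition(" = ")
        if oid.startswith(FDB_PREFIX):
            idx = oid[len(FDB_PREFIX):].split(".")  # [vlan, o1..o6]
            mac = ":".join(f"{int(o):02x}" for o in idx[1:7])
            fdb[mac] = (int(idx[0]), int(value.split(": ")[1]))
        elif oid.startswith(NAME_PREFIX):
            names[int(oid[len(NAME_PREFIX):])] = value.split(": ", 1)[1].strip('"')
    return fdb, names


def assess(walk_text, hosts, ot_ouis):
    fdb, names = parse_walk(walk_text)
    # CUI VLANs are wherever the switch says the scanner's CUI servers actually sit.
    cui_vlans = {fdb[h["mac"]][0] for h in hosts if h["role"] == "cui-server" and h["mac"] in fdb}
    findings = []
    for h in hosts:
        vlan, port = fdb.get(h["mac"], (None, None))
        if vlan not in cui_vlans:
            continue
        if h["mac"][:8] in ot_ouis:  # OT vendor OUI sharing a VLAN with CUI hosts
            findings.append(("CRITICAL", f"OT device {h['mac']} on CUI VLAN {vlan} (port {port})"))
        elif h["role"] == "printer":
            findings.append(("HIGH", f"Printer {h['ip']} on CUI VLAN {vlan} (port {port})"))
    for vlan, name in sorted(names.items()):
        if not name:
            findings.append(("MEDIUM", f"Unnamed VLAN {vlan} exists on switch"))
    return findings
```

Each finding carries the switch port and VLAN ID, which is what the POA&M item references.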

What it finds

Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.

  • CRITICAL
    OT device MAC on CUI VLAN
    Industrial controller's MAC OUI matches a known OT vendor and the CAM table places it on the same VLAN as a CUI server. Network segmentation is not enforced where it must be.
  • HIGH
    Trunk port allows VLANs 1-4094
    Trunk port at the CUI boundary has no VLAN restriction; segmentation is defined but not enforced. Any VLAN can traverse the trunk, including ones that should not cross the boundary.
  • HIGH
    Printer VLAN matches CUI host VLAN
    Switch CAM table confirms the printer and a CUI server are on the same VLAN. No longer a heuristic; a definitive 3.13.3 finding.
  • HIGH
    SNMP v2c public community responding
    Switch configuration is readable by any host on the network. The configuration that enforces the CUI boundary is itself unprotected.
  • HIGH
    SNMP v3 using DES privacy
    Switch management channel uses a non-FIPS-approved cipher. Configuration data, including VLAN assignments, transits a channel that does not protect it under 3.13.11.
  • MEDIUM
    Unnamed VLAN exists on switch
    VLAN ID configured with no name set. May be a forgotten segment from a previous deployment; every VLAN should be intentional and documented.

SPRS impact

Switch-level findings convert heuristic 3.13.1 (5-point) and 3.13.3 (3-point) findings into definitive ones, which is what the assessor will write down regardless of contractor explanation. Trunk-port misconfigurations alone hit 3.13.1 (5 points) and 3.13.2 (3 points). SNMP v3 with non-FIPS auth or privacy adds 3.13.11 (5 points) on the management plane. The combined exposure for an unsegmented OT-on-CUI environment is routinely 13+ points across three controls, and authoritative VLAN data is the only way to argue any of those findings down.

How it hooks into the platform

With switch credentials registered once in the platform's keychain, Tolerance polls VLAN and CAM tables on a cadence and merges them with network-scanner output. You choose whether the switch dump and merged topology stay on-prem or sync up. VLAN data renders into the SSP network diagram as Mermaid subgraph blocks, so the assessor sees actual VLANs rather than subnets labeled VLAN. Trunk configuration appears in the 3.13.1 boundary narrative; POA&M items reference the switch port and VLAN ID. New VLANs or hosts moving between VLANs alert on the next poll.

How we know it's working

Acceptance criteria from the engineering spec: what the agent must do to ship.

  • Pulls VLAN and CAM data via SNMP v2c, SNMP v3, or vendor SSH
  • Parses Cisco IOS, JunOS, HP-Aruba, and UniFi command output natively
  • Captures LLDP and CDP frames passively across configured subnets
  • Returns definitive printer-on-CUI-VLAN findings when switch data is present
  • Always flags trunk ports with all VLANs (1-4094) permitted as findings
  • Stores credentials only in the system keychain, never on disk
  • Degrades gracefully within 30 seconds of any SNMP or SSH timeout

Run this agent against your environment.

Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.
