Forescout's "Assign to VLAN" action modifies the live running-config of a network switch. To revert this change, Forescout reads and internally saves the port's original configuration from the running-config before applying the action. However, the running-config is dynamic. If any subsequent changes are made to that port's configuration (by an administrator or an automated process) while the action is active, the state saved by Forescout becomes outdated. A policy that records the original VLAN as a persistent host property creates a reliable source of truth, ensuring the device can be correctly restored to its original network segment regardless of interim changes to the switch's running-config.

A. Forescout interacts with the live running-config for real-time port changes, not the startup-config, which is only loaded on boot.

B. Saving the configuration (copy run start) does not alter the running-config; it merely backs it up to the startup-config.

C. This is partially correct, but "any changes" is more accurate as modifications can also come from automated scripts or other network management systems, not just administrators.

E. This is incorrect for two reasons: Forescout uses the running-config, and the problematic action is changing the config, not saving it.

1. Forescout Administration Guide, Version 8.2.2, Page 489, "Assign to VLAN": This section describes the action, noting that Forescout applies changes to the switch. The guide implicitly supports the fact that these are live configuration changes.

2. Forescout eyeExtend for Switches Configuration Guide, Version 2.1, Page 19, "How the Switch Plugin Works": This document states, "The Switch Plugin communicates with network switches to get running configuration information... and to apply actions that change the switch configuration." This explicitly confirms that Forescout reads from and writes to the running-config.

3. Forescout Administration Guide, Version 8.2, "Actions" chapter, "Reverting Actions" section: The documentation explains that when an action is canceled, the original configuration is restored. This highlights the mechanism where an initial state is saved. The vulnerability arises because this saved state does not account for out-of-band changes to the running-config that may occur before the action is reverted.