
Native VLAN


Kevinillingw (Technical User, GB), Aug 2, 2004
Guys

My proposed VLAN is below

1 Disable
2 User VLAN
3 Voice VLAN
30 Factory VLAN
60 Management VLAN

In this scenario, which should be the native VLAN on the switches? I am guessing 2 (as it is my main VLAN), since if devices are behind hubs this is where untagged traffic gets sent?
 
Depends...
If you want security, the native VLAN should be a black hole that is not used in any of your actual work...
Actually, that is it. I don't see a benefit, to be honest, in having one of your 'production' VLANs as the native one. It takes less time to type 'swit tru all vlan add xxx' since you are already adding SOME VLANs to the trunk anyway.

Your users do not have to trunk up. I'm assuming they are using PCs/workstations, so they will always be on an access port.
The trunks carrying data can tag and untag all your VLANs, so there is no need to have a 'production' VLAN as the native one.

Having your native VLAN be one you don't use stops some attacks such as double-tagging VLAN hopping...




We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Cisco design best practices say each 802.1Q trunk should have its own unique native VLAN - so the switch 1 to switch 2 trunk will use 3000, switch 1 to switch 3 will use 3001, etc. You should also only allow the required VLANs on each trunk and exclude all others - even the native VLAN -
Code:
interface GigabitEthernet0/23
 switchport access vlan 3999
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3999
 switchport trunk allowed vlan 300,305,310
 switchport mode trunk
 switchport nonegotiate

Andy
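The advice in this thread boils down to a handful of per-trunk checks: the native VLAN must not be the default VLAN 1, must not be a VLAN that any access port sits in (otherwise a host in that VLAN can double-tag frames, the first switch strips the outer native tag on the trunk, and the far switch delivers the inner tag into a VLAN the host was never allowed to reach), must be pruned from the trunk's allowed list, and DTP should be off. The script below is an added example, not code from the thread or from Cisco: it parses a small constructed IOS-style config (one trunk that reuses the user VLAN 2 as native, one trunk built the way ADB100 describes) and reports those findings. It models only the `switchport` lines shown in the thread, treats a port with no `switchport mode` line as DTP-negotiable (an assumption; the real default varies by platform), and does not model `allowed vlan remove` or `except`.

```python
"""Audit Cisco IOS-style switchport config for native-VLAN / double-tag hopping exposure.

Added example, not from the forum thread. Parses a constructed config snippet
and flags trunks whose native VLAN could be abused for 802.1Q double-tagging.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample config (not a real switch). Access ports carry the
# poster's VLANs 2 and 30; Gi0/23 wrongly uses VLAN 2 as native, Gi0/24 is
# configured the way the thread recommends.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 2
 switchport voice vlan 3
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport access vlan 3999
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3999
 switchport trunk allowed vlan 2,3,30,60
 switchport mode trunk
 switchport nonegotiate
!
"""


@dataclass
class Port:
    name: str
    mode: str = "dynamic"        # no 'switchport mode' line: assumed DTP-negotiable
    access_vlan: int = 1         # IOS default access VLAN
    native_vlan: int = 1         # IOS default native VLAN
    allowed: Optional[Set[int]] = None   # None == 'all' (IOS default)
    nonegotiate: bool = False


def expand_vlan_list(spec: str) -> Optional[Set[int]]:
    """'2,3,30,60' -> {2,3,30,60}; '300-302' -> {300,301,302}; 'all' -> None."""
    spec = spec.strip()
    if spec == "all":
        return None
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text: str) -> List[Port]:
    """Collect the switchport settings of every 'interface' block."""
    ports: List[Port] = []
    cur: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(name=line.split(None, 1)[1])
            ports.append(cur)
        elif cur is None or not raw.startswith(" "):
            cur = None                      # '!' or a global command ends the block
        elif line.startswith("switchport mode "):
            cur.mode = line.split()[2]      # access / trunk / dynamic
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(line.split()[3])
        elif line.startswith("switchport trunk native vlan "):
            cur.native_vlan = int(line.split()[4])
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line[len("switchport trunk allowed vlan "):]
            if spec.startswith("add "):     # 'add' extends the list; 'all' stays all
                extra = expand_vlan_list(spec[4:]) or set()
                cur.allowed = None if cur.allowed is None else cur.allowed | extra
            else:
                cur.allowed = expand_vlan_list(spec)
        elif line == "switchport nonegotiate":
            cur.nonegotiate = True
    return ports


def audit(ports: List[Port]) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs; an empty list means nothing to flag."""
    findings: List[Tuple[str, str]] = []
    # Any access VLAN is a place an attacker's host may sit and send tagged frames.
    access_vlans = {p.access_vlan for p in ports if p.mode == "access"}
    for p in ports:
        if p.mode == "dynamic":
            findings.append((p.name, "no 'switchport mode': DTP may negotiate a trunk with an attached host"))
            continue
        if p.mode != "trunk":
            continue
        if p.native_vlan == 1:
            findings.append((p.name, "native VLAN is the default VLAN 1"))
        if p.native_vlan in access_vlans:
            findings.append((p.name, f"native VLAN {p.native_vlan} is also an access VLAN: "
                                     "a host there can double-tag frames into any VLAN this trunk carries"))
        if p.allowed is None:
            findings.append((p.name, "allowed list is 'all': prune it to the VLANs the trunk must carry"))
        elif p.native_vlan in p.allowed:
            findings.append((p.name, f"native VLAN {p.native_vlan} is in the allowed list: "
                                     "remove it so untagged frames are not forwarded"))
        if not p.nonegotiate:
            findings.append((p.name, "'switchport nonegotiate' missing: DTP still runs on this trunk"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{port}: {msg}")
```

On the sample config only GigabitEthernet0/23 is flagged (native VLAN shared with an access port, allowed list left at 'all', DTP still on); GigabitEthernet0/24 passes because its native VLAN 3999 is unused by any access port and absent from the allowed list. Feed it the output of `show running-config` to audit a real switch; the parser ignores anything that is not a `switchport` line inside an interface block.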
 
Depends how paranoid you are. It's all about covering your butt.
Personally, my thinking is that for only a very slight bit of extra work you can follow ADB100's suggestion and later on down the track anybody else looking at your configurations will see you've done a professional job, and nobody's going to badmouth you if some sort of VLAN-hopping security incident takes place.
 
Yes Vince ... what ADB100 said.

 