VLAN 1 and services

Unanswered Question
Jun 15th, 2007

When it comes to information on the security of the default VLAN, everyone seems to have something to say. The biggest problem is, after awhile, all these opinions and rationale obfuscate the real security practices. Maybe I'm just burnt out on it and can't absorb the info like I should, but here are my questions:

1. The NSA switch security guide says to shutdown VLAN 1. Why should I do this as long as I, or any other admin for that matter, remember to assign all unused ports to a false VLAN (999 or so).

2. How does shutting down VLAN 1 affect the services that use it; VTP for instance?

3. Should VLAN 1 be pruned off trunk links or "allowed" on trunk links?

4. Should a different native VLAN be set for each trunk? (as specified in the NSA guide) -- And why?

5. Why do none of the guides specify that you just enable vlan 1 to be tagged by dot1q to counter VLAN hopping attacks? It seems no one actually does this?

Thanks folks, really. I'll look forward to your replies. This is the first post I've made on this site so perhaps I'll feel more comfortable posting after this!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Jon Marshall Fri, 06/15/2007 - 06:25

Hi Michael

Yes there are many different opinions on the use of vlan 1. In will answer some of your questions directly and refer you to a very good Cisco paper on vlan security for the rest if you don't mind.

2) Shutting down vlan 1 does not stop PaGP, CDP or STP traffic being sent down the trunks.

3) Yes vlan should be pruned to reduce it's diameter as because all ports are by default assigned to vlan 1 there is a danger of this vlan spanning your entire switching infrastructure and introducing instabilities.

4) Yes it should for the same reasons as not to use vlan 1 in general ie. it is the default vlan on all switches. Even using a different native vlan does not eliminate all problems - see paper.

5) Not sure to be honest.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

HTH

Jon

michaelmcdaniel Fri, 06/15/2007 - 07:05

Vent:

One minor issue I have with this guide is how it uses the term "prune" synonymously with "allow" when obviously pruning has a special meaning on Cisco devices.

Pruning and allowing VLANs on trunks shouldn't use the same term, plain and simple.

This could really confuse people.. cough

Edit: upon further investigation -- pruning is just an automatic method for allowing certain vlans across a trunk, therefore the term "prune" is indeed synonymous with allow. heh... I thought it was using some other method of restricting data from flowing to un-needed areas. It was more simple than I assumed.

Actions

This Discussion