Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
397
Views
4
Helpful
2
Replies

VLAN 1 and services

michaelmcdaniel
Level 1
Level 1

‎06-15-2007 06:08 AM - edited ‎03-05-2019 04:45 PM

When it comes to information on the security of the default VLAN, everyone seems to have something to say. The biggest problem is, after awhile, all these opinions and rationale obfuscate the real security practices. Maybe I'm just burnt out on it and can't absorb the info like I should, but here are my questions:

1. The NSA switch security guide says to shutdown VLAN 1. Why should I do this as long as I, or any other admin for that matter, remember to assign all unused ports to a false VLAN (999 or so).

2. How does shutting down VLAN 1 affect the services that use it; VTP for instance?

3. Should VLAN 1 be pruned off trunk links or "allowed" on trunk links?

4. Should a different native VLAN be set for each trunk? (as specified in the NSA guide) -- And why?

5. Why do none of the guides specify that you just enable vlan 1 to be tagged by dot1q to counter VLAN hopping attacks? It seems no one actually does this?

Thanks folks, really. I'll look forward to your replies. This is the first post I've made on this site so perhaps I'll feel more comfortable posting after this!

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎06-15-2007 06:25 AM

Hi Michael

Yes there are many different opinions on the use of vlan 1. In will answer some of your questions directly and refer you to a very good Cisco paper on vlan security for the rest if you don't mind.

2) Shutting down vlan 1 does not stop PaGP, CDP or STP traffic being sent down the trunks.

3) Yes vlan should be pruned to reduce it's diameter as because all ports are by default assigned to vlan 1 there is a danger of this vlan spanning your entire switching infrastructure and introducing instabilities.

4) Yes it should for the same reasons as not to use vlan 1 in general ie. it is the default vlan on all switches. Even using a different native vlan does not eliminate all problems - see paper.

5) Not sure to be honest.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

HTH

Jon

michaelmcdaniel
Level 1
Level 1
In response to Jon Marshall

‎06-15-2007 07:05 AM

Vent:

One minor issue I have with this guide is how it uses the term "prune" synonymously with "allow" when obviously pruning has a special meaning on Cisco devices.

Pruning and allowing VLANs on trunks shouldn't use the same term, plain and simple.

This could really confuse people.. cough

Edit: upon further investigation -- pruning is just an automatic method for allowing certain vlans across a trunk, therefore the term "prune" is indeed synonymous with allow. heh... I thought it was using some other method of restricting data from flowing to un-needed areas. It was more simple than I assumed.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card