mgmt vlan as native vlan, good design?

rhopkins_nci
Level 1

OK, I've been reading that VLAN 1 is a security issue and you should not use it. So I'm moving all my switchports to another VLAN. I'm also going to use VLAN 14 for my network and system infrastructure devices, i.e. switches, APs, servers, and printers. In order to manage my switches and APs I have to set the native VLAN as 14, for the management IP. Is this a security concern? The way I read it, untagged traffic flows on the native VLAN; couldn't a hacker craft a packet then, or VLAN hop? If so, how would I keep my switches and APs in a secure VLAN for management, since they use the native VLAN for the management IP? Just to add, I have my users split on other VLANs and only allow certain VLANs on the trunks. Thanks for any comments.

7 Replies

glen.grant
VIP Alumni

I don't see it as a problem. If you are worried about it, then add ACLs on your vty lines and possibly consider using SSH instead of Telnet for added security.

m.mcconnell
Level 1

Switches and APs do not use the native VLAN for the management VLAN, and the management VLAN can be any VLAN. In fact, it is not good design practice to have the management VLAN be the same as the native VLAN. Also, I always recommend leaving the native VLAN at the default (VLAN 1) and then using another VLAN (or VLANs) for device management.

-Mark

Good points. But for some reason (I may be missing something here), when I set the IP on my Aironet 1200s, that particular VLAN has to be set as native on both ends. Is this correct? If not, what am I doing wrong? I have VLAN 10 (open) - 10.10.10.0, VLAN 12 (closed) - 10.10.12.0, VLAN 14 (mgmt) - 10.10.14.0. Like I say, and I may be wrong, whichever VLAN I set as native, the AP IP has to be in that subnet and VLAN. Thanks again.

"Switches and APs do not use the native VLAN for the management VLAN"...?

If your APs have to be set in the native VLAN, then your switch and AP setup must be set to trunk multiple VLANs down to the APs. The native VLAN is only relevant in a trunking scenario, in which case yes, the native VLAN must match on both ends of the link to work correctly.

Hi,

but the latest Cisco Best Practice recommends removing VLAN 1 from all trunks and not using VLAN 1 as the native VLAN;

some "unused" VLAN should be used as the native VLAN.
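Pulling together the two pieces of advice in this thread (glen.grant's vty ACL plus SSH, and the best practice above of an unused native VLAN with VLAN 1 pruned from trunks), here is an added example of how that looks on a Catalyst running IOS. It is not configuration from anyone in the thread. VLAN 14 and the 10.10.14.0/24 subnet are the poster's; VLAN 999 as the unused native VLAN, the interface names, the domain name and the host address are assumptions.

```cisco
! Added example (not from the thread). VLAN 999, the interface names,
! example.net and 10.10.14.2 are assumptions; VLAN 14 / 10.10.14.0/24
! are the values the original poster gave.
vlan 14
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! Management SVI lives on VLAN 14, which is NOT the native VLAN of any trunk.
interface Vlan14
 description Switch management
 ip address 10.10.14.2 255.255.255.0
 no shutdown
!
! Nothing lives on VLAN 1: no SVI, and it is not carried on the trunk below.
interface Vlan1
 no ip address
 shutdown
!
! Trunk: untagged frames map to VLAN 999, which has no hosts and no SVI,
! so a crafted untagged frame goes nowhere useful. Only the VLANs that
! need to cross the link are allowed, and DTP is disabled.
interface GigabitEthernet1/1
 description Trunk to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,12,14
 switchport nonegotiate
!
! Only stations on the management subnet may open a session, and only via SSH.
ip access-list standard MGMT-HOSTS
 permit 10.10.14.0 0.0.0.255
 deny   any log
!
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
username netadmin privilege 15 secret REPLACE-ME
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
```

With this layout the management address is only reachable as tagged VLAN 14 traffic, so a host on an access port cannot reach it by simply sending untagged frames, and double-tagging attacks that rely on the attacker sitting in the native VLAN have no victim VLAN to land on. Two checks worth running afterwards: `show interfaces trunk` should list 999 as the native VLAN and 10,12,14 as the allowed set on every trunk, and `show running-config | include native` should show the same native VLAN on both ends of each link, since a mismatch is itself a VLAN hop. On platforms that support the global `vlan dot1q tag native` command (the 4500 series does), enabling it tags native-VLAN frames as well, but it must then be enabled on both ends of every trunk.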

rhopkins_nci
Level 1

Well, I messed around and could not get my Aironets' management IP on a separate VLAN from the native. Well, I could on the Aironet side, but when I changed the native VLAN on the Catalyst 4503 trunk to match, I lost connection.

i.e. Aironet IP setup: VLAN 14, 10.10.14.4, with VLAN 2 set as native; Catalyst port native 14 - I could still access the Aironet, but when I changed to native 2 on the Catalyst port I would lose connection. Also, all VLANs were allowed. This doesn't make any sense, does it?
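As an added example (not configuration posted by anyone in the thread), this is the IOS-based Aironet 1200 VLAN layout that produces the behaviour described above, alongside the matching access-switch port. On these APs the management address sits on interface BVI1, which belongs to bridge group 1, and bridge group 1 is whichever subinterface carries the `native` keyword; that is why the AP's IP always ends up in the native VLAN, and why the switch port's native VLAN has to be the same number. VLANs 10, 12 and 14 and the addresses are the ones given in the thread; the interface names, SSID names and the switch port number are assumptions.

```cisco
! Added example (not from the thread). Interface names, SSID names and
! FastEthernet2/1 are assumptions; VLANs 10/12/14 and 10.10.14.4 are the
! poster's values.
!
! --- Aironet 1200 (IOS image) ---
!
! BVI1 is the management interface. It is bound to bridge group 1, and
! bridge group 1 is the native VLAN subinterface below, so this address
! is carried UNTAGGED on the wired trunk.
interface BVI1
 ip address 10.10.14.4 255.255.255.0
!
! Wired side: the native VLAN subinterface is the only one in bridge group 1.
interface FastEthernet0
 no ip address
!
interface FastEthernet0.14
 encapsulation dot1Q 14 native
 bridge-group 1
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface FastEthernet0.12
 encapsulation dot1Q 12
 bridge-group 12
!
! Radio side: each SSID maps to a VLAN, and the matching radio subinterface
! joins the same bridge group as the wired subinterface for that VLAN.
dot11 ssid open
 vlan 10
 authentication open
!
dot11 ssid closed
 vlan 12
 authentication open
! (the "closed" SSID's WPA/key settings are deliberately not shown here)
!
interface Dot11Radio0
 no ip address
 ssid open
 ssid closed
!
interface Dot11Radio0.14
 encapsulation dot1Q 14 native
 bridge-group 1
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface Dot11Radio0.12
 encapsulation dot1Q 12
 bridge-group 12
!
! --- Catalyst access-switch port facing the AP ---
!
! The native VLAN here decides which VLAN the AP's untagged management
! frames land in, so it must match the AP's "native" subinterface (14).
interface FastEthernet2/1
 description Aironet 1200
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 14
 switchport trunk allowed vlan 10,12,14
 switchport nonegotiate
```

Reading the two halves together explains the symptom: when the switch port's native VLAN was 14, the AP's untagged frames carrying 10.10.14.4 were placed in VLAN 14, where that address is routed, so management worked; when the port's native VLAN was changed to 2, the same untagged frames were placed in VLAN 2 and the 10.10.14.x address was unreachable, regardless of which VLANs were allowed on the trunk. On this generation of Aironet the management VLAN and the native VLAN on the AP uplink are therefore one and the same, so the practical mitigation is to use a dedicated management VLAN as native only on AP-facing ports, keep it off user access ports, and confirm with `show interfaces trunk` on the switch and `show running-config | include native` on the AP that the two ends agree.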
