Impact of native VLAN mismatch

Jul 28th, 2008

Hi,

I have a 4500 switch at the distribution level and one access switch, a 3750, connected to it.

On my entire network VLAN 1 is shut on every switch and the native VLAN is 99.

While connecting the second uplink to the 4500 switch, I forgot to add the native VLAN command on the access switch, so by default it took VLAN 1 as the native VLAN.

Because of that I was not able to log in to the access switch, and I observed high CPU utilization on all the switches and topology change traps for all the VLANs.

As soon as I added the native VLAN 99 command on the trunk, the CPU utilization of all the switches came back to normal.

I don't understand why a native VLAN mismatch affects the CPU utilization of my network switches. Please explain it to me.

Thanks

Jerry Ye Mon, 07/28/2008 - 10:33
Cisco Employee

Hi,


With a native VLAN mismatch, you have just created a spanning tree loop. A spanning tree loop will use up all the CPU for spanning tree calculation.


To prevent it, you can use loopguard.


HTH,

jerry

gandhikunal Mon, 07/28/2008 - 21:26

Hi Jeye,

Thanks for your prompt reply.


Can you please briefly explain how I can use loopguard to prevent the effects of this type of misconfiguration?


Thanks for your support.

guruprasadr Mon, 07/28/2008 - 23:27

Hi Gandhi, [Pls RATE if HELPS]


Precautions for the Use of VLAN 1


The reason VLAN 1 became a special VLAN is that L2 devices needed to have a default VLAN to assign to their ports, including their management port(s). In addition to that, many L2 protocols such as CDP, PAgP, and VTP needed to be sent on a specific VLAN on trunk links. For all these purposes VLAN 1 was chosen.


As a consequence, VLAN 1 may sometimes end up unwisely spanning the entire network if not appropriately pruned and, if its diameter is large enough, the risk of instability can increase significantly. Besides, the practice of using a potentially omnipresent VLAN for management purposes puts trusted devices at higher risk of security attacks from untrusted devices that, by misconfiguration or pure accident, gain access to VLAN 1 and try to exploit this unexpected security hole.


To redeem VLAN 1 from its bad reputation, a simple common-sense security principle can be used: as a generic security rule the network administrator should prune any VLAN, and in particular VLAN 1, from all the ports where that VLAN is not strictly needed.


Therefore, with regard to VLAN 1, the above rule simply translates into the recommendations to:


• Not use VLAN 1 for inband management traffic and pick a different, specially dedicated VLAN that keeps management traffic separate from user data and protocol traffic.


• Prune VLAN 1 from all the trunks and from all the access ports that don't require it (including not connected and shutdown ports).


Similarly, the above rule applied to the management VLAN reads:


• Don't configure the management VLAN on any trunk or access port that doesn't require it (including not connected and shutdown ports).


• For foolproof security, when feasible, prefer out-of-band management to inband management.

As a general design rule it is desirable to "prune" unnecessary traffic from particular VLANs. For example, it is often desirable to apply VLAN ACLs and/or IP filters to the traffic carried in the management VLAN to prevent all telnet connections and allow only SSH sessions. Or it may be desirable to apply QoS ACLs to rate limit the maximum amount of ping traffic allowed.


If VLANs other than VLAN 1 or the management VLAN represent a security concern, then automatic or manual pruning should be applied as well. In particular, configuring VTP in transparent or off mode and doing manual pruning of VLANs is commonly considered the most effective method to exert a more strict level of control over a VLAN-based network.



PLS RATE if HELPS


Best Regards,


Guru Prasad R


gandhikunal Tue, 07/29/2008 - 00:01

Hi Guru,

Thanks for your reply.

I understand from your reply that VLAN 1 should be shut and is not safe to use for management purposes because of security reasons.

I would be grateful if someone could explain why an STP loop occurred in my network; VLAN 1 is shut in my entire network, including the access switch where I misconfigured the native VLAN as the default.


Thanks...


Jerry Ye Tue, 07/29/2008 - 05:10
Cisco Employee

Hi, VLAN 1 cannot be removed from the switch configuration. However, you can shut down "interface VLAN1", which is the L3 interface. On the L2 side, where the STP loop is occurring, VLAN 1 still persists.


To prevent VLAN 1 from going through the trunk ports, you can prune VLAN 1 by using the following IOS command: "switchport trunk allowed vlan x,y-z".


HTH,

jerry
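The two checks this thread converges on (the original native VLAN mismatch between the 4500 and 3750 uplinks, and Guru's and Jerry's advice to prune VLAN 1 from trunks with "switchport trunk allowed vlan") can be audited offline from running configs. The script below is an added example, not from any poster; the config fragments, port names and cabling inventory are constructed, and it applies the IOS defaults (native VLAN 1, all VLANs allowed) when the command is absent from a trunk stanza.

```python
import re

# Constructed running-config fragments (not the poster's real configs): the 4500
# has native VLAN 99 on both uplinks; the 3750 lacks it on its second uplink.
CONFIGS = {
    "4500": "interface Gi1/1\n switchport trunk native vlan 99\n"
            " switchport trunk allowed vlan 10,20,99\n switchport mode trunk\n!\n"
            "interface Gi1/2\n switchport trunk native vlan 99\n switchport mode trunk\n!\n",
    "3750": "interface Gi1/0/1\n switchport trunk native vlan 99\n"
            " switchport trunk allowed vlan 10,20,99\n switchport mode trunk\n!\n"
            "interface Gi1/0/2\n switchport mode trunk\n!\n",
}
# Constructed cabling inventory: (switch A, port A, switch B, port B).
LINKS = [("4500", "Gi1/1", "3750", "Gi1/0/1"), ("4500", "Gi1/2", "3750", "Gi1/0/2")]

def expand_vlans(spec):
    """'10,20,99' or '1-5,99' -> set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_trunks(config):
    """{port: (native_vlan, allowed_vlans)} per trunk; IOS defaults: native 1, all VLANs."""
    trunks = {}
    for stanza in config.split("!\n"):
        name = re.search(r"^interface (\S+)", stanza, re.M)
        if not name or "switchport mode trunk" not in stanza:
            continue
        nat = re.search(r"trunk native vlan (\d+)", stanza)
        allowed = re.search(r"trunk allowed vlan ([\d,-]+)", stanza)
        trunks[name.group(1)] = (int(nat.group(1)) if nat else 1,
                                 expand_vlans(allowed.group(1)) if allowed
                                 else set(range(1, 4095)))
    return trunks

def audit(configs, links):
    """Report native-VLAN mismatches per link and trunks still carrying VLAN 1."""
    trunks = {sw: parse_trunks(cfg) for sw, cfg in configs.items()}
    findings = []
    for sw_a, pa, sw_b, pb in links:
        nat_a, nat_b = trunks[sw_a][pa][0], trunks[sw_b][pb][0]
        if nat_a != nat_b:
            findings.append(f"native mismatch: {sw_a} {pa}={nat_a} vs {sw_b} {pb}={nat_b}")
    for sw, ports in trunks.items():
        for port, (_, allowed) in ports.items():
            if 1 in allowed:
                findings.append(f"VLAN 1 not pruned: {sw} {port}")
    return findings
```

Running `audit(CONFIGS, LINKS)` reports the mismatch on the second uplink (99 vs the implicit 1) and the two trunks where VLAN 1 is still allowed because no allowed-list was configured.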

gandhikunal Fri, 08/08/2008 - 00:04

Thanks, now the picture is clear.

Though VLAN 1 is shut in the network, only the interface is shut, not the VLAN.

So because of my misconfiguration, an STP loop occurred in VLAN 1 and the CPU utilization of the switches increased drastically because of STP calculation.

Please correct if I am wrong.

