Trunk - native VLAN question

Unanswered Question
Apr 24th, 2009

When I create a trunk I only allow the VLANs that should be allowed on the trunk.

Now, should I also allow the native vlan on the trunk?

I always configure trunks like this:

interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan 252
 switchport mode trunk

Note that the native vlan is not allowed on the trunk.

Then I came across this config:

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2050
 switchport trunk allowed vlan 72,2050
 switchport mode trunk
end

Note that native VLAN 2050 is also allowed on the trunk.

What's right or wrong with these configs?

Giuseppe Larosa Fri, 04/24/2009 - 04:22

Hello Alex,

Both configurations are possible and correct.

Using a native vlan that is then not used is permitted and can provide some L2 security advantages: it makes all traffic on the trunk ports tagged.

Another advantage is that you don't have to worry about a native vlan mismatch if untagged frames are not allowed.

Another suggestion is to have a dedicated native vlan-id used on all trunks and never used on access ports, to defeat double vlan hopping attacks.

We used the first template with another customer and it worked well.

It is more a question of choices.

Hope to help

Giuseppe

Giuseppe Larosa Fri, 04/24/2009 - 04:29

Hello Alex,

The first one, with the native vlan not permitted, is more secure for the reasons explained in my first post.

Hope to help

Giuseppe

Jon Marshall Fri, 04/24/2009 - 05:12

Alex

The native vlan is only used for backwards compatibility with switches that do not understand 802.1q tagging.

So a 3rd option for you would be, if all your switches understand 802.1q tagging (which they probably do), to tell the switch to tag all vlans including the native vlan, so in effect you no longer have a vlan that is untagged.

Jon

darkbeatzz Fri, 04/24/2009 - 05:29

It's good practice to create, say, VLAN 100 and use it as the native vlan, then shut it down and make all trunk ports native vlan 100.

lamav Fri, 04/24/2009 - 08:01

Just my way of saying hello, buddy... it's been a rough week for me. Hope yours is going well.

Jon Marshall Fri, 04/24/2009 - 08:05

"Just my way of saying hello, buddy"

I know, no offence taken as always :-). Sounds like I'm having a better week than you then!

AJAZ NAWAZ Thu, 06/11/2009 - 12:26

interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan 252
 switchport mode trunk

Note that the native vlan is not allowed on the trunk.

Then I came across this config:

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2050
 switchport trunk allowed vlan 72,2050
 switchport mode trunk
end

---------------------------------------

So the question is: which one is more secure?

Well, you can use a combination of both. Create a null vlan and exclude it from the allowed list. The problem with 'vlan dot1q tag native' is that it is a global command. In a production environment that change could be quite challenging to engineer without going through some hardships. It all depends on how many trunks you have, and how big/critical your network is.
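The three practices discussed in this thread (Giuseppe's dedicated native VLAN that is excluded from the allowed list and never used on access ports, Jon's global 'vlan dot1q tag native', and the combination Ajaz describes) can be audited from a saved running-config. The script below is an added example written for this thread, not code from any of the posters or from Cisco; it parses only the IOS syntax quoted above (plain 'switchport trunk allowed vlan' lists with commas and ranges; the 'add', 'remove' and 'except' forms are not handled, which is an assumption) and reports, per trunk, whether the native VLAN is carried untagged and whether the same VLAN is also assigned to an access port. The sample config is constructed from the two interfaces in the original question plus an access port that deliberately reuses VLAN 2050.

```python
"""Audit a Cisco IOS-style running-config for native-VLAN hygiene on 802.1Q trunks.

Added example for this thread (not from any poster or vendor); the sample config below is
constructed. Findings correspond to the points raised in the discussion:
  1. a trunk whose native VLAN is in its allowed list carries that VLAN untagged, unless the
     global 'vlan dot1q tag native' is configured;
  2. a native VLAN that is also assigned to an access port is reachable by end hosts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running-config (assumption: IOS syntax as quoted in the thread).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2050
 switchport trunk allowed vlan 72,2050
 switchport mode trunk
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan 252
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport access vlan 2050
 switchport mode access
!
end
"""


@dataclass
class Interface:
    name: str
    mode: str = ""
    native_vlan: int = 1            # IOS default native VLAN is 1
    access_vlan: int = 1            # IOS default access VLAN is 1
    allowed: set[int] | None = None  # None means "all" (IOS default when no list is set)


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '10,20-22,2050' into a set of VLAN ids."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> tuple[dict[str, Interface], bool]:
    """Return (interfaces by name, whether 'vlan dot1q tag native' is set globally)."""
    interfaces: dict[str, Interface] = {}
    current: Interface | None = None
    tag_native = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces[current.name] = current
            continue
        if line == "vlan dot1q tag native":   # global command, tags the native VLAN everywhere
            tag_native = True
            current = None
            continue
        if current is None or not raw.startswith(" "):
            current = None                    # '!' / 'end' / any unindented line ends a stanza
            continue
        if m := re.fullmatch(r"switchport mode (\w+)", line):
            current.mode = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            current.native_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            current.access_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line):
            current.allowed = expand_vlan_list(m.group(1))
    return interfaces, tag_native


def audit(text: str) -> list[str]:
    """Return one finding string per risky trunk/native-VLAN combination found in the config."""
    interfaces, tag_native = parse_config(text)
    findings: list[str] = []
    access_vlans = {i.access_vlan for i in interfaces.values() if i.mode == "access"}
    for t in (i for i in interfaces.values() if i.mode == "trunk"):
        native_allowed = t.allowed is None or t.native_vlan in t.allowed
        if native_allowed and not tag_native:
            findings.append(f"{t.name}: native VLAN {t.native_vlan} is allowed and untagged")
        if t.native_vlan in access_vlans:
            findings.append(f"{t.name}: native VLAN {t.native_vlan} is also used on an access port")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample, GigabitEthernet1/0/23 (native 800, allowed 252) produces no finding, while GigabitEthernet1/0/1 is reported twice: VLAN 2050 is both allowed untagged on the trunk and in use on an access port. Prepending the global 'vlan dot1q tag native' clears the first finding but not the second, which is the reason the posters recommend a native VLAN that is never assigned to access ports regardless of the tagging choice.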
