Trunk - native VLAN question

opers13 (Level 1)

When I create a trunk I only allow the VLANs that should be allowed on the trunk.

Now, should I also allow the native VLAN on the trunk?

I always configure trunks like this:

interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan 252
 switchport mode trunk

Note that the native VLAN is not in the allowed list on this trunk.

Then I came across this config:

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2050
 switchport trunk allowed vlan 72,2050
 switchport mode trunk
end

Note that native VLAN 2050 is also in the allowed list on this trunk.

What's right or wrong with these configs?

10 Replies

Giuseppe Larosa (Hall of Fame)

Hello Alex,

Both configurations are possible and correct.

Using a native VLAN that is then not used is permitted and can provide some L2 security advantages: it makes all traffic on the trunk ports tagged.

Another advantage is that you don't need to worry about a native VLAN mismatch if untagged frames are not allowed.

Another suggestion is to have a dedicated native VLAN ID used on all trunks and never used on access ports, to defeat double-tagging VLAN hopping attacks.

We used the first template at another customer and it worked well.

It is more a question of choices.

Hope to help

Giuseppe

Which config is more secure?

Hello Alex,

The first one, with the native VLAN not permitted, is more secure for the reasons explained in my first post.

Hope to help

Giuseppe

Alex

The native VLAN is only used for backwards compatibility with switches that do not understand 802.1Q tagging.

So a third option for you, if all your switches understand 802.1Q tagging (which they probably do), would be to tell the switch to tag all VLANs including the native VLAN, so in effect you no longer have a VLAN that is untagged.

Jon

It's good practice to create, say, VLAN 100 to use as the native VLAN, then shut it down and make all trunk ports use native VLAN 100.

Alex:

Since Jon didn't finish explaining his solution (ehem), I will have to do it for him. ;-)

Here is a useful link that describes how to configure the native vlan to be tagged.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/dot1qtnl.html#wp1006255

HTH

Victor

"Since Jon didn't finish explaining his solution (ehem),"

:-)

Just my way of saying hello, buddy... it's been a rough week for me. Hope yours is going well.

"Just my way of saying hello, buddy"

I know, no offence taken as always :-). Sounds like I'm having a better week than you then!

interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan 252
 switchport mode trunk

Note that the native VLAN is not in the allowed list on this trunk.

Then I came across this config:

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2050
 switchport trunk allowed vlan 72,2050
 switchport mode trunk
end

---------------------------------------

So the question is: which one is more secure?

Well, you can use a combination of both. Create a null VLAN and exclude it from the allowed list. The problem with 'vlan dot1q tag native' is that it is a global command. In a production environment that change could be quite challenging to engineer without going through some hardship. It all depends on how many trunks you have and how big/critical the network is.
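The three checks the replies above keep coming back to (Giuseppe's dedicated native VLAN that never appears on an access port, Jon's tagging of the native VLAN, and the last reply's point that 'vlan dot1q tag native' is global) can be turned into a small audit that runs over a running-config excerpt. The script below is an added example written for this page; it is not from the thread, not a Cisco tool, and assumes IOS defaults (trunk native VLAN 1, access VLAN 1, all VLANs allowed when no list is set). The sample config is the two trunks from the question plus one constructed access port, GigabitEthernet1/0/5 in VLAN 2050, added only to show what the double-tagging check reports.

```python
"""Audit Cisco IOS trunk ports for the native-VLAN conditions discussed above.

Added example, not from the thread. Parses a running-config excerpt and
reports, per trunk: native VLAN left at the default (1), native VLAN
carried untagged (it is in the allowed list and 'vlan dot1q tag native'
is absent), and native VLAN also used by an access port on the same
switch (the precondition for a double-tagging VLAN hop).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    mode: str = "access"                 # IOS default when 'switchport mode' is absent
    native: int = 1                      # IOS default native VLAN
    allowed: Optional[Set[int]] = None   # None means 'all' (IOS default)
    access_vlan: int = 1                 # IOS default access VLAN


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '72,2050' or '10-12,20' into a set."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> Tuple[List[Port], bool]:
    """Return the interfaces found and whether 'vlan dot1q tag native' is set.

    Only the resolved forms shown in a running-config are understood; the
    interactive 'allowed vlan add/remove/except' forms are not.
    """
    ports: List[Port] = []
    tag_native = False
    cur: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(name=line.split(None, 1)[1])
            ports.append(cur)
        elif line == "vlan dot1q tag native":
            tag_native = True
        elif line in ("!", "end"):
            cur = None
        elif cur is None:
            continue
        elif line == "switchport mode trunk":
            cur.mode = "trunk"
        elif line == "switchport mode access":
            cur.mode = "access"
        elif line.startswith("switchport trunk native vlan "):
            cur.native = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line[len("switchport trunk allowed vlan "):].strip()
            if spec == "all":
                cur.allowed = None
            elif spec == "none":
                cur.allowed = set()
            else:
                cur.allowed = expand_vlan_list(spec)
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(line.rsplit(None, 1)[1])
    return ports, tag_native


def audit(ports: List[Port], tag_native: bool) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for every trunk with a native-VLAN exposure."""
    findings: List[Tuple[str, str]] = []
    access_vlans = {p.access_vlan for p in ports if p.mode == "access"}
    for p in ports:
        if p.mode != "trunk":
            continue
        if p.native == 1:
            findings.append((p.name, "native VLAN left at default VLAN 1"))
        if not tag_native and (p.allowed is None or p.native in p.allowed):
            findings.append((p.name, f"native VLAN {p.native} is carried untagged on this trunk"))
        if p.native in access_vlans:
            findings.append((p.name, f"native VLAN {p.native} is also an access VLAN on this switch"))
    return findings


# Constructed sample: the two trunks from the question plus one made-up access
# port (GigabitEthernet1/0/5) placed in VLAN 2050 to trigger the double-tag check.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan 252
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2050
 switchport trunk allowed vlan 72,2050
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 2050
!
"""

if __name__ == "__main__":
    ports, tag_native = parse_config(SAMPLE_CONFIG)
    for name, finding in audit(ports, tag_native):
        print(f"{name}: {finding}")
```

On the sample, GigabitEthernet1/0/23 (native 800, not in the allowed list, not an access VLAN) produces no findings, while GigabitEthernet1/0/1 is reported twice: VLAN 2050 is carried untagged because it is in the allowed list and the global tag-native command is absent, and it is shared with an access port. Passing tag_native=True clears the first finding but not the second, which is the reason the replies recommend a native VLAN that is never used on an access port even when native tagging is on.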
