04-24-2009 04:02 AM - edited 03-06-2019 05:22 AM
When I create a trunk I only allow the VLANs that should be allowed on the trunk.
Now, should I also allow the native vlan on the trunk??
I always configure trunks like this:
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport trunk native vlan 800
switchport trunk allowed vlan 252
switchport mode trunk
Note native vlan not being allowed on trunk.
Then I came across this config:
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2050
switchport trunk allowed vlan 72,2050
switchport mode trunk
end
Note native VLAN 2050 also allowed on trunk.
What's right or wrong on these configs??
04-24-2009 04:22 AM
Hello Alex,
both configurations are possible and correct.
Using a native vlan that is then not used is permitted and can provide some L2 security advantages: this makes all traffic on the trunk ports tagged.
Another advantage is that you don't mind about native vlan mismatch if untagged frames are not allowed.
Another suggestion is to have a dedicated native vlan-id used on all trunks and never used on access ports to defeat double vlan hopping attacks.
We used the first template at another customer and it worked well.
It is more a question of choices.
Hope to help
Giuseppe
04-24-2009 04:27 AM
which config is more secure?
04-24-2009 04:29 AM
Hello Alex,
the first one with native vlan not permitted is more secure for the reasons explained in my first post
Hope to help
Giuseppe
04-24-2009 05:12 AM
Alex
The native vlan is only used for backwards compatibility with switches that do not understand 802.1q tagging.
So a 3rd option for you would be if all your switches understood 802.1q tagging, which they probably do, then you can tell the switch to tag all vlans including the native vlan, so in effect you no longer have a vlan that is untagged.
Jon
04-24-2009 05:29 AM
It's good practice to create, say, VLAN 100 and use it as the native vlan, then shut it down and make all trunk ports native vlan 100.
04-24-2009 07:26 AM
Alex:
Since Jon didn't finish explaining his solution (ehem), I will have to do it for him. ;-)
Here is a useful link that describes how to configure the native vlan to be tagged.
HTH
Victor
04-24-2009 07:29 AM
"Since Jon didn't finish explaining his solution (ehem),"
:-)
04-24-2009 08:01 AM
Just my way of saying hello, buddy... it's been a rough week for me. Hope yours is going well.
04-24-2009 08:05 AM
"Just my way of saying hello, buddy"
I know, no offence taken as always :-). Sounds like I'm having a better week than you then!
06-11-2009 12:26 PM
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport trunk native vlan 800
switchport trunk allowed vlan 252
switchport mode trunk
Note native vlan not being allowed on trunk.
Then I came across this config:
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2050
switchport trunk allowed vlan 72,2050
switchport mode trunk
end
---------------------------------------
so the question is which one is more secure?
Well, you can use a combination of both. Create a null vlan and exclude it from the allowed list. The problem with 'vlan dot1q tag native' is that it is a global command. In a production environment that change could be quite challenging to engineer without going through some hardships. It all depends on how many trunks you have and how big/critical your network is.
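The checks the thread converges on (Giuseppe's point that a native VLAN kept off the allowed list means no untagged frames cross the trunk, Jon's 'vlan dot1q tag native' alternative, and the advice to use a dedicated native VLAN that never appears on an access port) can be turned into a configuration audit. The script below is an added example, not code from any poster or from Cisco. It parses IOS-style running-config text (interface blocks, 'switchport trunk native vlan', 'switchport trunk allowed vlan', 'switchport access vlan', and the global 'vlan dot1q tag native') and flags each trunk that still accepts untagged frames on its native VLAN, has no allowed list at all, or uses a native VLAN that is also an access VLAN on the same switch. The embedded sample configuration is constructed: it reuses the two trunks quoted above and adds made-up ports GigabitEthernet1/0/5 to 1/0/7 to exercise the other checks. It assumes the IOS default native VLAN of 1 when none is configured.

```python
"""Audit IOS-style switch configuration for native-VLAN exposure on trunks.

Constructed example, not from the thread. Three checks, one per point raised
in the discussion:
  1. the native VLAN is in the trunk's allowed list (or there is no list at all),
     so untagged frames are accepted on it, unless 'vlan dot1q tag native' is set;
  2. the trunk has no allowed-vlan list, so every VLAN crosses it;
  3. the native VLAN is also configured as an access VLAN somewhere, which is
     exactly what the 'dedicated native VLAN' advice is meant to rule out.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    name: str
    mode: Optional[str] = None        # "trunk", "access" or None if not set
    native_vlan: int = 1              # assumed IOS default when not configured
    allowed: Optional[set] = None     # None means "all VLANs" (no list configured)
    access_vlan: Optional[int] = None


def parse_vlan_list(spec: str) -> Optional[set]:
    """Expand '72,2050' or '10-12,20' into a set; 'all' means no restriction."""
    if spec.strip() == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str):
    """Return (tag_native_globally, [Port, ...]) from running-config text."""
    tag_native, ports, cur = False, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "vlan dot1q tag native":
            tag_native, cur = True, None
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = Port(name=m.group(1))
            ports.append(cur)
        elif cur is None or line in ("!", "end"):
            cur = None                      # outside any interface block
        elif m := re.fullmatch(r"switchport mode (trunk|access)", line):
            cur.mode = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            cur.native_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            cur.access_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (add )?(.+)", line):
            vlans = parse_vlan_list(m.group(2))
            if m.group(1):                  # 'add' only extends an existing list
                if cur.allowed is not None and vlans is not None:
                    cur.allowed |= vlans
            else:
                cur.allowed = vlans
    return tag_native, ports


def audit(text: str) -> dict:
    """Map each trunk interface name to a list of findings (empty = clean)."""
    tag_native, ports = parse_config(text)
    access_vlans = {p.access_vlan for p in ports if p.mode == "access" and p.access_vlan}
    report = {}
    for p in ports:
        if p.mode != "trunk":
            continue
        findings = []
        carries_native = p.allowed is None or p.native_vlan in p.allowed
        if carries_native and not tag_native:
            findings.append(f"native VLAN {p.native_vlan} is carried untagged "
                            "(allowed on the trunk, no 'vlan dot1q tag native')")
        if p.allowed is None:
            findings.append("no 'switchport trunk allowed vlan' list: all VLANs cross this trunk")
        if p.native_vlan in access_vlans:
            findings.append(f"native VLAN {p.native_vlan} is also an access VLAN on this switch")
        report[p.name] = findings
    return report


# Constructed sample: the two trunks quoted in the thread plus three made-up ports.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 800
 switchport trunk allowed vlan 252
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2050
 switchport trunk allowed vlan 72,2050
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/6
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/7
 switchport access vlan 1
 switchport mode access
end
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Running it on the sample reports GigabitEthernet1/0/23 as clean, GigabitEthernet1/0/1 with the untagged-native finding, and GigabitEthernet1/0/5 with all three; prepending the global 'vlan dot1q tag native' line clears the first finding on both, which is the trade-off the last post describes: one global command fixes every trunk at once, but it is also applied to every trunk at once.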