I was reviewing the document:
Regarding "Double-Encapsulated 802.1Q/Nested VLAN Attack", where the document makes the recommendation to "clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose."
Looking at a 3750 stack, I have multiple 802.1q trunks. I cannot see a way to either clear the native VLAN, or to set the "802.1q-all-tagged" mode. I can, however, change the native VLAN to one that is not defined (is this the same as "unused"?).
Switch1(config-if)#switchport trunk native vlan 99
VLAN id 99 not found in current VLAN configuration
VLAN id 99 not found in current VLAN database
Switch1#sh int trun
Port Mode Encapsulation Status Native vlan
Po10 on 802.1q trunking 99
Is this document/concern still valid, and is the above a suitable way of dealing with this potential issue?
Should VLAN 1 actually show any active ports under a "sh vlan"? I have seen several comments regarding "Don't use VLAN 1", but does this mean don't use this VLAN for production traffic, or that it should be removed from all ports?
The objective here is to reduce exposure to any type of compromise to VLAN separation.
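A way to check the two concerns raised above across a stack is to audit the `show interfaces trunk` and `show vlan brief` output rather than eyeballing it. The following is an added example (not from the poster, the cited document, or Cisco): it parses constructed sample output in the column layout those two IOS commands print, and flags trunks whose native VLAN is still VLAN 1, trunks whose native VLAN also carries access ports (the "don't use this VLAN for any other purpose" condition), and, as the poster's situation, a native VLAN that is unused because it was never defined in the VLAN database. It also reports whether VLAN 1 itself still has active access ports. The sample interface names and VLAN numbers are invented; the checks assume the standard field order of those commands and do not replace the configuration change the document recommends.

```python
"""Audit Catalyst trunk native-VLAN settings against the nested-VLAN guidance.

Added example with constructed input; the two text blocks below imitate the
layout of 'show interfaces trunk' and 'show vlan brief' but are not real
switch output.
"""
import re

# Constructed "show interfaces trunk" output. Gi1/0/1 is deliberately left at
# the default native VLAN 1 so the audit has something to flag.
SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Po10        on               802.1q         trunking      99
Gi1/0/1     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po10        1-4094
Gi1/0/1     1,10,20

Port        Vlans allowed and active in management domain
Po10        1,10,20
Gi1/0/1     1,10,20
"""

# Constructed "show vlan brief" output. VLAN 99 is absent because it was never
# created in the VLAN database, mirroring the warning the poster saw.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/5, Gi1/0/6
10   users                            active    Gi1/0/2, Gi1/0/3
20   servers                          active    Gi1/0/4
"""


def parse_trunks(text):
    """Return {port: native_vlan} from the first table of 'show interfaces trunk'."""
    trunks = {}
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the Port/Mode/Encapsulation/Status/Native table
        m = re.match(r"(\S+)\s+\S+\s+802\.1q\s+trunking\s+(\d+)$", line)
        if m:
            trunks[m.group(1)] = int(m.group(2))
    return trunks


def parse_vlans(text):
    """Return {vlan_id: (status, [access ports])} from 'show vlan brief'."""
    vlans = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+\S+\s+(\S+)\s*(.*)$", line)
        if m:
            current = int(m.group(1))
            ports = [p.strip() for p in m.group(3).split(",") if p.strip()]
            vlans[current] = (m.group(2), ports)
        elif current is not None and line.startswith(" " * 10):
            # Wrapped continuation line listing more ports for the same VLAN.
            vlans[current][1].extend(p.strip() for p in line.split(",") if p.strip())
    return vlans


def audit(trunk_text, vlan_text):
    """Return a sorted list of (subject, finding) tuples; empty means nothing to report."""
    trunks = parse_trunks(trunk_text)
    vlans = parse_vlans(vlan_text)
    findings = []
    for port, native in sorted(trunks.items()):
        if native == 1:
            findings.append((port, "native VLAN is the default VLAN 1"))
        if native in vlans and vlans[native][1]:
            used_by = ", ".join(vlans[native][1])
            findings.append((port, f"native VLAN {native} also carries access ports {used_by}"))
        if native not in vlans:
            findings.append((port, f"native VLAN {native} is not in the VLAN database (unused but undefined)"))
    # Second question from the post: does VLAN 1 still have active access ports?
    if 1 in vlans and vlans[1][1]:
        findings.append(("VLAN 1", "active access ports on VLAN 1: " + ", ".join(vlans[1][1])))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SHOW_INT_TRUNK, SHOW_VLAN_BRIEF):
        print(f"{subject:10} {finding}")
```

Feeding the script real output (e.g. saved from a terminal session) only requires replacing the two constructed strings; a clean result is an empty list, and the "not in the VLAN database" line is informational rather than a defect, since an undefined VLAN is by construction unused.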