Cisco Support Community

New Member

About the Native Vlan and Management Vlan.

I wanted to know whether the Management VLAN and the Native VLAN can have different VLAN IDs or whether both should have the same VLAN ID. Why should the native VLAN not be VLAN 1?

2 REPLIES
Cisco Employee

The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.

It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).

The Native VLAN is the VLAN whose frames are sent untagged even over trunk links. Consider a trunk link configured between two switches, SWA and SWB: if a system in VLAN 1 of SWA sends a frame via SWB, this frame is received untagged by SWB, and switch B decides that the untagged frame belongs to native VLAN 1 and handles it accordingly. By default the native VLAN is 1, but this can be changed as required.

Example: In the figure below, if an IP phone and a system are connected to a switch port as shown, the phone will send its frames tagged with VLAN 10, whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured with native VLAN 20, so that it can recognise and handle the frames from the system and the IP phone properly.

[Figure: Native vlan.jpg]


The Management VLAN is different: it is the VLAN used for management purposes, such as logging into the switch for management, monitoring the switch, collecting Syslog and SNMP traps, etc., all of which are done via the management VLAN IP. This is also VLAN 1 by default on Cisco. So, as Antony said, it is always a best practice and security measure not to use the default VLAN and to use custom VLANs instead.

Hope this helps !

Having the Native VLAN be something other than one is to prevent security exploits such as double tagging as explained in the link below:

http://www.ccnpguide.com/understanding-vlan-hopping-attacks/

The Native VLAN is just there to deal with untagged frames, so it's best practice to set this to something other than the default and also to change the management VLAN on the switch to be something different.

It really depends on the scale and importance of the network in determining how far you want to go regarding security. You don't have to change the Native VLAN at all and the management VLAN can remain as VLAN 1, and the network will work absolutely fine. If, however, you are the victim of an attack of some sort and your network is in a bank, for example, it will have much more of an impact than if it's your home network.

Hope this helps
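As an added example (not part of this thread, and not Cisco's implementation), here is a small Python model of the trunk behaviour both replies describe: untagged frames arriving on a trunk are classified into the native VLAN, native-VLAN frames leave a trunk untagged, and a phone/PC port separates the phone's tagged frames from the PC's untagged ones. It also contrasts the default layout (native VLAN 1, management on VLAN 1) with the recommended one (native VLAN moved to an unused ID, management on a separate tagged VLAN) so the effect of the advice is visible: an untagged frame on the hardened trunk lands in a VLAN with no members and goes nowhere. VLANs 1, 10 and 20 come from the thread; VLAN 99, VLAN 999, the MAC addresses and the switch/port classes are constructed for the example.

```python
"""Simplified model of 802.1Q native-VLAN handling.

Added example, not taken from the thread and not Cisco's implementation. The
switch logic is a teaching model: untagged frames arriving on a trunk are
classified into the native VLAN, frames in the native VLAN leave a trunk
untagged, and a frame classified into a VLAN with no members is dropped.
VLANs 1, 10 and 20 come from the thread; VLANs 99 and 999 and the MAC
addresses below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100        # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

MAC_PC = bytes.fromhex("020000000001")      # constructed, locally administered
MAC_PHONE = bytes.fromhex("020000000002")
MAC_DST = bytes.fromhex("020000000099")


def insert_tag(frame: bytes, vid: int) -> bytes:
    """Insert one 802.1Q tag (TPID + TCI) after the two MAC addresses."""
    tci = vid & 0x0FFF                          # PCP and DEI bits left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the outer 802.1Q tag (the 4 bytes at offsets 12..15)."""
    return frame[:12] + frame[16:]


def build_frame(dst: bytes, src: bytes, vid: Optional[int], payload: bytes) -> bytes:
    """Build an IPv4 Ethernet frame, tagged with vid when one is given."""
    frame = dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return frame if vid is None else insert_tag(frame, vid)


def outer_vid(frame: bytes) -> Optional[int]:
    """Return the outer 802.1Q VLAN ID, or None if the frame is untagged."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


@dataclass
class TrunkPort:
    """Trunk: tagged frames keep their VID, untagged ones get the native VLAN."""
    native_vlan: int = 1                        # Cisco default, as the thread notes

    def classify(self, frame: bytes) -> int:
        vid = outer_vid(frame)
        return self.native_vlan if vid is None else vid

    def transmit(self, frame: bytes, vid: int) -> bytes:
        """Send out the trunk: native-VLAN frames untagged, all others tagged."""
        plain = strip_tag(frame) if outer_vid(frame) is not None else frame
        return plain if vid == self.native_vlan else insert_tag(plain, vid)


@dataclass
class AccessPort:
    """Phone-and-PC port: PC frames are untagged and belong to the access VLAN
    (the thread calls it the port's native VLAN); the phone tags its own
    frames with the voice VLAN. Any other tag is not accepted."""
    access_vlan: int = 20
    voice_vlan: int = 10

    def classify(self, frame: bytes) -> Optional[int]:
        vid = outer_vid(frame)
        if vid is None:
            return self.access_vlan
        return vid if vid == self.voice_vlan else None


@dataclass
class Switch:
    """Just enough state to ask where an untagged trunk frame ends up."""
    trunk: TrunkPort
    management_vlan: int
    member_vlans: frozenset                     # VLANs with ports or an SVI here

    def handle_trunk_ingress(self, frame: bytes) -> Tuple[int, str]:
        vid = self.trunk.classify(frame)
        if vid not in self.member_vlans:
            return vid, "dropped: VLAN has no members here"
        if vid == self.management_vlan:
            return vid, "forwarded into the management VLAN"
        return vid, "forwarded"


def default_switch() -> Switch:
    """Defaults the thread warns about: native VLAN 1 and management on VLAN 1."""
    return Switch(TrunkPort(native_vlan=1), 1, frozenset({1, 10, 20}))


def hardened_switch() -> Switch:
    """Recommended layout: native VLAN moved to unused 999 (constructed),
    management on tagged VLAN 99 (constructed)."""
    return Switch(TrunkPort(native_vlan=999), 99, frozenset({10, 20, 99}))


UNTAGGED_ON_TRUNK = build_frame(MAC_DST, MAC_PC, None, b"constructed payload")

if __name__ == "__main__":
    for name, sw in (("default", default_switch()), ("hardened", hardened_switch())):
        print(name, sw.handle_trunk_ingress(UNTAGGED_ON_TRUNK))
    port = AccessPort()
    print("phone ->", port.classify(build_frame(MAC_DST, MAC_PHONE, 10, b"rtp")))
    print("pc    ->", port.classify(build_frame(MAC_DST, MAC_PC, None, b"http")))
```

Run it directly to see the two layouts side by side: on the default switch the untagged frame is forwarded into VLAN 1, which is also the management VLAN; on the hardened switch it is classified into VLAN 999, which has no members, and is dropped, while the phone and PC frames still land in VLANs 10 and 20.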
