Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configure Unused Vlan as Native Vlan

Hi Everyone,

Can someone explain me benefit of configure unused vlan as native vlan in regard to security purposes?

Regards

MAhesh

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Configure Unused Vlan as Native Vlan

Here the good document on L2 Security -VLAN Security White Paper You can find answer on your question and many others there.

Lets consider this document and find answer on your question. There are two main reasons to take in account when choosing vlan to use as native:

1) Dont use vlan 1 as native because

The reason VLAN 1 became a special VLAN is that L2 devices needed to  have a default VLAN to assign to their ports, including their management  port(s). In addition to that, many L2 protocols such as CDP, PAgP, and  VTP needed to be sent on a specific VLAN on trunk links. For all these  purposes VLAN 1 was chosen.

As a consequence, VLAN 1 may sometimes end up unwisely spanning the  entire network if not appropriately pruned and, if its diameter is large  enough, the risk of instability can increase significantly. Besides the  practice of using a potentially omnipresent VLAN for management  purposes puts trusted devices to higher risk of security attacks from  untrusted devices that by misconfiguration or pure accident gain access  to VLAN 1 and try to exploit this unexpected security hole.

To redeem VLAN 1 from its bad reputation, a simple common-sense security  principle can be used: as a generic security rule the network  administrator should prune any VLAN, and in particular VLAN 1, from all the ports where that VLAN is not strictly needed.

2) Choose unused vlan as native to prevent vlan-hopping (double-encapsulated attack):

When double-encapsulated 802.1Q packets are injected into the network  from a device whose VLAN happens to be the native VLAN of a trunk, the  VLAN identification of those packets cannot be preserved from end to end  since the 802.1Q trunk would always modify the packets by stripping  their outer tag. After the external tag is removed, the internal tag  permanently becomes the packet's only VLAN identifier. Therefore, by  double-encapsulating packets with two different tags, traffic can be  made to hop across VLANs.

This scenario is to be considered a misconfiguration, since the 802.1Q  standard does not necessarily force the users to use the native VLAN in  these cases. As a matter of fact, the proper configuration that should  always be used is to clear the native VLAN from all 802.1Q trunks  (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose.  Protocols like STP, DTP, and UDLD (check out [3]) should be the only  rightful users of the native VLAN and their traffic should be completely  isolated from any data packets.

Regards,

2 REPLIES
New Member

Configure Unused Vlan as Native Vlan

Here the good document on L2 Security -VLAN Security White Paper You can find answer on your question and many others there.

Lets consider this document and find answer on your question. There are two main reasons to take in account when choosing vlan to use as native:

1) Dont use vlan 1 as native because

The reason VLAN 1 became a special VLAN is that L2 devices needed to  have a default VLAN to assign to their ports, including their management  port(s). In addition to that, many L2 protocols such as CDP, PAgP, and  VTP needed to be sent on a specific VLAN on trunk links. For all these  purposes VLAN 1 was chosen.

As a consequence, VLAN 1 may sometimes end up unwisely spanning the  entire network if not appropriately pruned and, if its diameter is large  enough, the risk of instability can increase significantly. Besides the  practice of using a potentially omnipresent VLAN for management  purposes puts trusted devices to higher risk of security attacks from  untrusted devices that by misconfiguration or pure accident gain access  to VLAN 1 and try to exploit this unexpected security hole.

To redeem VLAN 1 from its bad reputation, a simple common-sense security  principle can be used: as a generic security rule the network  administrator should prune any VLAN, and in particular VLAN 1, from all the ports where that VLAN is not strictly needed.

2) Choose unused vlan as native to prevent vlan-hopping (double-encapsulated attack):

When double-encapsulated 802.1Q packets are injected into the network  from a device whose VLAN happens to be the native VLAN of a trunk, the  VLAN identification of those packets cannot be preserved from end to end  since the 802.1Q trunk would always modify the packets by stripping  their outer tag. After the external tag is removed, the internal tag  permanently becomes the packet's only VLAN identifier. Therefore, by  double-encapsulating packets with two different tags, traffic can be  made to hop across VLANs.

This scenario is to be considered a misconfiguration, since the 802.1Q  standard does not necessarily force the users to use the native VLAN in  these cases. As a matter of fact, the proper configuration that should  always be used is to clear the native VLAN from all 802.1Q trunks  (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose.  Protocols like STP, DTP, and UDLD (check out [3]) should be the only  rightful users of the native VLAN and their traffic should be completely  isolated from any data packets.

Regards,

New Member

Configure Unused Vlan as Native Vlan

Hi AleXey,

Thanks for the info

Regards

MAhesh

995
Views
0
Helpful
2
Replies
CreatePlease login to create content