Cisco Support Community

New Member

mgmt vlan as native vlan, good design?

Ok, I've been reading that VLAN 1 is a security issue and you should not use it. So I'm moving all my switchports to another VLAN. I'm also going to use VLAN 14 for my network and system infrastructure devices, i.e. switches, APs, servers, and printers. In order to manage my switches and APs I have to set the native VLAN as 14, for the mgmt IP. Is this a security concern? The way I read it, untagged traffic flows on the native VLAN, so couldn't a hacker craft a packet then or VLAN hop? If so, how would I keep my switches and APs in a secure VLAN for mgmt, since they use the native for the mgmt IP? Just to add, I have my users split on other VLANs and only allow certain VLANs on the trunks. Thanks for any comments.

7 REPLIES
Purple

Re: mgmt vlan as native vlan, good design?

I don't see it as a problem. If you are worried about it then add ACLs on your vty lines and possibly consider using SSH instead of telnet for added security.

New Member

Re: mgmt vlan as native vlan, good design?

Switches and APs do not use the native VLAN for the management VLAN and the management VLAN can be any VLAN. In fact, it is not good design practice to have the management VLAN the same as the native VLAN. Also, I always recommend leaving the native VLAN at default (VLAN 1) and then use another VLAN(s) for device management.

-Mark

New Member

Re: mgmt vlan as native vlan, good design?

Good points. But for some reason, I may be missing something here, when I set the IP on my Aironet 1200s, that particular VLAN has to be set as native on both ends. Is this correct? If not, what am I doing wrong? I have VLAN 10 (open) - 10.10.10.0, VLAN 12 (closed) - 10.10.12.0, VLAN 14 (mgmt) - 10.10.14.0. Like I say, and I may be wrong, whichever VLAN I set as native, the AP IP has to be in that subnet and VLAN. Thanks again.

Gold

Re: mgmt vlan as native vlan, good design?

"Switches and APs do not use the native VLAN for the management VLAN"...?

Purple

Re: mgmt vlan as native vlan, good design?

If your APs have to be set in the native VLAN then your switch and AP setup must be set to trunk multiple VLANs down to the APs. The native VLAN is only relevant in a trunking scenario, in which case yes, the native VLAN must match on both ends of the link to work correctly.

Re: mgmt vlan as native vlan, good design?

Hi,

but the latest Cisco best practice recommends removing VLAN 1 from all trunks and not using VLAN 1 as the native VLAN; some "unused" VLAN should be used as the native VLAN instead.
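As an added example (not from the thread, and not Cisco's own tooling), here is a small Python audit of a constructed Catalyst-style config excerpt that flags the settings the replies argue against: VLAN 1 as native or allowed on a trunk, a trunk whose native VLAN is the management VLAN (14, as in the thread), and vty lines with telnet enabled or no access-class. It assumes IOS-style config syntax; the interface names and VLAN numbers in the sample are made up.

```python
import re
# Constructed Catalyst-style excerpt (not from the thread): VLAN 1 native and allowed
# on the uplink, the AP trunk using mgmt VLAN 14 as native, and telnet on the VTYs.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,12,14
 switchport mode trunk
interface GigabitEthernet1/2
 switchport trunk native vlan 14
 switchport mode trunk
line vty 0 4
 transport input telnet ssh
"""

def parse_blocks(config):
    blocks = []
    for line in config.splitlines():
        if line.startswith(" "):
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def audit(config, mgmt_vlan=14):
    # Return (block header, finding) pairs; mgmt_vlan=14 mirrors the thread's design.
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("interface") and "switchport mode trunk" in body:
            native, allowed = 1, None  # IOS defaults: native 1, every VLAN allowed
            for item in body:
                if m := re.match(r"switchport trunk native vlan (\d+)$", item):
                    native = int(m.group(1))
                if m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", item):
                    allowed = set()
                    for part in m.group(1).split(","):  # handles "1,10-12,14"
                        lo, _, hi = part.partition("-")
                        allowed.update(range(int(lo), int(hi or lo) + 1))
            if native == 1:
                findings.append((header, "native VLAN is 1"))
            if native == mgmt_vlan:
                findings.append((header, "native VLAN is the mgmt VLAN"))
            if allowed is None or 1 in allowed:
                findings.append((header, "VLAN 1 allowed on trunk"))
        elif header.startswith("line vty"):
            if any(b.startswith("transport input") and "telnet" in b for b in body):
                findings.append((header, "telnet enabled"))
            if not any(b.startswith("access-class") for b in body):
                findings.append((header, "no access-class on vty"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the findings; a trunk with an unused native VLAN, VLAN 1 pruned from the allowed list, and vty lines restricted to SSH with an access-class produces none.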

New Member

Re: mgmt vlan as native vlan, good design?

Well, I messed around and could not get my Aironets' mgmt IP on a separate VLAN from the native. Well, I could on the Aironet side, but when I changed the native VLAN on the Catalyst 4503 trunk to match, I lost connection.

i.e. Aironet IP setup: VLAN 14, 10.10.14.4, with VLAN 2 set as native; Catalyst port native 14 - I could still access the Aironet, but when I changed to native 2 on the Catalyst port I would lose connection. Also, all VLANs were allowed. This doesn't make any sense, does it?
