A common isue I run across is that engineers will put (per Jons VLANs), 998 (unused ports VLAN) and 999 (the native vlan) on the trunk itself. There is no benefit to doing this and it should be removed from the trunks for additional security.

Jon,

A very nice and insightful reply!

Usually when I am asked about the native VLAN, my first words are that "in future, the concept of native VLAN will be regarded as one of the greatest networkers' mistakes..." Anyway, what I recommend is something very similar to what you are proposing - to create a "parking" VLAN to hold all the unused ports, possibly even putting it into locally shutdown/VTP suspended state.

However, I personally do not recommend changing the native VLAN on trunks. I do not see a real value in it - if the VLAN 1 is unused by access ports (which it should be by virtue of placing all access ports into the parking VLAN), the option of VLAN hopping from VLAN 1 to another VLAN is no longer an issue. What is then the benefit of changing the native VLAN on trunks?

I am looking forward to reading your ideas!

Best regards,

Peter

paluchpeter wrote:
Jon,
A very nice and insightful reply!
Usually when I am asked about the native VLAN, my first words are that "in future, the concept of native VLAN will be regarded as one of the greatest networkers' mistakes..."  Anyway, what I recommend is something very similar to what you are proposing - to create a "parking" VLAN to hold all the unused ports, possibly even putting it into locally shutdown/VTP suspended state.
However, I personally do not recommend changing the native VLAN on trunks. I do not see a real value in it - if the VLAN 1 is unused by access ports (which it should be by virtue of placing all access ports into the parking VLAN), the option of VLAN hopping from VLAN 1 to another VLAN is no longer an issue. What is then the benefit of changing the native VLAN on trunks?
I am looking forward to reading your ideas!
Best regards,
Peter

Peter

In most situations it's actually better to just tag the native vlan as well which is quite possible most of the time since in a modern Cisco network all switches will understand 802.1Q.  This would defeat vlan hopping because the switch would not need to remove the native vlan tag by default.

However most people don't do this as far as i know. So the next best thing is to change the native vlan. Now i agree wholeheartedly that if you have changed all the unused ports to a "parking" vlan then there is limited use in doing this but it's just another failsafe. And i always give that advice simply because -

1) mistakes can be made and switches added to the network without reallocating ports into the "parking" vlan. And that's the fundamental problem. All ports by default are in vlan 1 and the native vlan is vlan 1. Vlan 1 is just used too much. I can understand why ie. it does give some element of plug and play but these days it is necessary to secure against vlan 1 on your switches.

2) because vlan 1 is used so much you often find that people have networks where they can change the native vlan but they cannot stop using vlan 1 at least not without a significant redesign/configuration effort. But changing the native vlan does give some additional level of protection.

I guess it boils down to security in layers, trying to minimise the effects of a misconfiguration by using all tools available.

Jon

Hi Jon,

Thank you very much for your response.

Technically, I agree with everything you wrote. I would say that you seem to make your systems more foolproof by layering several measures that perhaps aren't strictly required but which make the impact of a potential issue less serious. I am often very strongly attracted towards minimalistic configurations - configuring only what is necessary and understanding the reasons to do it this or that way, not slapping dozens of commands "just to be sure", as often seen.

Probably the best option would be to tag all VLANs including the native VLAN, effectively eliminating its concept. However, such option is, as far as I know, available only on 3560 and higher/newer. For 2950/2960 access switches, this does not seem to be an option, unfortunately.

I am slightly uneasy about changing the native VLAN on trunks because of intricate and unclear interdependencies between the native VLAN and several service protocols running on a trunk link (STP, CDP, DTP, VTP, LOOP, PAgP, LACP). Some of them are tagged with all VLANs they run in (the STP), some of them are staunchly in VLAN 1 (i.e. they are untagged when the native VLAN  1, and are tagged with VID=1 if the native VLAN has been changed) and other run untagged no matter what native VLAN is configured on a trunk. I was never quite able to remember how are these individual protocols exactly tagged, and also I was never quite sure what will happen if the native VLAN is unallowed on a trunk. I have found these details difficult to grasp and I somehow expected that my students and network engineers out in the field may consider them to be even more difficult. For me, a profound understanding of what is being configured and what are its consequences is of paramount importance. Perhaps this is what is behind my reluctance to go over trunks and change their native VLANs. I admit, that is hardly a technical reason on my part.

Best regards,

Peter

Peter

not slapping dozens of commands "just to be sure", as often seen. - yep, that's me, i just slap on any old command

Seriously though your point is well taken and i guess it depends on the environments you work in. If i could guarantee that all ports were allocated to the "parking" vlan every time then great but unfortunately networks are configured by humans and they make mistakes so an additional layer of security is useful to me.

As for tagging control protocols, i remember doing a lot of reading and testing a while back for this.

Of the major control protocols CDP/STP/PaGP/DTP/VTP the odd one out is DTP if i remember correctly. Obviously STP is a little different because of PVST+ but the other protocols always use vlan 1. If the native vlan is changed then they still use vlan 1 but their packets are tagged.

DTP always uses the native vlan. So if you change the native vlan to 999 then DTP uses vlan 999.

Both vlan 1 and the native vlan can be cleared off trunks and the control protocols listed above will still work.

Obviously that testing was done a while back and it may well be that some switches exhibit different behaviour these days.

Edit - forgot to say. Thank you for information regarding 2950/2960 switches and tagging the native vlan. I was under the impression that you could tag the native vlan on all Cisco switches.

Jon

Hi Jon,

yep, that's me, i just slap on any old command 

I hope I did not offend you. I certainly did not mean it. I am truly sorry if I said something inappropriate.

When I attended my BCMSN training I spent one evening sniffing a trunking port to see how are the individual control protocols tagged. I remember the DTP being untagged all the time... and I have the feeling that the LOOP frames are also untagged. Nevertheless, I should spend another evening refreshing and confirming that

Regarding disabling the VLAN1 on trunks - if I am not mistaken it can be done with recent IOSes but again, I have a feeling that older 2950/3550 switches did not allow you to do that. But at least one can see that the possibilities are indeed improving

Best regards,

Peter

paluchpeter wrote:
Hi Jon,
yep, that's me, i just slap on any old command 
I hope I did not offend you. I certainly did not mean it. I am truly sorry if I said something inappropriate.
When I attended my BCMSN training I spent one evening sniffing a trunking port to see how are the individual control protocols tagged. I remember the DTP being untagged all the time... and I have the feeling that the LOOP frames are also untagged. Nevertheless, I should spend another evening refreshing and confirming that 
Regarding disabling the VLAN1 on trunks - if I am not mistaken it can be done with recent IOSes but again, I have a feeling that older 2950/3550 switches did not allow you to do that. But at least one can see that the possibilities are indeed improving 
Best regards,
Peter

Peter

No offence taken and absolutely no need to apologise, i was just being a bit flippant

I always try to keep learning and these sort of threads help to clarify things for me as well as, hopefully, other people reading them.

Jon

Hi Peter,

I agree totally!

IMHO, the whole native VLAN and dynamic trunking concept brought so many confusions and problems that I wish Cisco never invented it :-((

BR,

Milan

Hi Milan,

Thank you for your kind words!

Best regards,

Peter

Hi Peter,

well, my words are not so kind to Cisco :-(

IMHO, they should admit native VLAN, dynamic trunking and VTP are "blind alleys" and remove those artificial features from IOS or make them non-default at least!

BR,

Milan

Hello Milan,

I am not quite sure if the native VLAN concept is a Cisco invention. I have a feeling that it is also considered in the IEEE 802.1Q standard - I am not quite sure about that but I know that the term itself, native VLAN, is not used in the standard. That being said, I do not see a real usability for the native VLAN concept. Backward compatibility with non-802.1Q devices connected to trunks? That's a complete nonsense. Such devices by their very definition do not understand VLANs and are always members of a single VLAN only, and this can be - and should be - dealt with using access ports.

The DTP itself has little practical meaning in my opinion. It is more dangerous than useful, its real usability can be appreciated only when initially setting up a network and the recommended best practice is having it deactivated, with all port modes set statically.

Regarding the VTP, I am not so dismissive. The idea of VTP itself is very good. If I were to maintain a network of 10 or more switches with dozens of VLANs, then manually taking care of consistent VLAN databases on all switches would be a daunting task. Yes, the VTP has been implemented very naively, with all the "wonderful" side effects (that a VTP Client with a higher revision number can overwrite the VLAN database in the entire VTP domain and possibly some others) but the motivation to have and run the VTP is valid. After all, the IEEE works on a similar set of protocols - the GARP and GVRP. Moreover, the VTP version 3 removes some of the deficiences of its predecessors and also has other nice features likes synchronizing the MST VLAN-to-instance mappings which is also a useful thing.

Best regards,

Peter

Hi Peter,

AFAIK, no other vendor is using native VLAN. So it was invented by Cisco, I think.

Regarding VTP:

I agree it's a nice idea.

But the VTP1 and 2 implementation was so immature and unsecure!

The "VTP bomb" possibility you mentions is awkward :-(

Let's hope IEEE will bring some useful standard.

BR,

Milan