
Native VLAN vulnerability

I have been asked by a customer about the vulnerability described at http://online.securityfocus.com/archive/1/26008

What is the best way to set the native vlan on the trunk port? switchport trunk native vlan n seems too easy! Switches are varied but all IOS.

5 REPLIES

Re: Native VLAN vulnerability

should just be

switchport access vlan xxx

-Bo

Re: Native VLAN vulnerability

Thanks - had seen that as well and was thinking of that first, then I saw the native VLAN command...

Re: Native VLAN vulnerability

You can also go to the networkers presentation and download SEC-202 for more info:

http://www.cisco.com/networkers/nw02/post/presentations/pres_security.html

It goes over the vulnerabilities and some of the defenses (e.g. port security / private VLANs / disable unused ports / change the native VLAN of trunks to a non-user VLAN / set trunking to off on end-user ports / don't use VLAN 1 / BPDU guard / passwords for VTP / etc.)

Hope it helps.

Steve

Re: Native VLAN vulnerability

Looks interesting - thanks.


Re: Native VLAN vulnerability

Unless you specifically *need* the native (default) VLAN functionality, I would strongly recommend "vlan dot1q tag native", which means that *all* VLANs are tagged, including the native VLAN. I also read somewhere on CCO that it causes untagged packets entering a trunk port to be discarded, which is a good thing.

"vlan dot1q tag native" is available in newer versions of 3550 and 6500 IOS code.
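As an added example (not part of the thread or any Cisco tool), the script below audits an IOS-style running-config for the weaknesses the replies above discuss: native VLAN still sent untagged (no global "vlan dot1q tag native"), trunks whose native VLAN is left at 1 or shared with a user access VLAN, and user ports never forced to access mode. The config text is constructed for the demo; the parser only understands plain "interface" stanzas, and "vlan dot1q tag native" is assumed to be supported on the platform, as the reply notes for 3550/6500 code.

```python
import re

# Constructed sample running-config (not from the thread): Gi0/1 is a trunk left
# on native VLAN 1, Gi0/2 a trunk moved to an unused VLAN, Gi0/3 a user port
# that was never forced to access mode.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport mode trunk
interface GigabitEthernet0/3
 switchport access vlan 10
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def audit_vlan_hopping(config):
    """Return (interface, issue) pairs for the weaknesses named in the thread:
    untagged native VLAN, native VLAN 1 or shared with users, negotiable user ports."""
    findings = []
    if not re.search(r"^vlan dot1q tag native\s*$", config, re.M):
        findings.append(("global", "native VLAN sent untagged: add 'vlan dot1q tag native'"))
    ifaces = parse_interfaces(config)
    access_vlans = {int(m.group(1)) for lines in ifaces.values() for l in lines
                    if (m := re.match(r"switchport access vlan (\d+)$", l))}
    for name, lines in ifaces.items():
        native = next((int(m.group(1)) for l in lines
                       if (m := re.match(r"switchport trunk native vlan (\d+)$", l))), 1)
        if "switchport mode trunk" in lines:
            if native == 1:
                findings.append((name, "trunk native VLAN left at default 1"))
            elif native in access_vlans:
                findings.append((name, f"trunk native VLAN {native} is also a user VLAN"))
        elif any(l.startswith("switchport access vlan") for l in lines) \
                and "switchport mode access" not in lines:
            findings.append((name, "user port not forced to access mode (DTP may negotiate a trunk)"))
    return findings
```

Run it against the sample and it reports the global tagging gap, Gi0/1 and Gi0/3; feed it the same config with "vlan dot1q tag native", a non-user native VLAN on Gi0/1 and "switchport mode access" on Gi0/3 and the list comes back empty.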
