
Native VLAN vulnerability

I have been asked by a customer about the vulnerability described at

What is the best way to set the native vlan on the trunk port? switchport trunk native vlan n seems too easy! Switches are varied but all IOS.


Re: Native VLAN vulnerability

should just be

switchport access vlan xxx


Re: Native VLAN vulnerability

Thanks - had seen that as well and was thinking of that first, then I saw the native VLAN command...

Re: Native VLAN vulnerability

You can also go to the networkers presentation and download SEC-202 for more info:

It goes over the vulnerabilities and some of the defenses (eg port security/private vlans/disable unused ports/change native vlan of trunks to non-users vlan/set trunking to off on end-user ports/don't use vlan 1/bpdu guards/passwords for vtp/etc)

Hope it helps.


Re: Native VLAN vulnerability

Looks interesting - thanks.


Re: Native VLAN vulnerability

Unless you specifically *need* the native (default) VLAN functionality, I would strongly recommend "vlan dot1q tag native", which means that *all* VLANs are tagged, including the native VLAN. I also read somewhere on CCO that it causes untagged packets entering a trunk port to be discarded, which is a good thing.

"vlan dot1q tag native" is available in newer versions of 3550 and 6500 IOS code.
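The replies above name three configuration points: move each trunk's native VLAN off VLAN 1, pin end-user ports to access mode, and (where the IOS release supports it) set "vlan dot1q tag native" globally. The following script is an added example written for this page, not a Cisco tool and not code from anyone in the thread. It parses an IOS-style running-config and reports which of those settings are missing, so a defender can audit a batch of switches before touching them. The embedded config is constructed for illustration; the parser, the finding strings and the assumption that an unconfigured physical port shows up with no sub-commands are all this example's own.

```python
"""Audit a Cisco IOS running-config for the native-VLAN hardening points raised
in this thread.  Hypothetical checker written for this page, not a Cisco tool."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Physical switch ports only; SVIs (Vlan1) and loopbacks carry no trunk settings.
PHYSICAL = re.compile(r"^(Fast|Gigabit|TenGigabit)?Ethernet\d", re.IGNORECASE)

# Constructed sample config: one hardened trunk, one default trunk,
# one hardened access port and one port left at factory defaults.
SAMPLE_CONFIG = """\
!
hostname sw-lab
!
vlan dot1q tag native
!
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
!
interface GigabitEthernet0/2
 description legacy trunk, native VLAN left at default
 switchport mode trunk
!
interface GigabitEthernet0/3
 description user port
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/4
 description user port, factory defaults
!
interface Vlan1
 no ip address
 shutdown
!
"""


@dataclass
class Interface:
    name: str
    lines: list[str] = field(default_factory=list)


def parse_config(text: str) -> tuple[list[str], list[Interface]]:
    """Split an IOS config into global commands and per-interface sub-commands."""
    global_cmds: list[str] = []
    interfaces: list[Interface] = []
    current: Interface | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def vlan_after(lines: list[str], prefix: str) -> int | None:
    """Return the VLAN number following `prefix` (e.g. 'switchport access vlan'), if set."""
    for line in lines:
        m = re.fullmatch(re.escape(prefix) + r" (\d+)", line)
        if m:
            return int(m.group(1))
    return None


def audit(config: str) -> list[str]:
    """Return one finding per hardening gap; an empty list means the config is clean."""
    global_cmds, interfaces = parse_config(config)
    findings: list[str] = []
    if "vlan dot1q tag native" not in global_cmds:
        findings.append("global: 'vlan dot1q tag native' absent, native-VLAN frames leave trunks untagged")
    for intf in interfaces:
        if not PHYSICAL.match(intf.name) or "no switchport" in intf.lines:
            continue
        if "switchport mode trunk" in intf.lines:
            # IOS uses VLAN 1 as the native VLAN when none is configured.
            native = vlan_after(intf.lines, "switchport trunk native vlan") or 1
            if native == 1:
                findings.append(f"{intf.name}: trunk native VLAN is 1 (default); move it to an unused VLAN")
        elif "switchport mode access" in intf.lines:
            access = vlan_after(intf.lines, "switchport access vlan") or 1
            if access == 1:
                findings.append(f"{intf.name}: access port sits in VLAN 1")
        else:
            findings.append(f"{intf.name}: no 'switchport mode' set, DTP can still negotiate a trunk")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script flags GigabitEthernet0/2 (trunk on native VLAN 1) and GigabitEthernet0/4 (no explicit mode); drop the global "vlan dot1q tag native" line and a third finding appears. Feed it `show running-config` output saved to a file to check real switches.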