01-22-2003 07:51 AM - edited 03-02-2019 04:25 AM
I have been asked by a customer about the vulnerability described at http://online.securityfocus.com/archive/1/26008
What is the best way to set the native vlan on the trunk port? switchport trunk native vlan n seems too easy! Switches are varied but all IOS.
01-22-2003 08:10 AM
should just be
switchport access vlan xxx
-Bo
01-22-2003 08:13 AM
Thanks - had seen that as well and was thinking of that first, then I saw the native VLAN command...
01-22-2003 08:12 AM
You can also go to the networkers presentation and download SEC-202 for more info:
http://www.cisco.com/networkers/nw02/post/presentations/pres_security.html
It goes over the vulnerabilities and some of the defenses (e.g. port security / private VLANs / disable unused ports / change native VLAN of trunks to a non-user VLAN / set trunking to off on end-user ports / don't use VLAN 1 / BPDU guard / passwords for VTP / etc.)
Hope it helps.
Steve
01-22-2003 08:38 AM
Looks interesting - thanks.
01-26-2003 08:24 AM
Unless you specifically *need* the native (default) VLAN functionality,
I would strongly recommend "vlan dot1q tag native", which means
that *all* VLANs are tagged, including the native VLAN. I also read
somewhere on CCO that it causes untagged packets entering a
trunk port to be discarded, which is a good thing.
"vlan dot1q tag native" is available in newer versions of 3550 and
6500 IOS code.
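As an added illustration of the hardening points raised in Steve's list (change the native VLAN, turn trunking off on end-user ports, stay out of VLAN 1) and in the last post above ("vlan dot1q tag native"), here is a small audit script that reads an IOS-style running-config and reports the trunk and access ports that still match the weak defaults. The script and the sample configuration in it are constructed for this example and are not from the thread or from Cisco; the interface names, descriptions and VLAN numbers are made up, and the only IOS commands it looks for are ones quoted in the thread plus `switchport mode trunk/access`, `switchport nonegotiate` and the global `vlan dot1q tag native` line.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not from the thread). It mixes a
# hardened trunk, an unhardened trunk, a hardened access port and a port left
# in DTP auto mode so that every rule below fires at least once.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to core (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink to distribution (unhardened)
 switchport mode trunk
!
interface FastEthernet0/10
 description user port (hardened)
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/11
 description user port left in DTP auto mode
 switchport access vlan 20
!
"""

# Same excerpt with the global command recommended in the last post added.
HARDENED_CONFIG = "vlan dot1q tag native\n" + SAMPLE_CONFIG


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented sub-commands]} from IOS-style text."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any global line closes the stanza
    return interfaces


def native_vlan_of(cmds: List[str]) -> int:
    """Native VLAN of a trunk; IOS defaults to 1 when the command is absent."""
    for c in cmds:
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", c)
        if m:
            return int(m.group(1))
    return 1


def access_vlan_of(cmds: List[str]) -> int:
    """Access VLAN of a port; IOS defaults to 1 when the command is absent."""
    for c in cmds:
        m = re.fullmatch(r"switchport access vlan (\d+)", c)
        if m:
            return int(m.group(1))
    return 1


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for the hardening points from the thread."""
    tag_native = "vlan dot1q tag native" in config.splitlines()
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        issues = []
        if "switchport mode trunk" in cmds:
            native = native_vlan_of(cmds)
            if native == 1:
                issues.append("trunk native VLAN is 1; move it to an unused VLAN")
            if not tag_native:
                issues.append(f"native VLAN {native} travels untagged; "
                              "consider 'vlan dot1q tag native'")
            if "switchport nonegotiate" not in cmds:
                issues.append("trunk still runs DTP; add 'switchport nonegotiate'")
        elif "switchport mode access" in cmds:
            if access_vlan_of(cmds) == 1:
                issues.append("access port sits in VLAN 1; assign a user VLAN")
        else:
            issues.append("no explicit switchport mode: DTP may negotiate a trunk; "
                          "set 'switchport mode access' on end-user ports")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, cfg in (("as found", SAMPLE_CONFIG), ("with tag native", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for intf, issues in audit(cfg).items():
            for issue in issues:
                print(f"{intf}: {issue}")
```

Run it against a saved `show running-config`; the hardened trunk is clean once the global `vlan dot1q tag native` line is present, while the unhardened trunk keeps its VLAN 1 and DTP findings and the end-user port with no explicit mode is flagged until it gets `switchport mode access`.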