Native VLAN vulnerability

paul.matthews
Level 5

I have been asked by a customer about the vulnerability described at http://online.securityfocus.com/archive/1/26008

What is the best way to set the native vlan on the trunk port? switchport trunk native vlan n seems too easy! Switches are varied but all IOS.

5 Replies

7rbowenii
Level 3

should just be

switchport access vlan xxx

-Bo

Thanks - had seen that as well and was thinking of that first, then I saw the native VLAN command...

steve.barlow
Level 7

You can also go to the networkers presentation and download SEC-202 for more info:

http://www.cisco.com/networkers/nw02/post/presentations/pres_security.html

It goes over the vulnerabilities and some of the defenses (eg port security/private vlans/disable unused ports/change native vlan of trunks to non-users vlan/set trunking to off on end-user ports/don't use vlan 1/bpdu guards/passwords for vtp/etc)

Hope it helps.

Steve

Looks interesting - thanks.

steinar.haug
Level 1

Unless you specifically *need* the native (default) VLAN functionality, I would strongly recommend "vlan dot1q tag native", which means that *all* VLANs are tagged, including the native VLAN. I also read somewhere on CCO that it causes untagged packets entering a trunk port to be discarded, which is a good thing.

"vlan dot1q tag native" is available in newer versions of 3550 and 6500 IOS code.
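As an added example (not code from this thread or from Cisco), a small Python check that reads an IOS running-config and reports the three settings the replies above recommend changing: the native VLAN being sent untagged (no global "vlan dot1q tag native"), trunks left on the default native VLAN 1, and end-user ports where trunking has not been turned off with "switchport mode access". The sample config is constructed; the interface names and VLAN numbers in it are placeholders.

```python
# Constructed Catalyst IOS running-config excerpt (sample data, not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport access vlan 10
 switchport mode access
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return interfaces

def audit_vlan_hopping(config):
    """Return (where, issue) pairs for the settings the thread recommends changing."""
    findings = []
    # Global setting: without it the native VLAN crosses trunks untagged.
    if "vlan dot1q tag native" not in config.splitlines():
        findings.append(("global", "native VLAN is sent untagged (no 'vlan dot1q tag native')"))
    for name, lines in parse_interfaces(config).items():
        modes = [l for l in lines if l.startswith("switchport mode ")]
        native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
        # A trunk with no explicit native VLAN is still using VLAN 1.
        if "switchport mode trunk" in modes and not native:
            findings.append((name, "trunk left on default native VLAN 1"))
        # No mode at all means the port was never pinned to access mode.
        if not modes:
            findings.append((name, "trunking not turned off (no 'switchport mode access')"))
    return findings

if __name__ == "__main__":
    for where, issue in audit_vlan_hopping(SAMPLE_CONFIG):
        print(f"{where}: {issue}")
```

Feed it the output of "show running-config" from each switch; an empty result means all three items from the thread are in place.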