I wanted to ask some advice on a concept that has bothered me for a while.
I have been deploying Cisco SG300 series switches in the network infrastructures that we build out for a while now, but I would like to make some adjustments in regards to security. Here is the general idea of our existing network layouts:
Management VLAN: 1
- 1 trunk port going to our router
  - native VLAN 1
  - tagged VLANs 999-1500
- trunk ports going to other switches in the network
  - native VLAN 1
  - tagged VLANs 999-1500

Management VLAN: 1
- 1 trunk port going back to core switch
  - native VLAN 1
  - tagged VLANs 999-1500
- Remainder of ports are trunk ports which connect wireless access points
  - native VLAN 1
  - tagged VLANs 999-1500
  - wireless users may be on any VLAN between 999-1500 (assigned dynamically by RADIUS server)
My goal is to tighten up security in order to prevent VLAN hopping.
I am thinking of the following changes specifically:
- change switch management VLAN to 99
- change access point ports to have native VLAN of 99
- change inter-switch uplink ports' native VLAN to something else (10)
My questions are:
- Should I change the switch management VLAN to 10 instead, or 99?
- Will this prevent VLAN hopping as intended?
- Should I configure the ports to send default-VLAN traffic as tagged instead of untagged (switchport default-vlan tagged)?
- Am I misunderstanding something?
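The current and proposed port layouts written out as SG300 CLI, added here as an illustration rather than taken from the original post. The interface numbers and the 192.168.99.2 management address are assumptions; the VLAN numbers are the ones proposed above.

```cisco
! --- Current layout: trunk with native VLAN left at the default of 1 ---
! Untagged frames arriving on this port land in VLAN 1, the same VLAN
! the switch is managed on (interface number is an assumption).
interface gigabitethernet1
 switchport mode trunk
 switchport trunk allowed vlan add 999-1500
exit

! --- Proposed layout ---
vlan database
 vlan 10
 vlan 99
exit

! Management moved off VLAN 1 onto VLAN 99 (address is an assumed example).
interface vlan 99
 ip address 192.168.99.2 255.255.255.0
exit

! Inter-switch uplink: native VLAN 10, which no hosts or management use,
! and default VLAN (1) traffic sent tagged rather than untagged.
interface gigabitethernet1
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan add 999-1500
 switchport default-vlan tagged
exit

! Access-point port: native VLAN 99 for the AP itself, user VLANs tagged
! (interface number is an assumption).
interface gigabitethernet2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan add 999-1500
exit
```

After applying this, verify with `show interfaces switchport gigabitethernet1` that the native VLAN shows as 10 and VLAN 1 is no longer untagged on the port.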