Community Member

SG300 native/default vlan security

Hello,

I wanted to ask for some advice on a concept that has bothered me for a while.

I have been deploying Cisco SG300 series switches in the network infrastructures we build out for a while now, but I would like to make some adjustments in regards to security. Here is the general idea of our existing network layouts:

Core switch:

Management VLAN: 1
1 trunk port going to our router
   -native VLAN 1
   -tagged vlans 999-1500
trunk ports going to other switches in the network
   -native VLAN 1
   -tagged vlans 999-1500

Edge switches:

Management VLAN 1
1 trunk port going back to core switch
   -native VLAN 1
   -tagged vlans 999-1500
Remainder of ports are trunk ports which connect wireless access points
   -native VLAN 1
   -tagged vlans 999-1500
   -wireless users may be on any VLAN between 999-1500 (assigned dynamically by radius server)

My goal is to tighten up security in order to prevent VLAN hopping.

I am thinking of the following changes specifically:

-change switch management VLAN to 99
-change access point ports to have native VLAN of 99
-change interswitch uplink ports native VLAN to something else (10)

My questions are:

Should I change the switch management VLAN to 10 instead? Or 99?
Will this prevent VLAN hopping as intended?
Should I configure the ports to send default-VLAN traffic as tagged instead of untagged (switchport default-vlan tagged)?
Am I misunderstanding something?

Thanks in advance for any help/suggestions!

1 REPLY
Community Member

Could someone let me know if the following configurations adhere to the best practices and prevent VLAN hopping attacks, or if I'm missing something crucial?

CORE SWITCH

vlan database
vlan 99,999-1500
exit
!
interface vlan 99
 ip address 192.168.5.6 255.255.255.0
 no ip address dhcp
!
interface gigabitethernet27
 description "uplink to edge switch"
 switchport trunk allowed vlan add 99,999-1500
 switchport trunk default-vlan tagged

!
interface gigabitethernet28
 description "uplink to router"
 switchport trunk allowed vlan add 99,999-1500
 switchport trunk default-vlan tagged
!

EDGE SWITCH

vlan database
vlan 99,999-1500
exit
!
interface vlan 99
 ip address 192.168.5.7 255.255.255.0
 no ip address dhcp
!
interface gigabitethernet1
 description "AP port"
 switchport trunk allowed vlan add 999-1500
 switchport trunk native vlan 99
 switchport trunk default-vlan tagged
!
interface gigabitethernet10
 description "uplink to core switch"
 switchport trunk allowed vlan add 99,999-1500
 switchport trunk default-vlan tagged

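As an added example that is not part of this thread: a small Python audit that parses SG300-style interface blocks and flags trunk ports whose native VLAN is still 1, matches the management (interface vlan) VLAN, or is carried untagged. The sample config is constructed from the edge switch config above; gigabitethernet11 is a hypothetical trunk left at the defaults for contrast.

```python
"""Audit an SG300-style config for native-VLAN hygiene on trunk ports (added example)."""
import re

# Constructed sample modelled on the edge switch config posted in the thread;
# gigabitethernet11 is a hypothetical trunk left at the factory defaults.
SAMPLE_CONFIG = """\
interface vlan 99
 ip address 192.168.5.7 255.255.255.0
!
interface gigabitethernet1
 switchport trunk allowed vlan add 999-1500
 switchport trunk native vlan 99
 switchport trunk default-vlan tagged
interface gigabitethernet10
 switchport trunk allowed vlan add 99,999-1500
 switchport trunk default-vlan tagged
interface gigabitethernet11
 switchport trunk allowed vlan add 999-1500
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return blocks

def audit(config):
    """Return (interface, finding) pairs for trunks with risky native-VLAN settings."""
    blocks = parse_interfaces(config)
    mgmt_vlans = {int(n.split()[1]) for n in blocks if n.startswith("vlan ")}
    findings = []
    for name, lines in blocks.items():
        body = "\n".join(lines)
        if name.startswith("vlan ") or "switchport trunk" not in body:
            continue
        m = re.search(r"switchport trunk native vlan (\d+)", body)
        native = int(m.group(1)) if m else 1  # VLAN 1 is the factory default
        checks = ((native == 1, "native-vlan-1"),
                  (native in mgmt_vlans, "native-is-management"),
                  ("default-vlan tagged" not in body, "native-untagged"))
        findings.extend((name, label) for bad, label in checks if bad)
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run against the sample, the audit reports that the AP port's native VLAN is the management VLAN, that both uplinks still default to native VLAN 1, and that the untouched port also carries its native VLAN untagged.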