08-02-2012 10:59 AM
I have recently been putting a SG300 through testing, and while the configuration is working, I am now at the stage of making sure everything is secure. At this point I've reached a question I can't quite find the answer to:
Current Setup:
1 Port - Trunk Mode (1UP + Various VLANs Tagged)
Other Ports - Access Mode (Various VLANs Untagged)
The question comes as to how to deal with the Trunk Port. Per Cisco's own "Virtual Lan Security Best Practices", the default/native VLAN should be cleared from all Trunks... unless I am misunderstanding, I see no way to accomplish this with the SG300's port in Trunk Mode (it forces 1UP, and admit-all).
The only other options I see as being possible are:
Change Port to General Mode, and switch policy to admit-tagged-only, and leave 1UP on the trunk
-or-
Change Port to General Mode, and remove 1UP (but this forces the system to add 4095P, which per the documentation states it immediately disables all other VLANS?)
Are either of these options valid/usable... or is there a better way to accomplish this?
08-02-2012 12:43 PM
Hi Domain, in a layer 2 environment, the switch IP is not particularly relevant. As long as your computer is on the same network as the switch IP then you can manage it.
If you want to remove VLAN 1, make any other VLAN the default VLAN then leave VLAN 1 as a management VLAN.
-Tom
08-02-2012 03:05 PM
Not sure we are quite on the same page regarding this question:
In Trunk Mode, the switch is requiring an untagged VLAN (native VLAN for the trunk) on the interface. Per my understanding (correct me if I'm wrong), the best practice is indicating you generally do not want untagged traffic on your trunks.
Now by default in Trunk Mode, the link is assigned 1UP (PVID 1, Untagged). It seems both the user interface and the CLI interface will not allow you to keep an interface in Trunk Mode without having 1 assigned untagged VLAN.
I.E. (default Trunk):
#sh interface switchport GE1
...
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN (NATIVE ): 1
...
I see no way of clearing this native VLAN from the trunk. In General Mode it is possible to specify admitOnlyVlanTagged, which may be accomplishing the same thing however.
It also seems you can also set PVID to 4095 in General Mode.... I assume then that all untagged packets would be discarded. At least from my limited testing it seems you can have something like:
General Mode: 100T, 200T, 300T, 4095P... and contrary to the documentation it does not seem to prevent you from using the Tagged VLANS.
08-02-2012 03:20 PM
Typically the native vlan or PVID is untag on a port. You may set the switchport differently such as;
switchport mode general
switchport general ingress-filter disable
switchport general pvid X
switchport general allowed vlan add x tagged
With this configuration all vlan tag or untag is accepted on the switchport.
The ingress filtering on trunk and access ports cannot be disabled, therefore the switchport setting must match, which means making a PVID untagged and any additional VLANs tagged on the port. Otherwise the ingress filter on the ingress port will discard the packet.
You may sculpt traffic any way you wish... The IP address of the switch is simply for management not for network unless running in L3.
-Tom
08-06-2012 12:55 PM
The intent is not to accept any untagged traffic on this switchport at all (the best practices I list above come from Cisco's documentation for the Catalyst line of switches).
The native/pvid is used for control traffic (CDP, STP,...etc.) from my understanding, but the upstream device on this switchport is configured to only expect tagged traffic... I am not entirely sure what it will do with untagged traffic, but I highly suspect it will just drop/filter anything not properly tagged (haven't had time to validate)
I'm not worried about the IP address of the switch, since the management interface is not default/listens on a separate tagged VLAN. Realistically, the only thing I wanted this switch for was VLAN support (to segment apart various classes of devices) so it will only ever operate in L2... the upstream devices handle everything else.
For now, I have configured this port as follows, and it appears to be doing what I'm trying to accomplish:
switchport mode general
switchport general allowed vlan add 101,102,103 tagged
switchport general acceptable-frame-type tagged-only
switchport general pvid 4095
This may be actually overkill, since it appears once you apply PVID 4095, all untagged traffic gets dropped anyway.
I appreciate your replies on this topic
08-07-2012 01:31 PM
Well, to put an end to this saga:
This really doesn't do what I thought it would, and I proved this out by sticking a BSD machine on the port and sniffing the interface with tcpdump:
switchport mode general
switchport general allowed vlan add 101,102,103 tagged
switchport general acceptable-frame-type tagged-only
switchport general pvid 4095
This really does nothing... it is the same as leaving the interface in just the default trunk mode with tagged VLANs... control traffic is all sent out the interface untagged.
Playing around with this some more, this is more interesting:
switchport mode trunk
switchport trunk allowed vlan add 101,102,103
switchport default-vlan tagged
This changes the interface to Trunk: 1T, 101T, 102T, 103T, 4095P (and makes the web interface go goofy if you try to change it). Now control traffic (other than STP) is coming down the VLANs as tagged.
Oh well.... upstream device will just be configured to drop everything that is untagged and move on
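The post above settles the question by sniffing the trunk port with tcpdump and looking for untagged frames. As an added illustration (not code from this thread or from Cisco), here is a small 802.1Q frame classifier that performs the same check on raw Ethernet frames: it flags any untagged frame and any tag outside the allowed VLAN list, so a capture can be audited mechanically. All MAC addresses and frames below are constructed sample data standing in for a real capture.

```python
import struct

DOT1Q = 0x8100  # 802.1Q tag protocol identifier (TPID)

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Construct a raw Ethernet frame; insert an 802.1Q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", DOT1Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Split a frame into addresses, optional VLAN ID and the inner EtherType/length."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    vid, off = None, 14
    if etype == DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": etype, "payload": frame[off:]}

def audit_trunk(frames, allowed_vids):
    """Flag untagged frames (a tagged-only trunk should emit none) and VLAN IDs outside the allowed set (e.g. the native VLAN leaking as 1T)."""
    allowed = set(allowed_vids)
    report = {"untagged": [], "disallowed": []}
    for f in frames:
        p = parse_frame(f)
        if p["vid"] is None:
            report["untagged"].append((p["dst"], p["ethertype"]))
        elif p["vid"] not in allowed:
            report["disallowed"].append(p["vid"])
    return report

def sample_capture():
    """Constructed frames standing in for a tcpdump capture on the trunk port."""
    sw = "00:11:22:33:44:55"                    # constructed switch MAC
    ctl = b"\x42\x42\x03" + b"\x00" * 35         # LLC header + zeroed control payload
    return [
        build_frame("01:80:c2:00:00:00", sw, 0x0026, ctl),             # STP BPDU, untagged
        build_frame("01:00:0c:cc:cc:cc", sw, 0x0026, ctl),             # CDP, untagged
        build_frame("ff:ff:ff:ff:ff:ff", sw, 0x0806, b"\x00" * 28, vid=101),  # ARP on 101T
        build_frame("01:00:0c:cc:cc:cc", sw, 0x0026, ctl, vid=1),      # CDP on 1T (native VLAN leak)
    ]
```

Running `audit_trunk(sample_capture(), [101, 102, 103])` reports the two untagged control frames and VLAN 1 as disallowed, which is exactly the leakage the thread observed.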
08-31-2012 10:29 AM
I may be a bit late on this one. If you change the native vlan on the trunk to a bogus vlan and then prune it from both ends of the trunk, untagged frames will be isolated to within the trunk. I believe this to be a Cisco best practice.
I have never worked with that device, however, the commands should be similar to this (vlan 99 being a bogus or "black-hole" vlan):
switchport mode trunk
switchport trunk native vlan 99
switchport trunk allowed vlan 101, 102, 103