topic Re: Native vlan in wireless and security recomendations in Wireless

Native vlan in wireless and security recomendations

rodrigoaantunes — Mon, 04 Aug 2025 15:08:40 GMT

Hello, there is a CISCO recomendation that says the native vlan has to be an unused vlan (a dummy vlan) in order to prevent VLAN hopping attacks.

How to achieve this in a wireless scenario?

I have a virtual wireless controller and a lot of flex connect aps in local swithing mode.

The ap management interface is in vlan 2.

The ap ports on the switches are trunk with native vlan 2. If I change the native vlan to a dummy vlan the aps don't work.

So how can achieve the cisco recomendation? I think is unsecure to allow the management traffic in the native vlan.

Re: Native vlan in wireless and security recomendations

MHM Cisco World — Mon, 04 Aug 2025 15:11:04 GMT

you use wlc 9800 ?

MHM

Re: Native vlan in wireless and security recomendations

Saikat Nandy — Mon, 04 Aug 2025 15:37:00 GMT

VLAN hopping attack refers to the default VLAN - VLAN1. Please have a look - https://learningnetwork.cisco.com/s/blogs/a0D3i000002SKPREA4/vlan1-and-vlan-hopping-attack

Now what you said is correct. You are having flex AP and that's how the switchport config should be. Native vlan from where your APs are getting IP address and in the trunk you should allow rest of the vlan where client traffic should be. There is nothing wrong in this config.

Re: Native vlan in wireless and security recomendations

rodrigoaantunes — Mon, 04 Aug 2025 15:54:17 GMT

No, it is the old virtual wireless controller, version 8.5

Re: Native vlan in wireless and security recomendations

MHM Cisco World — Mon, 04 Aug 2025 16:11:29 GMT

so you use flex AP and AirOS
there is option in WLAN VLAN mapping to set native VLAN AP will use
make sure the native VLAN is matching the AP trunk native vlan

Re: Native vlan in wireless and security recomendations

rodrigoaantunes — Mon, 04 Aug 2025 16:26:32 GMT

But in this way all the management traffic is in the native vlan which is not recommended by cisco.

Re: Native vlan in wireless and security recomendations

Saikat Nandy — Mon, 04 Aug 2025 16:32:39 GMT

The recommendation is not to use VLAN 1 - the default native vlan. Please have a look into the link which talks about how VLAN 1 is related to VLAN hopping attack. In your case, your AP management native vlan is 2.

Re: Native vlan in wireless and security recomendations

rodrigoaantunes — Mon, 04 Aug 2025 16:48:40 GMT

The link says this: "Use a native VLAN on the trunk connection that is not used anywhere else on the switch. "
But this vlan is used for AP management. Shouldn't the ap management be in a tagged vlan?

And AI said this:

Using an active VLAN (like the AP management VLAN) as the native VLAN increases the risk of attacks. An attacker who manages to connect to the trunk port (even if unauthorized) can send untagged traffic and potentially access the native VLAN, which in your case is the AP's management VLAN.

Why Is This a Risk Now?

By configuring VLAN 2 as native on the switch and also including it in the trunk allowed VLAN list (for the AP to function), and knowing that VLAN 2 is used for AP management, you're exposing this management VLAN.

Risk Scenario:

An attacker gains physical access to the network and connects to a port configured as a trunk.
Even if the attacker doesn't know the allowed VLANs or doesn't have access to devices that generate tagged traffic, they can send untagged packets.
These untagged packets will be automatically associated with the native VLAN (VLAN 2) by the switch.
Since VLAN 2 carries the AP management traffic, the attacker can try to exploit vulnerabilities in that network segment to gain access to the AP, WLC, or other management devices.

Re: Native vlan in wireless and security recomendations

rodrigoaantunes — Mon, 04 Aug 2025 16:51:10 GMT

What does the "override vlan on AP" actually does? Why do I need this option?

Re: Native vlan in wireless and security recomendations

MHM Cisco World — Mon, 04 Aug 2025 16:55:14 GMT

NO, only NATIVE VLAN option what you need
other option keep as it defualt

MHM

Re: Native vlan in wireless and security recomendations

rodrigoaantunes — Mon, 04 Aug 2025 16:56:31 GMT

But do you know what that option does?

Re: Native vlan in wireless and security recomendations

MHM Cisco World — Mon, 04 Aug 2025 17:00:07 GMT

First do you see wlan ID and it vlan ID when open this tab?

MHM

Re: Native vlan in wireless and security recomendations

JPavonM — Tue, 05 Aug 2025 07:22:29 GMT

That Cisco recommendation is for trunk ports connecting switches, not for trunk ports on access ports like those for APs or VoIp phones, where the native VLAN use to be used to host the device.

OR, you can use a dummy native VLAN, and setup management VLAN with a tag and configure that under the "WLAN VLAN mapping section", but for that you need to pre-stage the AP so adding more admin tasks.

I would recommend not to use dummy VLANs facing APs or phones.

Re: Native vlan in wireless and security recomendations

rodrigoaantunes — Tue, 05 Aug 2025 14:28:45 GMT

Ok, the ap is in the trunk with native vlan 2, should the vlan2 be in the trunk allowed list?

Re: Native vlan in wireless and security recomendations

MHM Cisco World — Tue, 05 Aug 2025 15:16:20 GMT

I mention before yoh run flex or local' I check your reply you use local so vlan mapping is not work for local.

Forget secuirty concern for a sec' when you change native vlan to any vlan other than vlan 2 the AP is no longer connect to wlc ? Confirm that.

And Yes all vlan include native vlan must allow in trunk

MHM