
Change the native VLAN for security. Why?

richa58
Level 1

I have been told that by default, the native VLAN on Cisco switches is 1. I have also been told it's recommended to change the native VLAN number from 1 to something else.

Why exactly is that? I am guessing here that if you change the native VLAN from 1 to something else, then all ports on the switch would be tagged, since the ports are set to use 1 as the native VLAN. Since 1 is no longer the native VLAN, those ports will be tagged, which will make double tagging less likely to work.

Can anyone shed some light on this?

4 Replies

You ask a huge question, so I will answer one by one.
If I change the native VLAN, will all ports be assigned to the new native VLAN? No. By default all ports are assigned to VLAN 1; if VLAN 1 is the native VLAN then all ports are assigned to native VLAN 1, and if VLAN 1 is not the native VLAN then all ports are assigned to VLAN 1 only.

marce1000
VIP

> I have also been told it's recommended to change the native VLAN

Then that recommendation is wrong, but you may have misunderstood: the native VLAN is a special VLAN whose traffic traverses the 802.1Q trunk without any VLAN tag 'only'. You probably refer to not using VLAN 1 for user ports, which could be better indeed in terms of having well-defined subnets and subsequently an easier design of intranet firewall policies (e.g.).

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

@marce1000 I think he is right; the best for L2 security is to change the native VLAN from VLAN 1 to another VLAN and not assign any port to that native VLAN.

Hello,

In addition to the other posts, the main reason for changing the native VLAN to something other than the default (1) used to be that it is more difficult (and hence more secure) to connect another trunking device (such as a rogue switch) to the network if the native VLAN is unknown.

Keep in mind that, ideally, you should have three types of VLANs, and they should all be different:

- User (access) VLANs that carry only user traffic
- Management VLANs (for administrative access; this should also not be VLAN 1)
- Native VLANs (for DTP/VTP/CDP/BPDU)
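The advice in this thread boils down to two checks on a switch configuration: no trunk should still use the default native VLAN 1, and no access port should sit in a VLAN that a trunk uses as its native VLAN. The following is an added example (not from this thread or from Cisco) that runs those two checks over a constructed IOS-style configuration; the interface names, VLAN numbers and the assumption that an interface with no `switchport mode` or `switchport access vlan` line defaults to access mode in VLAN 1 are all assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample configuration (not from the thread). One trunk was moved to
# an otherwise-unused native VLAN 999, one trunk still uses native VLAN 1, and
# one access port was (wrongly) placed in VLAN 999, the native VLAN of the first trunk.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 999
"""


def parse_interfaces(config: str) -> Dict[str, Dict[str, str]]:
    """Map each interface to its mode, native VLAN and access VLAN.
    Assumed defaults: access mode, native VLAN 1, access VLAN 1."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"mode": "access", "native": "1", "access": "1"}
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("switchport mode "):
            interfaces[current]["mode"] = s.split()[-1]
        elif s.startswith("switchport trunk native vlan "):
            interfaces[current]["native"] = s.split()[-1]
        elif s.startswith("switchport access vlan "):
            interfaces[current]["access"] = s.split()[-1]
    return interfaces


def audit_native_vlan(config: str) -> List[str]:
    """Report trunks left on native VLAN 1 and access ports sharing a trunk's native VLAN."""
    ifaces = parse_interfaces(config)
    natives = {d["native"] for d in ifaces.values() if d["mode"] == "trunk"}
    findings: List[str] = []
    for name, d in ifaces.items():
        if d["mode"] == "trunk" and d["native"] == "1":
            findings.append(f"{name}: trunk uses default native VLAN 1")
        if d["mode"] == "access" and d["access"] in natives:
            findings.append(f"{name}: access port in VLAN {d['access']}, which is a trunk native VLAN")
    return findings
```

Running `audit_native_vlan(SAMPLE_CONFIG)` flags GigabitEthernet1/0/2 (native VLAN 1) and GigabitEthernet1/0/4 (access port in a native VLAN); a configuration that follows the thread's advice returns an empty list.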