02-26-2021 06:08 AM
Hello everyone
I would like a clarification on the native VLAN. By default a VLAN is used, for example 99, as a native VLAN without assigning any access port to it, to avoid double tagging attacks. What is not clear to me is:
1) Why do I have to set as native VLAN a number that makes no sense, like 99 or 44? Can I also set number 2?
2) I know it takes more work, but can I leave the native VLAN 1 and delete the ports from VLAN 1 by disabling it? Can there be security issues? I repeat: VLAN 1 with no access port, I move them all to other VLANs.
I thank in advance those who respond.
02-26-2021 02:05 PM - edited 02-26-2021 02:07 PM
On Catalyst switches you never really disable vlan 1.
Even if you have no access ports in it, you change the native VLAN and you make sure it is not allowed on any trunk links, there is still certain traffic in VLAN 1, such as control protocols etc.
That is the problem with VLAN 1: it is the default VLAN, the VLAN that is the native VLAN unless you change it, and it is used by Cisco for protocols such as STP, VTP etc.
So you should not make any use of it if you can help it.
Jon
02-27-2021 05:31 AM
There are two attacks for switch spoofing:
The first, which is explained before, is "double tag":
the attacker connects to an access port of the SW.
The second is VLAN hopping <- this is new.
Why must native VLAN 1 be changed???
The attacker connects to a trunk port; DTP is enabled, so the SW will make the port a trunk with native VLAN 1 "here, as you suggest, only the trunk has native VLAN 1, no other ports for VLAN 1".
What if we change the native VLAN from VLAN 1 to a not predictable VLAN "for example 99"?
The SW never makes the port a trunk since the native VLAN is mismatched, and hence we prevent the attacker from forming a trunk with the SW and attacking all VLANs allowed on the trunk.
Note: Cisco recommends disabling DTP and enabling trunking only on the ports you want to be trunks "trusted ports", and also changing native VLAN 1.
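The three recommendations in this reply (fixed port mode, DTP off, trunk native VLAN other than 1) can be checked mechanically. The following is an added example, not from the thread or from Cisco: a small Python audit of IOS `interface` blocks, run against a constructed sample config in which each port shows one case.

```python
import re

# Constructed sample running-config (not from the thread); one port per case.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 2,3,100
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 2,3,100
 switchport nonegotiate
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 2
"""

def parse_interfaces(config: str) -> dict:
    """Split an IOS config into {interface name: [indented sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def audit_interface(name: str, lines: list) -> list:
    """Findings for one port: fixed mode, DTP disabled, trunk native VLAN != 1."""
    findings = []
    if "shutdown" in lines:                      # administratively down: skip
        return findings
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode not in ("access", "trunk"):
        findings.append(f"{name}: no fixed switchport mode, DTP may negotiate a trunk")
    if "switchport nonegotiate" not in lines:
        findings.append(f"{name}: DTP not disabled (missing 'switchport nonegotiate')")
    if mode == "trunk":
        m = next((re.search(r"native vlan (\d+)$", l) for l in lines if "trunk native vlan" in l), None)
        native = int(m.group(1)) if m else 1     # IOS default native VLAN is 1
        if native == 1:
            findings.append(f"{name}: trunk native VLAN is 1 (default)")
    return findings

def audit_config(config: str) -> list:
    """Run the audit over every interface block."""
    return [f for n, l in parse_interfaces(config).items() for f in audit_interface(n, l)]
```

Only GigabitEthernet1/0/2 passes all three checks; the other two ports each produce findings.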
02-26-2021 06:16 AM - edited 02-26-2021 06:17 AM
The Native VLAN is simply the one VLAN which traverses a Trunk port without a VLAN tag.
1) Why do I have to set as native VLAN a number that makes no sense, like 99 or 44? Can I also set number 2?
You can use any VLAN (by default VLAN 1).
2) I know it takes more work, but can I leave the native VLAN 1 and delete the ports from VLAN 1 by disabling it? Can there be security issues? I repeat: VLAN 1 with no access port, I move them all to other VLANs.
Cisco suggests not using the default VLAN 1 for security reasons.
02-26-2021 06:49 AM
You can use the VLAN you want as native; for security reasons it is not recommended to use VLAN 1, since most attacks occur through this VLAN because it is configured by default.
The recommendation is that you use the native VLAN that you define in your design; this VLAN will only pass untagged in the trunk communication.
Remember to give the star; with this you contribute to the community.
02-27-2021 04:24 AM
So if I disable all ports, it will always remain the default for other traffic such as STP or VTP. But if I change the native VLAN to VLAN 2 instead of 99, it is good. VLAN 99 or 44 are used for convenience only, then.
02-27-2021 07:23 AM
Yes, it will still be used for certain traffic, i.e. some control protocols.
You can use any number you want for native vlan, it makes no difference which number you use.
Jon
02-26-2021 05:12 PM - edited 02-27-2021 05:10 AM
...
02-27-2021 12:29 AM
It is clear that by changing the native VLAN the hacker cannot attack. What is not clear is why VLAN 1. I could set VLAN 1 as native VLAN on the trunk but simultaneously move all ports into other VLANs, removing all access ports F01, F02 etc. So in this case:
TRUNK LINK: VLAN 1 NATIVE VLAN
VLAN 1: NO ACCESS PORT
VLAN 2: PORTS F01 TO F12
VLAN 3: PORTS F13 TO F24
In this case how does the hacker do the attack?
We suppose that the hacker is located at and connected to port fa0/8 of VLAN 2 and wants to attack VLAN 3.
He should add both VLAN 2 and VLAN 3 tags in the Ethernet frame.
On the trunk, VLAN 1 is native.
When switch 1 (where the hacker is connected) sees the frame, it sees the first tag, so VLAN 2 and not VLAN 3.
I might be wrong (correct me if I'm wrong) but the hacker is limited to communicating with VLAN 2 only.
I could only think that the best practice is to change VLAN 1 to VLAN 99 because VLAN 1 is default (as you all said), and then if there are free ports on the switch in native VLAN 1, an attacker connects to one port and attacks.
Correct me if I'm wrong.
02-27-2021 05:24 AM
Double Tag Attack:
You are the admin and you separate the server from the hosts by using VLANs:
VLAN 100 for the server
VLAN 1 for the hosts
The attacker can access VLAN 1 easily, BUT to access the server it must pass through an L3 router or FW... Here the attacker couldn't attack the server.
So the attacker uses the limitation of the SW to see only one VLAN tag.
How does the attacker work?
Between SW1 and SW2 there is a trunk with VLAN 1 as native.
The attacker connects to SW1,
the attacker sends a double-tagged packet:
outer tag is the native VLAN "VLAN 1",
inner tag is VLAN 100 "VLAN 100 for the server ??".
SW1 receives this packet; it sees native VLAN 1, so it will flood it to all ports, including the trunk between the two SWs.
SW1 will remove the outer tag "VLAN 1" "and here is the limitation of the SW" and flood it through the trunk.
SW2 receives the frame with the inner tag VLAN 100!!!
SW2 will flood it through all ports of VLAN 100, including the port for the server.
Here the attacker can attack the server even if it is not in the same VLAN, i.e. it bypasses the R/FW.
After ALL,
do you see how the attacker starts the attack?
By the native VLAN. If we can break this chain by changing the native VLAN to a value not predicted by the attacker, what will happen?
Let's see again, but this time we change the native VLAN from VLAN 1 to VLAN 99 "as in your example".
The attacker connects to SW1,
the attacker sends a double-tagged packet:
outer tag is the native VLAN "VLAN 1",
inner tag is VLAN 100 "VLAN 100 for the server ??".
SW1 receives this packet; it sees OUTER VLAN 1, so it will flood it to all ports NOT including the trunk between the two SWs.
WoW, and the attacker stops here..
So that is why we change the native VLAN to a not predictable VLAN.
And this is why we make the default native VLAN 1 without ports.
UPDATE REPLY.
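The forwarding behaviour walked through above can be modelled in a few lines. The following is an added Python model, not code from the thread or from Cisco: it builds a stacked 802.1Q frame and applies the one-tag-pop rule at SW1's trunk and the outer-tag classification at SW2, once with native VLAN 1 and once with native VLAN 99 (or VLAN 1 pruned from the trunk). MAC addresses and payload are constructed, and SW1 is assumed to classify the frame into the attacker's access VLAN.

```python
import struct

TPID = 0x8100  # IEEE 802.1Q tag protocol identifier

def vlan_tag(vid: int) -> bytes:
    """4-byte 802.1Q tag: TPID followed by TCI carrying the 12-bit VLAN id."""
    return struct.pack("!HH", TPID, vid & 0x0FFF)

def build_frame(dst: bytes, src: bytes, tags: list, payload: bytes) -> bytes:
    """Ethernet frame with stacked 802.1Q tags (outermost first), then EtherType IPv4."""
    return dst + src + b"".join(vlan_tag(v) for v in tags) + b"\x08\x00" + payload

def pop_tag(frame: bytes):
    """Return (vid, frame with that one tag removed), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]

def trunk_egress(frame: bytes, vlan: int, native: int, allowed: set):
    """SW1 sending a frame that belongs to `vlan` out of its trunk.
    Native-VLAN frames leave untagged, and the switch pops exactly ONE tag,
    so any second tag underneath is exposed to the next switch."""
    if vlan not in allowed:
        return None                        # VLAN pruned from the trunk: dropped
    if vlan == native:
        return pop_tag(frame)[1]
    return frame                           # non-native: outer tag stays on

def trunk_ingress_vlan(frame: bytes, native: int) -> int:
    """SW2 classifies a received trunk frame by its outer tag, else the native VLAN."""
    vid, _ = pop_tag(frame)
    return native if vid is None else vid

def double_tag_hop(access_vlan: int, native: int, allowed: set, target_vlan: int):
    """Which VLAN SW2 delivers the double-tagged frame into; None if SW1 drops it.
    Assumption: SW1 classifies the frame into the attacker's access VLAN (outer tag)."""
    frame = build_frame(b"\xff" * 6, b"\x02" * 6, [access_vlan, target_vlan], b"data")
    on_wire = trunk_egress(frame, access_vlan, native, allowed)
    return None if on_wire is None else trunk_ingress_vlan(on_wire, native)
```

With native VLAN 1 the frame lands in VLAN 100 at SW2; with native VLAN 99 it stays in VLAN 1, and with VLAN 1 also removed from the trunk's allowed list it never crosses the trunk.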
02-28-2021 12:48 AM - edited 02-28-2021 12:50 AM
OK, let's see if I understand. Only if DTP is enabled on a switch A (it is enabled by default) can an attacker connect with his PC and make switch A believe that his PC is a switch B, and since by default the DTP service enables the VLAN as native VLAN 1, the attacker automatically makes a VLAN hopping attack. Then the problem would be solved by disabling the DTP service and setting the trunk manually. But maybe, since a company would like to adopt a solution with DTP for convenience, it is always useful to set a different native VLAN, which can also be VLAN 2; but since usually VLANs 2-3-4 etc. are used, for convenience a VLAN such as 99 or 120 is used as native VLAN, that is, one that doesn't make sense. Correct?
02-28-2021 01:26 AM
That is (I know that in reality it will never happen, but it is to understand better): if I have switch A and switch B, on both switches I disable DTP, I move all the ports from VLAN 1 to VLAN 2 - 3 - 4 for example, and I leave native VLAN 1 on the trunk between switch A and switch B, would an attacker be able to do hopping and double tagging? There is no auto-negotiation between A and B, and the ports have not been assigned to VLAN 1; at this point, unless there is another service that would allow an attacker to make another type of attack, I don't see how it can succeed in making an attack with VLAN 1 as native. Obviously mine is a consideration based on theoretical concepts; if I miss something, correct me.
02-28-2021 04:41 AM
OK, how many native VLANs are there in a SW?
There is only one, so when you configure native VLAN 1 between two SWs, that means both SWs use native VLAN 1 for all trunk ports.
The attacker, as I explained above, will form a trunk to one of the SWs using DTP and native VLAN 1; the victim SW will make the port a trunk with the attacker "the SW doesn't know if this is an attacker or another SW".
This now allows the attacker to use all VLANs, and hence VLAN hopping happens.
02-28-2021 07:45 AM
So:
VLAN 1: all ports moved, for example to VLAN 2
DTP: disabled
Native VLAN: VLAN 1
If the hacker does not find an access port in VLAN 1 and sto is disabled, can the hacker still attack?
02-28-2021 08:31 AM
Sorry, what is sto?