Native Vlan - Double tagging attack

Hello everyone

I would like a clarification on the native VLAN. By default a VLAN is used, for example 99, as a native VLAN without assigning any access port to it, to avoid double tagging attacks. What is not clear to me is:

1) Why do I have to set as native VLAN a number that makes no sense like 99 or 44? Can I also set number 2?

2) I know it takes more work, but can I leave the native VLAN as 1 and remove the ports from VLAN 1 by disabling it? Can there be security issues? I repeat: VLAN 1 with no access port, I move them all to other VLANs.

Thanks in advance to those who respond.

16 Replies


Excuse me, DTP. However, I have newly read other comments. VLAN 1 with no access port and DTP disabled is still under attack, because STP uses BPDU frames on VLAN 1 by default. Also, the logic of VLAN hopping and double tagging says that the attack is good if the attacker is connected to the port assigned to the native VLAN, but if I move all ports from VLAN 1 into VLAN 2, BPDU frames will still go through on VLAN 1.

I asked myself the same question when I studied VLAN security, and I ended up with:
1- using VLAN 1 as the native VLAN
2- using another VLAN as the native VLAN

Still, the L2 protocols use VLAN 1 as the tag VLAN when sending through a trunk,
BUT
they tag it if VLAN 1 is not native,
they do not tag it if VLAN 1 is native.

https://www.fragmentationneeded.net/2011/01/revisiting-vlan-1-myth-again.html

So changing the native VLAN does not stop the other L2 protocols from using VLAN 1.
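A toy model of the trunk behaviour discussed in this thread, added here as an example (it is not Cisco code and not from any of the posters). It shows why an unused native VLAN (2 or 99, the number does not matter) or tagging the native VLAN stops a host-supplied inner tag from being honoured on the next switch, and why VLAN 1 control traffic still leaves the trunk tagged 1 when 99 is native. The function names and the simplified forwarding model are my assumptions.

```python
"""Simplified 802.1Q trunk egress model (constructed example, not vendor code)."""

def wire_tags(sender_vlan, inner_tags, native_vlan, tag_native=False):
    """Tags visible on the trunk wire after egress.

    The egress switch pushes an outer tag for the VLAN the frame belongs to
    (the access VLAN of the sending port), except when that VLAN is the native
    VLAN and native tagging ('vlan dot1q tag native') is off: then the frame
    leaves untagged. inner_tags are 802.1Q tags a host put in its own payload;
    a normal host never needs to send any."""
    if sender_vlan == native_vlan and not tag_native:
        return list(inner_tags)
    return [sender_vlan] + list(inner_tags)

def delivered_vlan(sender_vlan, inner_tags, native_vlan, tag_native=False):
    """VLAN the next-hop switch assigns the frame: the first tag on the wire,
    or the native VLAN if the frame arrived untagged."""
    tags = wire_tags(sender_vlan, inner_tags, native_vlan, tag_native)
    return tags[0] if tags else native_vlan

def native_vlan_policy(native_vlan, access_vlans, tag_native=False):
    """Defender check for a trunk: the native VLAN must carry no end-host
    ports, or native frames must be tagged. Returns findings; empty is OK."""
    findings = []
    if native_vlan in access_vlans and not tag_native:
        findings.append(f"native VLAN {native_vlan} is also an access VLAN")
    if native_vlan == 1 and not tag_native:
        findings.append("VLAN 1 is native, so its control-plane frames go untagged")
    return findings

if __name__ == "__main__":
    # 1) VLAN 1 native and used for hosts: a host-supplied inner tag 20 surfaces.
    print(delivered_vlan(1, [20], native_vlan=1))                   # 20
    # 2) Unused VLAN 99 native: outer tag 1 stays, the inner tag is never read.
    print(delivered_vlan(1, [20], native_vlan=99))                  # 1
    # 3) Native tagged on the trunk: same protection even with native VLAN 1.
    print(delivered_vlan(1, [20], native_vlan=1, tag_native=True))  # 1
    # Point made in the reply above: with 99 native, VLAN 1 frames leave tagged 1.
    print(wire_tags(1, [], native_vlan=99))                         # [1]
    print(native_vlan_policy(99, {1, 10, 20}))                      # []
```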
