
PCs in Native VLAN is only a security concern if switch's management IP is in Native VLAN as well?

sistematico_17
Level 1

Please correct me if I am wrong, but I've been thinking about it and I think having PCs in the native VLAN is only a security issue when the switch's management IP is on the native VLAN as well.


If you disagree, can you please explain why else would leaving PCs on the native VLAN be a security issue?


Following my logic, as long as we configure the switch's management IP to be on a VLAN other than the native, there shouldn't be any security issue related to leaving PCs in the native VLAN.


Please help me understand. Thanks

1 Reply

Dennis Mink
VIP Alumni

Please correct me if I am wrong, but I've been thinking about it and I think having PCs in the native VLAN is only a security issue when the switch's management IP is on the native VLAN as well.

These two don't have to be mutually inclusive.

Best practice is, if you don't have a valid reason to use the native VLAN (and there seldom are any), stick the native VLAN in an unused VLAN, say 999, and don't assign it to any ports.

Your PCs could be in any VLAN as they don't require a native VLAN. You could have your management IP in the same VLAN as your PC and put a telnet/SSH access list on the vty line to limit access.

Of course, it's probably best to stick management in a separate VLAN altogether.

Please rate if useful

Please remember to rate useful posts, by clicking on the stars below.
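
The reply's recommendations expressed as a configuration audit (an added example, not part of either post): it reports access ports in the native VLAN, a management SVI in the native VLAN, and vty lines without an access-class as separate findings. The two sample configs are constructed; VLANs 10 and 20, ACL 10 (definition omitted), and treating any SVI with an IP address as the management interface are assumptions.

```python
import re

# Constructed samples, not from the thread. Assumed: VLANs 10/20, ACL 10, and
# that any SVI with an IP address is the switch's management interface.
WEAK = """\
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/24
 switchport mode trunk
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""
HARDENED = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
interface Vlan20
 ip address 192.0.2.10 255.255.255.0
line vty 0 4
 access-class 10 in
"""

def sections(config):
    # Map each top-level line to the full text of its block.
    return {b.split("\n")[0].strip(): b for b in re.split(r"\n(?=\S)", config.strip())}

def vlan_id(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 1  # no explicit command: IOS default is VLAN 1

def audit(config):
    natives, access, svis, findings = set(), set(), set(), []
    for header, text in sections(config).items():
        if "switchport mode trunk" in text:
            natives.add(vlan_id(r"switchport trunk native vlan (\d+)", text))
        elif "switchport mode access" in text:
            access.add(vlan_id(r"switchport access vlan (\d+)", text))
        elif header.startswith("interface Vlan") and "ip address" in text:
            svis.add(int(header[len("interface Vlan"):]))
        elif header.startswith("line vty") and "access-class" not in text:
            findings.append(f"{header}: no access-class")
    findings += [f"native VLAN {v} is assigned to access ports" for v in sorted(natives & access)]
    findings += [f"management SVI is in native VLAN {v}" for v in sorted(natives & svis)]
    return findings
```

Moving only the management SVI out of VLAN 1 in `WEAK` clears the third finding and leaves the other two.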