dummy or management native VLAN

tedauction (Level 1)

Hello, I notice on some switches that the management VLAN is used as the native VLAN.

Would it not be better to create a dummy VLAN to be the native VLAN?

My thinking is that if the management VLAN is used as the native, then it:

i) can cause problems when communicating outbound across a trunk unless the next hop switch also has the same mgmt VLAN configured as native
ii) exposes a live VLAN (management) to potential VLAN hopping attacks.
Does anyone agree with this or have any comments?
Thank you.
Accepted Solution

Hello,

the VLAN hopping attack argument is definitely a valid one. In addition, management traffic is essentially user traffic. Since the native VLAN is used for untagged inter-switch link traffic, any user traffic should be separated anyway (although the chance that management traffic actually leads to congestion and frame drops is probably remote at best).

Either way, not using VLAN 1 at all (neither for management nor for untagged traffic) is good practice. The reality however is that most companies (at least the ones I worked for) keep using VLAN 1 for both, at the same time...

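The double-tagging hop behind point ii) of the question, as an added example that is not from the thread: a pure-Python, byte-level model of two switches joined by a trunk. The switch behaviour is a simplified assumption stated in the code (an access port accepts a frame tagged with its own VLAN and pops that tag; a trunk sends native-VLAN frames untagged unless the native VLAN is tagged); the MAC addresses and VLAN numbers are constructed. It shows why the hop only works when the attacker's access VLAN is the trunk's native VLAN, which is exactly the situation a live management VLAN used as native creates, and why a dummy native VLAN must have no access ports of its own.

```python
"""Byte-level model of an 802.1Q double-tagging VLAN hop (added example).

Assumed switch behaviour (simplified, not vendor-verified):
  - an access port accepts a frame whose outer tag equals its own VLAN and pops
    that tag; a frame tagged with any other VLAN is dropped;
  - a trunk sends frames of its native VLAN untagged unless native tagging
    ('vlan dot1q tag native' on Cisco IOS) is enabled;
  - a trunk classifies an incoming frame by its outermost tag, untagged = native.
"""
import struct

TPID = 0x8100            # 802.1Q tag protocol identifier
ETH_IPV4 = 0x0800
ATTACKER_MAC = bytes.fromhex("02aabbccdd01")   # constructed, locally administered
VICTIM_MAC = bytes.fromhex("02aabbccdd02")


def build_frame(dst, src, vlans, ethertype, payload):
    """Ethernet II frame with stacked 802.1Q tags, outermost VLAN first."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (vlans outermost first, ethertype, payload)."""
    off, vlans = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vlans, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def access_port_ingress(frame, access_vlan):
    """Switch 1, access port: classify into access_vlan. A tag equal to the port
    VLAN is popped; any other tag means the frame is dropped (None, None)."""
    vlans, _, _ = parse_tags(frame)
    if not vlans:
        return access_vlan, frame
    if vlans[0] != access_vlan:
        return None, None
    return access_vlan, pop_tag(frame)


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """Switch 1, trunk egress: the native VLAN leaves untagged unless tag_native."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2, trunk ingress: outermost tag decides the VLAN; untagged = native."""
    vlans, _, _ = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def attacker_hop(access_vlan, native_vlan, target_vlan, tag_native=False):
    """VLAN in which switch 2 delivers a double-tagged frame sent from an access
    port in access_vlan across a trunk whose native VLAN is native_vlan.
    Returns None if switch 1 drops the frame."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC,
                        [access_vlan, target_vlan], ETH_IPV4, b"hop")
    vlan, frame = access_port_ingress(frame, access_vlan)
    if vlan is None:
        return None
    wire = trunk_egress(frame, vlan, native_vlan, tag_native)
    return trunk_ingress(wire, native_vlan)


if __name__ == "__main__":
    # Management VLAN 1 doubles as native: the inner tag survives -> lands in VLAN 10
    print("native=1, attacker in VLAN 1 ->", attacker_hop(1, 1, 10))          # 10
    # Dummy native VLAN 999: switch 1 re-tags as VLAN 1, hop fails
    print("native=999, attacker in VLAN 1 ->", attacker_hop(1, 999, 10))      # 1
    # Native VLAN tagged on the trunk: hop fails even with native=1
    print("native=1, tagged native ->", attacker_hop(1, 1, 10, tag_native=True))  # 1
    # The dummy VLAN only helps if nobody sits on an access port in it
    print("native=999, attacker in VLAN 999 ->", attacker_hop(999, 999, 10))  # 10
```

The last case is the caveat: a "dummy" native VLAN stops the hop only because no access port is assigned to it, so the audit has to cover access-port VLAN assignments as well as the trunk configuration.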
3 Replies

Reza Sharifi (Hall of Fame)

It's usually best security practice not to use VLAN 1. Most companies change it to a different VLAN and use it as native or not. It is also good practice not to expose the native VLAN to outside, since it is used for management.

HTH

Hello,

As stated, best practice is not to use VLAN 1. In fact you cannot delete VLAN 1, but you can remove it from trunk interfaces and you can disable it at both L2/L3.

Lastly, you can create a dummy VLAN as your native VLAN for L2 control traffic such as STP/CDP/VTP etc. and specify this over your trunks:

! L3: shut the VLAN 1 SVI so the switch has no IP presence on it
interface vlan 1
 shutdown
!
! L2: VLAN 1 cannot be deleted, so suspend it (the config-vlan keyword is
! "state suspend"; some platforms refuse to change the state of VLAN 1, in
! which case the "remove 1" on the trunks below is what keeps it off the links)
vlan 1
 state suspend
!
vlan 999
 name dummy
!
! Use the dummy VLAN as native and keep VLAN 1 off the trunks
! (the interface range is an example, substitute your trunk ports)
interface range GigabitEthernet1/0/1 - 2
 switchport trunk native vlan 999
 switchport trunk allowed vlan remove 1

Regards,
Paul
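A way to check a fleet of switches for the conditions discussed in this thread, as an added example that is not from the thread or from Cisco: a small Python audit over the text of an IOS-style running-config. The mini-parser, the finding messages and the sample config are constructed for illustration (the hostname, interface names and IP address are made up). It flags trunks whose native VLAN is still 1 or equals a VLAN that has an SVI with an IP address (the management VLAN), trunks that still allow VLAN 1, access ports placed in a VLAN that serves as native on some trunk, and a missing global 'vlan dot1q tag native'.

```python
"""Audit an IOS-style running-config for the native-VLAN weaknesses discussed
in the thread (added example; parser and sample config are constructed)."""
import re

ALL_VLANS = frozenset(range(1, 4095))

# Constructed sample: Gi1/0/1 uses the management VLAN as native, Gi1/0/3 is
# a trunk left at defaults, Gi1/0/10 is an access port in the dummy VLAN.
SAMPLE_CONFIG = """\
!
hostname SW1
!
vlan 10
 name MGMT
!
vlan 999
 name dummy
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 999
!
interface Vlan10
 ip address 192.0.2.2 255.255.255.0
!
"""


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,999' into a set of IDs."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def parse_config(text):
    """Return (global lines, {interface name: [indented sub-commands]})."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def trunk_allowed(sub):
    """Resolve the effective allowed-VLAN set of a trunk (default: all)."""
    allowed = set(ALL_VLANS)
    for line in sub:
        m = re.match(r"switchport trunk allowed vlan (.*)", line)
        if not m:
            continue
        arg = m.group(1).strip()
        if arg == "all":
            allowed = set(ALL_VLANS)
        elif arg == "none":
            allowed = set()
        elif arg.startswith("add "):
            allowed |= parse_vlan_list(arg[4:])
        elif arg.startswith("remove "):
            allowed -= parse_vlan_list(arg[7:])
        elif arg.startswith("except "):
            allowed = set(ALL_VLANS) - parse_vlan_list(arg[7:])
        else:
            allowed = parse_vlan_list(arg)
    return allowed


def audit(text):
    """Return a list of (interface or 'global', finding) tuples."""
    globals_, interfaces = parse_config(text)
    findings = []
    # Management VLANs: any SVI (interface VlanN) that carries an IP address
    mgmt = {int(name[4:]) for name, sub in interfaces.items()
            if name.lower().startswith("vlan")
            and any(l.startswith("ip address ") for l in sub)}
    if "vlan dot1q tag native" not in globals_:
        findings.append(("global", "native VLAN is sent untagged on trunks "
                                   "('vlan dot1q tag native' not set)"))
    natives = set()
    for name, sub in interfaces.items():
        if "switchport mode trunk" not in sub:
            continue
        native = 1                       # IOS default when not configured
        for l in sub:
            m = re.match(r"switchport trunk native vlan (\d+)", l)
            if m:
                native = int(m.group(1))
        natives.add(native)
        if native == 1:
            findings.append((name, "native VLAN left at default 1"))
        if native in mgmt:
            findings.append((name, f"native VLAN {native} is the management VLAN"))
        if 1 in trunk_allowed(sub):
            findings.append((name, "VLAN 1 still allowed across trunk"))
    for name, sub in interfaces.items():
        if "switchport mode access" not in sub:
            continue
        vid = 1
        for l in sub:
            m = re.match(r"switchport access vlan (\d+)", l)
            if m:
                vid = int(m.group(1))
        if vid in natives:
            findings.append((name, f"access port sits in native VLAN {vid}; "
                                   "hosts here can double-tag"))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```

Feed it the output of `show running-config` from each switch; a clean result is no findings apart from those you have consciously accepted. The last check matters because a dummy native VLAN is only dummy while no access port is assigned to it.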