01-20-2008 10:43 AM - edited 03-05-2019 08:35 PM
Ok, I've been reading that VLAN 1 is a security issue and you should not use it. So I'm moving all my switchports to another VLAN. I'm also going to use VLAN 14 for my network and system infrastructure devices, i.e. switches, APs, servers, and printers. In order to manage my switches and APs I have to set the native VLAN as 14, for the mgmt IP. Is this a security concern? The way I read it, untagged traffic flows on the native VLAN, so couldn't a hacker craft a packet then or VLAN hop? If so, how would I keep my switches and APs in a secure VLAN for mgmt, since they use the native for the mgmt IP? Just to add, I have my users split on other VLANs and only allow certain VLANs on the trunks. Thanks for any comments.
01-20-2008 01:36 PM
I don't see it as a problem. If you are worried about it then add ACLs on your vty lines and possibly consider using SSH instead of telnet for added security.
01-20-2008 06:48 PM
Switches and APs do not use the native VLAN for the management VLAN and the management VLAN can be any VLAN. In fact, it is not good design practice to have the management VLAN the same as the native VLAN. Also, I always recommend leaving the native VLAN at default (VLAN 1) and then use another VLAN(s) for device management.
-Mark
01-20-2008 07:40 PM
Good points. But for some reason, I may be missing something here, when I set the IP on my Aironet 1200s, that particular VLAN has to be set as native on both ends. Is this correct? If not, what am I doing wrong? I have VLAN 10 (open) - 10.10.10.0, VLAN 12 (closed) - 10.10.12.0, VLAN 14 (mgmt) - 10.10.14.0. Like I say, and I may be wrong, whichever VLAN I set as native, the AP IP has to be in that subnet and VLAN. Thanks again.
01-20-2008 08:16 PM
"Switches and APs do not use the native VLAN for the management VLAN"...?
01-21-2008 05:56 AM
If your APs have to be set in the native VLAN then your switch and AP setup must be set to trunk multiple VLANs down to the APs. The native VLAN is only relevant in a trunking scenario, in which case yes, the native VLAN must match on both ends of the link to work correctly.
01-21-2008 01:11 AM
Hi,
but the latest Cisco Best Practice recommends removing VLAN 1 from all trunks and not using VLAN 1 as the native VLAN;
some "unused" VLAN should be used as the native VLAN.
01-21-2008 06:16 PM
Well, I messed around and could not get my Aironets' mgmt IP on a separate VLAN from the native. Well, I could on the Aironet side, but when I changed the native VLAN on the Catalyst 4503 trunk to match, I lost connection.
i.e. Aironet IP setup VLAN 14 10.10.14.4 with VLAN 2 set as native, Catalyst port native 14 - I could still access the Aironet, but when changed to native 2 on the Catalyst port I would lose connection. Also, all VLANs were allowed. This doesn't make any sense, does it?
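For reference, the switch-side configuration that the advice in this thread adds up to (VLAN 1 pruned from the trunk, an unused VLAN as native, management on its own VLAN 14, vty ACL and SSH only). This is an added example, not any poster's configuration; the interface name GigabitEthernet1/1, the unused native VLAN 999 and the username are assumptions, and the native VLAN still has to match whatever the Aironet end is set to.

```cisco
! Constructed example for a Catalyst IOS switch, not the poster's config.
vlan 10
 name open
vlan 12
 name closed
vlan 14
 name mgmt
vlan 999
 name native-unused
!
! Trunk toward the access point: only the three VLANs in use are
! tagged, VLAN 1 is not carried, and the native VLAN is an unused
! VLAN (must be set to the same value on the AP end of the link).
interface GigabitEthernet1/1
 description trunk-to-aironet
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,12,14
 switchport mode trunk
 switchport nonegotiate
!
! Management address on VLAN 14, separate from the native VLAN.
interface Vlan14
 ip address 10.10.14.1 255.255.255.0
 no shutdown
!
! Remote management only from the mgmt subnet, and only over SSH.
! (Generate the RSA key first in exec mode: crypto key generate rsa)
ip domain-name example.com
ip ssh version 2
username netadmin privilege 15 secret <PLACEHOLDER-PASSWORD>
access-list 10 permit 10.10.14.0 0.0.0.255
access-list 10 deny   any log
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
```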