Native / Default VLANs - Security Implications

Will Hrudey
Level 1

I would like to confirm the security implications of VLAN 1 if I propose the following changes in a client design using Cisco SG series L3 switches.

VLAN1: user traffic flows (tagged)

VLAN x: management

VLAN99: native vlan

VLAN100: default vlan (all unused ports get dumped into this vlan and shut down)

Since the native vlan is set to 99 (INSTEAD of vlan1), coupled with the fact that all ports default to vlan 100, user traffic flows will be TAGGED as VLAN1. Since VLAN1 is now tagged, it ?SHOULD? eliminate the security risks that exist when using VLAN1 as both the native and default VLAN.

Is that reasonable logic? I don't really want to move my user traffic flows off of VLAN1 as it aligns nicely with a subnet scheme we derived, thus the motivation to just change the default and native VLANs. Is this a reasonable practice?

/wh

5 Replies

Reza Sharifi
Hall of Fame

Vlan1 should never be used for user traffic. In other words, no access port should be in vlan1.

Also, as a best security practice, you should always shut down the SVI for vlan1.

HTH
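As an added example (not from the thread or from Cisco), a small Python audit of a constructed, IOS-style configuration excerpt that checks the points raised above: no trunk left with VLAN 1 as native, no access port in VLAN 1, parked ports shut down, and the VLAN 1 SVI shut. The config syntax is an assumption; the thread shows no actual configuration and the SG-series CLI may differ in detail.

```python
# Constructed IOS-style config (assumed syntax; the thread shows none): trunk with
# native VLAN 99, user port in VLAN 1 as proposed, trunk at defaults, VLAN 1 SVI up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 switchport mode trunk
 switchport trunk native vlan 99
!
interface GigabitEthernet2
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet4
 switchport mode trunk
!
interface vlan 1
 ip address 10.0.0.2 255.255.255.0
"""
PARKING_VLAN = "100"  # unused-port VLAN from the design in the question

def parse_interfaces(config):
    """Map each 'interface ...' stanza to its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def setting(lines, prefix, default):
    # last word of the first line starting with prefix, else the switch default
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def audit(config):
    """Return findings where VLAN 1 is still native, carries users, or is routed."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith("vlan"):
            if name.lower().replace("vlan", "").strip() == "1" and "shutdown" not in lines:
                findings.append(f"{name}: VLAN 1 SVI is up")
            continue
        mode = setting(lines, "switchport mode", None)
        if mode == "trunk" and setting(lines, "switchport trunk native vlan", "1") == "1":
            findings.append(f"{name}: trunk native VLAN is 1 (default)")
        elif mode == "access":
            vlan = setting(lines, "switchport access vlan", "1")
            if vlan == "1":
                findings.append(f"{name}: access port in VLAN 1")
            elif vlan == PARKING_VLAN and "shutdown" not in lines:
                findings.append(f"{name}: parked port not shut down")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the three offending stanzas in the sample; a trunk with no explicit native VLAN is reported because the switch default is VLAN 1.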

But if VLAN 1 is tagged and the native and default VLANs are completely different, how is VLAN1 (tagged) any different than VLAN2-4094? What am I missing? I am looking for technical reasons at this point.

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

VLAN 1 has special uses within Cisco switches, which you cannot often directly control.

Although VLAN 1, by default, is often "native", don't confuse tagging (or not tagging) VLAN 1 with what else VLAN 1 does.

OK. So what I am hearing is that even if VLAN1 is not the native VLAN on a trunk link, there are still differences between VLAN1 and other tagged VLANs. Fair enough.

Are you able to list a couple of these special uses of VLAN 1? And what security exploits make it more vulnerable than, say, VLAN 2 (tagged)? I would like to be able to technically defend the justification to move off of VLAN1 (in the scenario provided above).

Thank you,

/wh

Posting

Laugh - student exercise - try searching Cisco's main site, looking for VLAN 1 references and usage warnings, especially security recommendations.

PS:

BTW, if I had any reference links handy, I would provide them, but what I just recommended is what I would need to do to provide them.  ;)
