02-20-2016 07:24 AM - edited 03-08-2019 04:39 AM
I would like to confirm the security implications of VLAN 1 if I propose the following changes in a client design using Cisco SG series L3 switches.
VLAN1: user traffic flows (tagged)
VLAN x: management
VLAN99: native vlan
VLAN100: default vlan (all unused ports get dumped into this vlan and shut down)
Since the native VLAN is set to 99 (INSTEAD of VLAN 1), coupled with the fact that all ports default to VLAN 100, user traffic flows will be TAGGED as VLAN 1. Since VLAN 1 is now tagged, it ?SHOULD? eliminate the security risks that exist when using VLAN 1 as both the native and default VLAN.
Is that reasonable logic? I don't really want to move my user traffic flows off of VLAN 1 as it aligns nicely with a subnet scheme we derived - thus the motivation to just change the default and native VLANs. Is this a reasonable practice?
/wh
02-20-2016 01:12 PM
VLAN 1 should never be used for user traffic. In other words, no access port should be in VLAN 1.
Also, as a best security practice you should always shut down the SVI for VLAN 1.
HTH
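A config audit for the rules in this reply (no access port in VLAN 1, the VLAN 1 SVI shut down, and the trunk native VLAN moved off VLAN 1, as in the design above), written as an added Python example that is not part of this thread; it assumes an IOS-style running-config syntax, which the SG series CLI resembles but does not match exactly, and the sample config is constructed.

```python
import re

# Constructed sample running-config in IOS-like syntax (assumption: the SG series CLI is
# similar but not identical). Gi1/0/1 and Gi1/0/2 violate the rules; Gi1/0/3 is the fixed form.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk native vlan 99
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    # Map each "interface X" stanza to its indented sub-commands; "!" or any
    # non-indented line ends the stanza.
    stanzas: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas

def audit_vlan1(config: str) -> list[tuple[str, str]]:
    # Return (interface, finding) pairs; missing access/native VLAN commands mean VLAN 1 on IOS.
    findings = []
    for name, cmds in parse_interfaces(config).items():
        joined = "\n".join(cmds)
        if name.lower() == "vlan1":
            if "shutdown" not in cmds:
                findings.append((name, "SVI for VLAN 1 is not shut down"))
            continue
        if "switchport mode access" in cmds:
            m = re.search(r"^switchport access vlan (\d+)$", joined, re.M)
            vid = int(m.group(1)) if m else 1
            if vid == 1:
                findings.append((name, "access port carries user traffic in VLAN 1"))
        elif "switchport mode trunk" in cmds:
            m = re.search(r"^switchport trunk native vlan (\d+)$", joined, re.M)
            native = int(m.group(1)) if m else 1
            if native == 1:
                findings.append((name, "trunk native VLAN is 1 (VLAN 1 sent untagged)"))
    return findings
```

Run `audit_vlan1(open("running-config.txt").read())` against a saved config; an empty list means all three rules hold for every parsed interface.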
02-20-2016 04:18 PM
But if VLAN 1 is tagged and the native and default VLANs are completely different, how is VLAN 1 (tagged) any different than VLAN 2-4094? What am I missing? I am looking for technical reasons at this point.
02-21-2016 05:22 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
VLAN 1 has special uses within Cisco switches, which you cannot often directly control.
Although VLAN 1, by default, is often "native", don't confuse tagging, or not, VLAN 1 to what else VLAN 1 does.
02-21-2016 05:40 AM
OK. So what I am hearing is that even if VLAN 1 is not the native VLAN on a trunk link, there are still differences between VLAN 1 and other tagged VLANs. Fair enough.
Are you able to list a couple of these special uses of VLAN 1? And what security exploits make it more vulnerable than, say, VLAN 2 (tagged)? I would like to be able to technically defend the justification to move off of VLAN 1 (in the scenario provided above).
Thank you,
/wh
02-21-2016 04:50 PM
Laugh - student exercise - try searching Cisco's main site - looking for VLAN 1 references and usage warnings - especially security recommendations.
PS:
BTW, if I had any reference links handy, I would provide them, but what I just recommended is what I would need to do to provide them. ;)