Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22183
Views
6
Helpful
4
Replies

Native VLAN and the "Black Hole"

Go to solution
snared04drummer
Level 1
Level 1

‎01-05-2015 07:34 AM - edited ‎03-07-2019 10:05 PM

While reviewing the configuration of a network that I'm supporting, it seems that the original design of the network has the black hole VLAN as the native VLAN.  At the least this seems incorrect, and possibly very dangerous, but I'm not exactly sure why or how to articulate that.  Can someone confirm or deny this suspicion?

In addition, I had two further questions regarding the practice of using a black hole VLAN:

1.  If you have any unused ports, it seems more practical to just admin down these ports instead of creating an unused VLAN.  Is there some added advantage to ALSO putting these ports in an unused VLAN (e.g. 999)?  If the port was needed, you can simply admin up the port, during which time you could also change any needed VLAN configurations.  In other words, you'd have to log into the device and make changes whether you went with the admin down method, the Black Hole VLAN method, or both.  So what's the point?

2. Assuming you do use the Black Hole VLAN as an added security method, I feel that including that VLAN in the "switchport trunk allowed vlan" command is counterproductive, but I'm not fully able to articulate why.  Can someone help me with this?

 

Thanks for any information or suggestions that you may have.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to snared04drummer

‎01-05-2015 09:23 AM

If you -

a) put all your unused ports into the native vlan

and

b) all the ports were up

then you could be open to a vlan hopping attack although I'm not sure whether this is still applicable to all modern switches. See this link for details of how it works (you want the double-tagging section) -

http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10

Jon

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-05-2015 08:40 AM

Assuming you mean a vlan for unused ports when you refer to a black hole vlan. If so the key things are  -

a) that vlan does not have a L3 vlan interface (SVI) for it as there is no need to route it

b) any unused ports are shutdown

if you follow the above then I can't see the danger in using the native vlan but I wouldn't do it regardless of that. I would have a dedicated native vlan and a separate vlan for unused ports.

To  my mind there should be no ports allocated to the native vlan (other than trunk ports obviously).

The benefit of using a dedicated vlan for unused ports is -

a)  it provides an additional level of security. People make mistakes and having to do multiple things to enable a port requires more attention than simply doing a "no shut" on the interface.

The more attention someone is paying the more likely they will get it right or at least the less likely they will make a mistake.

b) if you don't use an unused vlan you are leaving all the ports in the default vlan which is vlan 1 and this should be avoided as this vlan is overused already eg. switch control plane traffic is sent on this vlan for example and often the switch management interfaces are in this vlan.

As far as allowing the unused vlan on trunk links it is totally unnecessary and in fact you really don't want to do that. The idea of the unused vlan is for non communication so it would make no sense to allow it on trunk links.

In my last place of work we used vlan 998 as the unused vlan and vlan 999 as the native vlan.

Neither had an SVI for it.

If by black hole vlan you meant something else then please clarify.

Jon

 

Go to solution
snared04drummer
Level 1
Level 1
In response to Jon Marshall

‎01-05-2015 08:40 AM

I agree.  In my mind, it seems like poor design to designate the unused (i.e. Black Hole) VLAN as the native VLAN, but when trying to justify a change for a few hundred/thousand devices, I'm unable to articulate the kind of problems that can arise from this.  That's the information I was really looking for, so I'll have something to point to when making this recommendation

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to snared04drummer

‎01-05-2015 09:23 AM

If you -

a) put all your unused ports into the native vlan

and

b) all the ports were up

then you could be open to a vlan hopping attack although I'm not sure whether this is still applicable to all modern switches. See this link for details of how it works (you want the double-tagging section) -

http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10

Jon

 

0 Helpful

Go to solution
snared04drummer
Level 1
Level 1
In response to Jon Marshall

‎01-05-2015 09:33 AM

And there it is.  That's what I was looking for.  Much appreciated.

0 Helpful
Customers Also Viewed These Support Documents