Native VLAN question

pfrancis3
Level 1

Hello, I understand best practice is to assign a dummy, unused VLAN as the native VLAN on a new switch setup. However, at my workplace I have noticed that the management VLAN is being used as the native e.g. the native VLAN has been changed from VLAN 1 to VLAN 50 (our existing management VLAN).

Is this bad practice i.e. is this not exposing the management traffic to potential VLAN hopping attacks ? This management VLAN is a live VLAN that we use to reach all of our devices.

Have any of you ever seen the management VLAN being used as the native VLAN ?

Thanks for any advice.

6 Replies

Reza Sharifi
Hall of Fame

Hi,

Yes, it is not uncommon to use the native VLAN as the management VLAN, but best practice is not to use VLAN 1 as the native VLAN. You can simply use a different VLAN as the native, management VLAN.

HTH

Thanks Reza, what I meant was that the native VLAN has been changed from VLAN 1 to VLAN 50 (which is our management VLAN).

Is this OK, or if not, why is it a bad idea ?

Thanks kindly.

Hi,

Yes, changing it from 1 to 50 is a good idea and best practice.

HTH 

Thanks, but would it not be better to change it from the default native VLAN 1 to a dummy VLAN rather than to a working, live VLAN such as our management VLAN?

If it would be better, then for what reasons ?

Thanks kindly.

If you need to use the native VLAN, it's best practice to use any other VLAN but 1.

It's also best practice to shut down the SVI for VLAN 1 and take all unused ports out of VLAN 1 and put them in a dummy VLAN that is not routable (example: 999).

HTH

Tausif Gaddi
Level 1

The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.

It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).

Management VLAN is different; it means that this VLAN will be used for management purposes: logging into the switch for management, monitoring the switch, collecting syslog and SNMP traps, etc. will be done via the management VLAN IP. This is also, by default, VLAN 1 on Cisco. So, as Antony said, it is always a best practice and security measure to not use the default VLAN and to use custom VLANs.
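As an added Cisco IOS configuration example (not posted by anyone in this thread), here is what the advice from Reza and Tausif looks like on one access switch: the "before" state the original poster describes (the live management VLAN 50 doubles as the native VLAN, VLAN 1's SVI is still up, spare ports sit in VLAN 1) beside the hardened state (native VLAN moved to an unused, unroutable VLAN 999, management kept tagged on the trunk, VLAN 1 SVI shut, spare ports parked in 999 and disabled). The interface names, the 10.50.0.11 address and the allowed VLAN list 10,20,50 are placeholders for illustration; only VLAN 50 and VLAN 999 come from the thread.

```cisco
! ===== BEFORE (as described in the thread) =====
! Untagged frames arriving on this trunk are placed in VLAN 50, i.e. straight
! into the management VLAN, and DTP is left enabled on the uplink.
interface GigabitEthernet1/0/48
 description UPLINK-TO-CORE (placeholder name)
 switchport mode trunk
 switchport trunk native vlan 50
!
interface Vlan1
 no shutdown
!
interface Vlan50
 description MANAGEMENT
 ip address 10.50.0.11 255.255.255.0
!
! ===== AFTER (hardened) =====
vlan 50
 name MANAGEMENT
vlan 999
 name NATIVE-UNUSED
!
! Tag frames in the native VLAN as well, so nothing rides the trunk untagged.
! Platform-dependent: check "vlan dot1q tag native" is supported on your model.
vlan dot1q tag native
!
interface GigabitEthernet1/0/48
 description UPLINK-TO-CORE (placeholder name)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,50
!
! Management VLAN 50 stays a normal tagged VLAN on the trunk; only the SVI
! carries the switch's management address.
interface Vlan50
 description MANAGEMENT
 ip address 10.50.0.11 255.255.255.0
!
! VLAN 1 keeps no Layer 3 presence on this switch.
interface Vlan1
 shutdown
!
! Spare ports: access mode, parked in the unused VLAN, and administratively down.
interface range GigabitEthernet1/0/40 - 47
 description UNUSED
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

Note that VLAN 999 has no SVI and carries no access ports that are up, so the native VLAN is a dead end even if an untagged frame does reach the trunk. Verify with `show interfaces trunk` (native VLAN should read 999 on both ends of every trunk; a mismatch merges two VLANs) and `show vlan brief` (only the parked, shut ports should appear in 999).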
