01-01-2017 06:16 PM - edited 03-08-2019 08:46 AM
Hello, I understand best practice is to assign a dummy, unused VLAN as the native VLAN on a new switch setup. However, at my workplace I have noticed that the management VLAN is being used as the native e.g. the native VLAN has been changed from VLAN 1 to VLAN 50 (our existing management VLAN).
Is this bad practice, i.e. is this not exposing the management traffic to potential VLAN hopping attacks? This management VLAN is a live VLAN that we use to reach all of our devices.
Have any of you ever seen the management VLAN being used as the native VLAN?
Thanks for any advice.
01-01-2017 06:41 PM
Yes, it is not uncommon to use the native VLAN as the management VLAN, but best practice is not to use VLAN 1 as the native VLAN. You can simply use a different VLAN as the native, management VLAN.
01-01-2017 06:48 PM
Thanks Reza, what I meant was that the native VLAN has been changed from VLAN 1 to VLAN 50 (which is our management VLAN).
Is this OK, or if not, why is it a bad idea?
01-01-2017 06:55 PM
Yes, changing it from 1 to 50 is a good idea and best practice.
01-01-2017 07:41 PM
Thanks, but would it not be better to change it from the default native VLAN 1 to a dummy VLAN rather than to a working, live VLAN such as our management VLAN?
If it would be better, then for what reasons?
01-01-2017 08:22 PM
If you need to use the native VLAN, it's best practice to use any other VLAN but 1.
It's also best practice to shut down the SVI for VLAN 1 and take all unused ports out of VLAN 1 and put them in a dummy VLAN that is not routable (example 999).
01-18-2017 12:55 AM
The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
The management VLAN is different: it is the VLAN used for management purposes, such as logging into the switch for management, monitoring the switch, collecting syslog and SNMP traps, etc., which are done via the management VLAN IP. This is also VLAN 1 by default on Cisco. So, as Antony said, it is always a best practice and security measure not to use the default VLAN and to use custom VLANs.
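The replies above amount to a short checklist for a Cisco switch config: no trunk left on native VLAN 1, the native VLAN set to an unused VLAN rather than the live management VLAN (so management rides tagged), the VLAN 1 SVI shut down, and unused ports parked in a dummy VLAN and shut. The script below is an added example, not something posted by any participant in this thread or taken from Cisco. It parses `show running-config` text and flags deviations from that checklist. The two embedded configs are constructed for illustration: `BEFORE` is the setup the original poster describes (native VLAN = management VLAN 50), `AFTER` is the same switch corrected as the replies suggest. The management VLAN number (50) and dummy VLAN number (999) are assumptions taken from the thread, not anything the script discovers on its own.

```python
"""Audit Cisco IOS running-config text for the native/management VLAN points in the thread."""
import re

MGMT_VLAN = 50    # assumption: the thread's management VLAN
DUMMY_VLAN = 999  # assumption: unused, unrouted VLAN for the native VLAN and parked ports

# Constructed sample (not a real device): native VLAN is the live management VLAN,
# the VLAN 1 SVI is left up, and an unused port is left in VLAN 1 and enabled.
BEFORE = """\
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport trunk native vlan 50
 switchport trunk allowed vlan 10,20,50
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description unused
!
interface Vlan1
 no ip address
!
interface Vlan50
 description management
 ip address 10.0.50.2 255.255.255.0
!
"""

# Constructed sample: same switch after applying the advice in the replies.
AFTER = """\
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,50
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description unused
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 description management
 ip address 10.0.50.2 255.255.255.0
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} from running-config text.

    IOS indents an interface's sub-commands by one space and ends the block
    with '!' or the next top-level command.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line closes the block
    return blocks


def _vlan_after(cmds, prefix, default=1):
    """VLAN number following `prefix` in the block; IOS defaults to VLAN 1 when absent."""
    for cmd in cmds:
        match = re.fullmatch(prefix + r" (\d+)", cmd)
        if match:
            return int(match.group(1))
    return default


def audit(config: str, mgmt_vlan: int = MGMT_VLAN) -> list:
    """Return (interface, problem) pairs for each deviation from the thread's checklist."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        shut = "shutdown" in cmds
        if name.lower() == "vlan1":
            if not shut:
                findings.append((name, "VLAN 1 SVI is not shut down"))
            continue
        if name.lower().startswith("vlan"):
            continue  # other SVIs are outside this check
        if "switchport mode trunk" in cmds:
            native = _vlan_after(cmds, "switchport trunk native vlan")
            if native == 1:
                findings.append((name, "trunk uses default native VLAN 1"))
            elif native == mgmt_vlan:
                findings.append((name, f"native VLAN {native} is the management VLAN; "
                                       f"use an unused VLAN (e.g. {DUMMY_VLAN}) and carry management tagged"))
        elif not shut:
            # Access or unconfigured port: IOS puts it in VLAN 1 unless told otherwise.
            if _vlan_after(cmds, "switchport access vlan") == 1:
                findings.append((name, "enabled port sits in VLAN 1; move unused ports to a dummy VLAN and shut them"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for iface, msg in audit(cfg):
            print(f"  {iface}: {msg}")
```

Run against `BEFORE` it reports three findings (the trunk's native VLAN equals the management VLAN, the unused port sits enabled in VLAN 1, and the VLAN 1 SVI is up); against `AFTER` it reports none. The checks only cover what the thread discusses; a real audit would also look at `switchport nonegotiate`, `vlan dot1q tag native`, and the allowed-VLAN list on each trunk.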