10127 Views, 20 Helpful, 17 Replies

Native VLANs (securing 802.1q trunks)

ajenks
Level 1

I was reviewing the document :

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39211

Regarding "Double-Encapsulated 802.1Q/Nested VLAN Attack", where the document makes the recommendation to "clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose."

Looking at a 3750 stack, I have multiple 802.1q trunks. I cannot see a way to either clear the native VLAN, or set the "802.1q-all-tagged" mode. I can however, change the native VLAN to one that is not defined (is this the same as "unused"?).

Switch1(config-if)#switchport trunk native vlan 99
VLAN id 99 not found in current VLAN configuration
VLAN id 99 not found in current VLAN database

Switch1#sh int trun

Port        Mode         Encapsulation  Status        Native vlan
Po10        on           802.1q         trunking      99

Is this document/concern still valid, and is the above a suitable way of dealing with this potential issue?

Should VLAN 1 actually show any active ports under a "sh vlan"? I have seen several comments regarding "Don't use VLAN 1", but do these mean don't use this VLAN for production traffic, or that it should be removed from all ports?

The objective here is to reduce exposure to any type of compromise of VLAN separation.
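One way to check a switch against the white paper's recommendation quoted above (native VLAN on every trunk is a defined but otherwise unused VLAN, and not VLAN 1), as an added example that is not part of the original post or of Cisco's own tooling. The two text blocks are constructed samples that resemble "show interfaces trunk" and "show vlan brief" output; the function names, VLAN numbers and port names are this example's own assumptions. A native VLAN that is not in the VLAN database (the poster's case) is reported separately rather than passed, so that question stays visible for review.

```python
"""Audit native VLANs on Cisco IOS 802.1Q trunks (added example, not from the post)."""
import re

# Constructed sample of the first table printed by "show interfaces trunk".
SHOW_INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Po10        on           802.1q         trunking      99
Gi1/0/1     on           802.1q         trunking      1
Gi1/0/2     on           802.1q         trunking      20
Gi1/0/3     on           802.1q         trunking      999
"""

# Constructed sample of "show vlan brief". Only access ports appear in the
# Ports column; trunk ports are not listed per VLAN here.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/5, Gi1/0/6
10   servers                          active    Gi1/0/7, Gi1/0/8
20   users                            active    Gi1/0/9, Gi1/0/10,
                                                Gi1/0/11
99   native-unused                    active
"""

# Port, Mode, Encapsulation, Status, Native vlan (the header row has no digits
# in the last column, so it does not match).
TRUNK_ROW = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+\s+(\d+)\s*$")
# VLAN id, Name, Status, then whatever port list follows (possibly empty).
VLAN_ROW = re.compile(r"^(\d+)\s+\S+\s+\S+\s*(.*)$")


def parse_trunks(text):
    """Map trunk port -> native VLAN id from 'show interfaces trunk'."""
    trunks = {}
    for line in text.splitlines():
        m = TRUNK_ROW.match(line)
        if m:
            trunks[m.group(1)] = int(m.group(2))
    return trunks


def parse_vlan_ports(text):
    """Map VLAN id -> set of access ports from 'show vlan brief'.

    Port lists that wrap onto indented continuation lines are folded into
    the VLAN whose row started them.
    """
    vlans = {}
    current = None
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = set()
            port_text = m.group(2)
        elif current is not None and line.startswith(" ") and line.strip():
            port_text = line  # continuation of the previous VLAN's port list
        else:
            continue
        vlans[current].update(p.strip() for p in port_text.split(",") if p.strip())
    return vlans


def classify_native(native, vlans):
    """Return the finding for one trunk's native VLAN."""
    if native == 1:
        return "vlan1"       # default PVID; untagged frames land in VLAN 1
    if native not in vlans:
        return "undefined"   # not in the VLAN database: review, do not pass
    if vlans[native]:
        return "in-use"      # access ports live in the native VLAN
    return "ok"              # defined and carrying no ports, as the paper advises


def audit(trunks, vlans):
    """Return {trunk port: finding} for every trunk."""
    return {port: classify_native(native, vlans) for port, native in trunks.items()}


def natives_consistent(trunks):
    """True when all trunks share one native VLAN, as the paper recommends."""
    return len(set(trunks.values())) <= 1


if __name__ == "__main__":
    trunks = parse_trunks(SHOW_INT_TRUNK)
    vlans = parse_vlan_ports(SHOW_VLAN_BRIEF)
    for port, finding in audit(trunks, vlans).items():
        print(f"{port:<12} native {trunks[port]:<5} {finding}")
    print("same native VLAN on all trunks:", natives_consistent(trunks))
```

Paste the real output of the two show commands into the constants (or read them from files) and the script reports, per trunk, whether the native VLAN is VLAN 1, is shared with access ports, is undefined, or is an unused VLAN as the paper describes.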

17 Replies

Milan / Peter

AFAIK, no other vendor is using native VLAN. So it was invented by Cisco, I think.

That's a really interesting point. The IEEE 802.1Q standard makes no mention of a "native" VLAN as Peter says, but it does talk about a default PVID which is VLAN 1. So VLAN 1 VID is a reserved value in the 802.1Q standard. So by default any frame received on a port has PVID of VLAN 1. So I guess this is the closest we get to a "native" VLAN.

I think "native" is a misleading term altogether. I too am not a fan of the native VLAN concept or the confusion it causes. I think "default" is a better word altogether. Using "default" implies that without a tag there is a default to fall back to, i.e. VLAN 1, but if there is a tag then that will override the default value.


The 802.1Q standard also specifies that this default PVID of 1 can indeed be changed to another PVID.

So I think the concept of a "native" or default VLAN is specified in the 802.1Q standard, i.e. it is not a Cisco invention.

Jon

Milan, Jon,

Regarding the "native" VLAN support with other vendors: I can confirm that both HP ProCurve and Siemens switches have the concept of a native VLAN. They do not call it that way, but when a port is assigned to a VLAN in the configuration of these switches, it is either tagged or untagged. A configuration snippet from an HP ProCurve switch:

vlan 11
   name "StudentVLAN"
   untagged 1-48
   no ip address
   tagged Trk1
   ip igmp
   exit

The ports 1 to 48 are assigned to the VLAN 11 as untagged (i.e. native in Cisco parlance) and the Trk1 (which is the HP name for an EtherChannel) is tagged (i.e. a trunk in Cisco parlance).

Regarding the alternate name for a native VLAN, Jon suggested using the "default" VLAN. That's a pretty nice name, actually. I would personally vouch for "untagged", but the more I think, the more I prefer yet another: "deprecated".

Best regards,

Peter

Hi Peter,

I've got similar experience with 3Com switches: You can configure a VLAN on a trunk as untagged.

I'm not sure if it's even possible to configure several VLANs as untagged (joining to one effectively).

But the difference with Cisco is: You have to configure one VLAN as a native on Cisco switches. (This is what I call "Cisco native VLAN concept".)

Luckily, the latest IOS provides the native VLAN tagging feature, but my understanding is this is a global configuration parameter, so you can't tag the native VLAN on one trunk and leave it untagged on another one.

BR,

Milan
