Security Best Practices for 802.1Q Native VLAN

limtohsoon
Level 1

Hi Sir,

I'd like to know the security best practices for configuring the Native VLAN on a 802.1Q trunk. I usually leave it at the default VLAN 1, which I don't use for user traffic. Sample config as follows:

!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode dynamic desirable
!

Please advise.

Thank you.

B.Rgds,

Lim TS


Collin Clark
VIP Alumni

We use a null vlan that has no layer 3 so untagged packets can't go anywhere.

switchport trunk native vlan 123

HTH and please rate.

Jon Marshall
Hall of Fame

Hi

We do the same as the previous poster in that we use a non-routed vlan which never has any ports assigned to it.

Attached is a link to the Cisco best practice doc for Catalyst IOS switches which has info on the native vlan and why vlan 1 should be avoided.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#cg18

HTH

pciaccio
Level 4

For best security practices, use a VLAN other than VLAN 1. This way you will have no issues with native VLAN cross bleeding from any other type of switch that has VLAN 1 in it. Set your native VLAN to a VLAN that is out of the ordinary and not used for any layer 3 routing.

Hi All,

Thanks for your responses.

Say, all the switches are in the same VTP management domain. From what I understand from you all, I would need to create a unique VLAN, e.g. VLAN 123, which is neither used for user traffic nor any layer 3 routing. Then configure all 802.1Q trunk links with VLAN 123 as the native VLAN.

Correct me if I'm wrong.

Thank you.

B.Rgds,

Lim TS

Hi Lim

Yes you have understood correctly. Make sure you configure both ends of the trunk with the same native vlan number.

FYI - Cisco recommend vlan 999 for use as the native vlan but any vlan number that is not currently in use can be used.

HTH
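Putting the thread's recommendations together, here is a complete configuration added as an example; it is not taken from any of the posts above. It shows the original post's trunk (native VLAN left at the default, VLAN 1) next to the corrected version: a dedicated VLAN 999 (the number mentioned above; any unused VLAN ID works) that carries no access ports and has no SVI, set as the native VLAN on both ends of the dot1q trunk, followed by the show commands used to confirm both ends agree. The interface descriptions, the VLAN name, the allowed-VLAN list and the neighbour names are assumptions. The static trunk mode with DTP negotiation switched off replaces the dynamic desirable mode of the original post and goes beyond what the thread itself says.

```cisco
! --- Before: the trunk from the original post (native VLAN is the default, 1) ---
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
! --- After: a dedicated, non-routed, otherwise unused native VLAN ---
! Create the VLAN once on a VTP server in the domain (or on every switch
! if VTP is transparent). The name is an assumed example; pick one that
! makes its purpose obvious so nobody later assigns an access port or an
! SVI to it.
vlan 999
 name NATIVE-UNUSED
!
! Deliberately no "interface Vlan999": with no SVI, untagged frames that
! arrive on the trunk have no Layer 3 exit from this VLAN.
!
! Trunk towards the neighbouring switch (Switch-B is an assumed name).
! The native VLAN must be 999 on BOTH ends; a mismatch is exactly what
! lets untagged frames leak into the wrong VLAN. The allowed list is an
! assumed example and leaves 999 out on purpose: a native VLAN that is
! not in the allowed list is not forwarded across the trunk at all.
interface GigabitEthernet0/1
 description Trunk to Switch-B Gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
! The other end (Switch-B), same native VLAN number.
interface GigabitEthernet0/1
 description Trunk to Switch-A Gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
! --- Verification, run on each switch ---
! The "Native vlan" column must read 999 on every trunk port:
!   show interfaces trunk
! VLAN 999 must list no ports:
!   show vlan id 999
! No SVI may exist for it (expect no output):
!   show ip interface brief | include Vlan999
! A Cisco neighbour advertises its own native VLAN over CDP; the two
! values must match:
!   show cdp neighbors detail | include Native
```

If the two ends ever disagree, IOS logs a %CDP-4-NATIVE_VLAN_MISMATCH message for the port, which is worth alerting on. As a further hardening step on platforms that support it (it is a global command on many Catalyst models but not all), `vlan dot1q tag native` makes the switch tag native-VLAN frames too, so an attacker can no longer rely on an untagged frame being treated as native; that option is not discussed in the thread and should be checked against the platform documentation before use.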