I am trying to formalize the best practices for hardening a Cisco-only switch infrastructure, but I want to understand why each step is necessary. I have outlined the recommendations I have heard, and the justifications for them as I understand them, below, with the exception of the last recommendation, which I still don't understand.
1. Change the native VLAN to 99 (something that is not a data VLAN and not 1).
Reason 1.a. Forces VLAN 1 traffic to be tagged (it can then be dropped by not including VLAN 1 in the trunk's allowed VLAN list).
Reason 1.b. Forces untagged traffic to be tagged, to help thwart VLAN hopping/double encapsulation (sounds like something the IOS should already be doing/is already doing).
2. Change the management VLAN (say, to VLAN 10) and place the in-band SVIs on this VLAN.
Reason 2.a. Forces an IVR to be involved and vet traffic.
Reason 2.b. Prevents someone placed into the default access VLAN 1 from being on the management network/having access to the SVI without passing through an IVR's ACLs.
3. Only allow the data/voice/management VLANs on the trunk --> drop VLAN 1 (default VLAN) and VLAN 99 (native VLAN).
Reason 3.a. Prevents anyone placed in the default VLAN from getting beyond the switch.
Reason 3.b. Control plane traffic will be sent even if VLAN 99 is not allowed, so why keep it (no DTP being used)?
4. Set all unused ports to a blackhole VLAN other than VLAN 1 and VLAN 99, and shut them down.
Reason: Unsure
My questions:
Does the advice in #1 actually force tagging of VLAN 1, or does it just treat VLAN 1 as VLAN 99 across the trunk? If the latter is true, why bother changing the native VLAN (assuming VLAN hopping is not a modern concern)? Further, if this is true, not allowing VLAN 1 on the trunk would solve both #1's untagged-traffic concerns and #4's unused-port concerns.
If this is not true, I still do not understand why the blackhole VLAN should be separate from VLAN 1 or VLAN 99, assuming that #3 has been followed and VLAN 1 & 99 are disallowed from the trunk. (Except for maybe human reasons: forcing an admin to think about what VLAN should be used when performing a no shut later.) This would mean that the default VLAN, VLAN 1, would be a blackhole (not routed, and not even carried across the trunk), thus meeting the blackhole requirement.
Any advice or sources would be greatly appreciated. I have found discussions on all four of these recommendations individually, but not all together. Perhaps not all four recommendations above need to be done together, but only a sampling?
Thanks,
Robert
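The four recommendations from the post, written out as one Cisco IOS configuration. This is an added example, not configuration from the original post; the VLAN numbers 20/30/999, the interface names and the 10.10.10.0/24 management subnet are assumptions chosen for illustration. The comments note what each command actually does on the wire, which is the crux of question #1: with the native VLAN set to 99, VLAN 1 frames are sent tagged on the trunk, while VLAN 99 frames still leave untagged unless the global "vlan dot1q tag native" command is also configured.

```cisco
! --- VLAN definitions (20, 30 and 999 are assumed values for this example)
vlan 10
 name MGMT
vlan 20
 name DATA
vlan 30
 name VOICE
vlan 99
 name NATIVE-UNUSED
vlan 999
 name BLACKHOLE
!
! --- Recommendation 1: native VLAN 99 on the trunk.
! With this alone, VLAN 1 frames cross the trunk tagged (VID 1) and VLAN 99
! frames cross untagged. The following global command makes the switch tag
! native-VLAN frames as well (supported on most Catalyst platforms).
vlan dot1q tag native
!
! --- Recommendation 3: only data/voice/management VLANs allowed on the trunk;
! VLAN 1 and VLAN 99 are left out of the allowed list.
interface GigabitEthernet1/0/48
 description UPLINK-TO-CORE (interface name assumed)
 switchport trunk encapsulation dot1q   ! only accepted on platforms that also support ISL
 switchport mode trunk
 switchport nonegotiate                 ! no DTP, so the trunk is static
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30
!
! --- Recommendation 2: management SVI on VLAN 10, VLAN 1 SVI unused.
! The IVR ACL described in the post lives on the routing device; on the switch
! itself, reachability to the vty lines is limited with access-class.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255            ! management subnet (assumed)
 deny   any log
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MGMT
 ip address 10.10.10.2 255.255.255.0    ! address assumed
 no shutdown
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! --- Recommendation 4: unused ports parked in the blackhole VLAN and shut.
! Ports are access ports in a VLAN that is neither VLAN 1 nor the native VLAN,
! and VLAN 999 is not in the trunk's allowed list, so even a port brought up
! by mistake cannot reach the uplink.
interface range GigabitEthernet1/0/10 - 47
 description UNUSED
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

After applying this, "show interfaces trunk" should list VLAN 99 as the native VLAN and 10,20,30 as the allowed VLANs on the uplink, and "show interfaces GigabitEthernet1/0/10 switchport" should show access mode in VLAN 999 with the port administratively down.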