
Why Vlan 1 is so insecure ?

Roger.Nature
Level 1

Hello guys,

I am trying to understand why VLAN 1 is so insecure. Any help would be appreciated!

Thanks in advance


5 Replies

Seb Rupik
VIP Alumni

Hi there,

Keep in mind two facts about the default configuration on Cisco switches: by default all switchports are in VLAN1, and on a trunk link VLAN1 is the native VLAN.

So this means that a device connected to a default switchport on one switch could communicate at Layer 2 with a device somewhere else on your network which is also in VLAN1. Essentially you have a broadcast domain which you have not explicitly designed. From a security perspective we like networks which are explicitly defined; that way we know what traffic to expect... to a certain degree!

To mitigate this problem there are two fixes. The first is to place all unused switchports in a VLAN other than 1. Whatever this VLAN ID is, it should not be trunked off the switch.

Combine this with defining the native VLAN ID on your trunk links as a number other than 1 (at both ends of the link). This ensures VLAN1 is actually tagged on the trunk link.

Both of these steps help to break up, and give visibility to, the VLAN1 broadcast domain.

...and remember VLAN1 is used by control traffic, so don't try blocking it; just don't try mixing user traffic in with it.

Cheers,

Seb.

Thank you so much Seb for taking the time to provide that response. Very helpful!!

luis_cordova
VIP Alumni

Hi @Roger.Nature,

VLAN 1 itself is not insecure, even though many still use it.

The insecure thing is that everyone knows it is the default VLAN.

And, as already mentioned, you can be a victim of attacks through this vulnerability. Therefore it is recommended not to use it for switching/routing end devices.

It is also recommended to leave ports that are not in use disabled (shutdown).

Regards
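As an added example (not code from either reply), here is a small Python audit that checks a switch running-config against the recommendations in both replies above: active access ports still in VLAN 1, trunks whose native VLAN is still 1, trunks that carry the "parking" VLAN for unused ports, and unused ports left without `shutdown`. The sample config, the interface names and the parking VLAN number 999 are constructed for this example.

```python
import re

# Constructed IOS running-config sample (not from the thread): Gi1/0/1 is factory-default,
# Gi1/0/2 is parked in VLAN 999 and shut, Gi1/0/23 is a hardened trunk, Gi1/0/24 a default one.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""
PARKING_VLAN = 999  # assumed VLAN for unused ports; it must never be trunked off the switch

def parse_interfaces(config):
    """Map each 'interface X' block to its indented config lines, stripped."""
    blocks = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in blocks}

def vlan_in_list(vlan, spec):
    """True if vlan falls inside an IOS allowed-vlan spec ('10,20,30-40', 'all' or 'none')."""
    if spec in ("all", "none"):
        return spec == "all"
    ranges = (p.partition("-") for p in spec.split(","))
    return any(int(lo) <= vlan <= int(hi or lo) for lo, _, hi in ranges)

def audit_vlan1(config, parking_vlan=PARKING_VLAN):
    """Return (interface, finding) pairs for the VLAN 1 exposures discussed above."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        text = "\n".join(lines)
        native = re.search(r"^switchport trunk native vlan (\d+)$", text, re.M)
        allowed = re.search(r"^switchport trunk allowed vlan (\S+)$", text, re.M)
        access = re.search(r"^switchport access vlan (\d+)$", text, re.M)
        if "switchport mode trunk" in lines:
            if native is None or native.group(1) == "1":  # VLAN 1 rides the trunk untagged
                findings.append((name, "native VLAN is 1"))
            if allowed is None or vlan_in_list(parking_vlan, allowed.group(1)):
                findings.append((name, f"parking VLAN {parking_vlan} is trunked"))
        elif "shutdown" not in lines and (access is None or access.group(1) == "1"):
            findings.append((name, "active port left in default VLAN 1"))
    return findings
```

Run `audit_vlan1(SAMPLE_CONFIG)` (or pass the text of `show running-config`) to get the list of flagged interfaces; only Gi1/0/2 and Gi1/0/23 come back clean in the sample.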

Thank you so much!! I really appreciate it!!!
