Native VLAN in wireless and security recommendations

rodrigoaantunes
Level 1

Hello, there is a Cisco recommendation that says the native VLAN has to be an unused VLAN (a dummy VLAN) in order to prevent VLAN hopping attacks.

How do I achieve this in a wireless scenario?

I have a virtual wireless controller and a lot of FlexConnect APs in local switching mode.

The AP management interface is in VLAN 2.

The AP ports on the switches are trunks with native VLAN 2. If I change the native VLAN to a dummy VLAN, the APs don't work.

So how can I achieve the Cisco recommendation? I think it is insecure to allow the management traffic in the native VLAN.
Accepted Solution

JPavonM
VIP

That Cisco recommendation is for trunk ports connecting switches, not for trunk ports facing end devices such as APs or VoIP phones, where the native VLAN is normally used to host the device itself.

OR, you can use a dummy native VLAN, set up the management VLAN with a tag and configure that under the "WLAN VLAN mapping" section, but for that you need to pre-stage the AP, so it adds admin tasks.

I would recommend not using dummy VLANs facing APs or phones.
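As an added example (not part of the thread and not a Cisco tool), here is a small Python audit that applies the distinction JPavonM draws, together with the points raised later in the thread by Saikat Nandy (never VLAN 1 as native) and MHM (the native VLAN must stay in the trunk allowed list for the AP to work): on a switch-to-switch trunk the native VLAN should be an otherwise unused VLAN, while on an AP- or phone-facing trunk the native VLAN hosts the device itself, so it is expected to be in use but must remain allowed. The running-config it reads is constructed for the example; the port-description keywords used to tell uplinks from AP/phone ports are an assumption of the script, not something IOS provides, and the parser understands only the plain `switchport trunk allowed vlan <list>` form.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample running-config (not from the thread). Port descriptions
# are the only hint used to tell uplinks from AP/phone ports; that heuristic
# is an assumption of this example, not an IOS feature.
SAMPLE_CONFIG = """\
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description UPLINK to core
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description UPLINK to distribution
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/10
 description AP flex local switching
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 description AP flex local switching, dummy native by mistake
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
"""

@dataclass
class Port:
    name: str
    description: str = ""
    mode: str = ""                      # "trunk", "access" or "" if unset
    native_vlan: int = 1                # IOS default native VLAN
    allowed: Optional[Set[int]] = None  # None = all VLANs (IOS default)

def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '2,10-12,20' into a set of ints."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_config(text: str) -> Tuple[List[Port], Set[int]]:
    """Collect physical switchports and the VLAN IDs that have an SVI."""
    ports: List[Port] = []
    svis: Set[int] = set()
    cur: Optional[Port] = None
    for line in text.splitlines():
        if line.startswith("interface "):
            m = re.fullmatch(r"interface Vlan(\d+)", line)
            cur = None if m else Port(line.split(" ", 1)[1])
            if m:
                svis.add(int(m.group(1)))
            else:
                ports.append(cur)
        elif cur is not None and line.startswith(" "):
            cmd = line.strip()
            if cmd.startswith("description "):
                cur.description = cmd[len("description "):]
            elif cmd.startswith("switchport mode "):
                cur.mode = cmd.split()[-1]
            elif cmd.startswith("switchport trunk native vlan "):
                cur.native_vlan = int(cmd.split()[-1])
            elif cmd.startswith("switchport trunk allowed vlan "):
                cur.allowed = parse_vlan_list(cmd.split()[-1])  # plain list form only
    return ports, svis

# Assumed convention: AP/phone-facing ports say so in their description.
DEVICE_RE = re.compile(r"\b(ap|aps|access point|phone|flex)\b", re.I)

def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (interface, level, message) for every trunk that breaks a rule."""
    ports, svis = parse_config(text)
    trunks = [p for p in ports if p.mode == "trunk"]
    # VLANs that carry traffic on this switch: SVIs plus every VLAN explicitly
    # allowed on some trunk ('allowed all' trunks contribute nothing here).
    used = set(svis).union(*(p.allowed for p in trunks if p.allowed is not None))
    findings = []
    for p in trunks:
        nv = p.native_vlan
        carried = p.allowed is None or nv in p.allowed
        if DEVICE_RE.search(p.description):
            # The AP/phone itself lives untagged in the native VLAN, so that VLAN
            # is expected to be in use, but it must stay in the allowed list.
            if not carried:
                findings.append((p.name, "error", f"native VLAN {nv} pruned from trunk; untagged AP/phone traffic is dropped"))
        elif nv == 1:
            findings.append((p.name, "warn", "native VLAN is the default VLAN 1"))
        elif nv in used:
            findings.append((p.name, "warn", f"uplink native VLAN {nv} is in use elsewhere; use a dummy VLAN"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags GigabitEthernet1/0/1 (an uplink using the in-use AP management VLAN 2 as native) and GigabitEthernet1/0/12 (an AP port whose native VLAN was moved to the dummy VLAN 999 while 999 is not allowed on the trunk, so the AP's untagged traffic is dropped), and accepts GigabitEthernet1/0/2 (dummy native VLAN 999, not used anywhere else on the switch) and GigabitEthernet1/0/10 (AP port with native VLAN 2 carried on the trunk, the pattern JPavonM recommends). The script only checks the narrow "native not allowed" condition on device ports; it cannot tell whether a native VLAN that is allowed actually has a path to the WLC.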

14 Replies

Do you use a WLC 9800?

MHM

No, it is the old virtual wireless controller, version 8.5

So you use flex APs and AireOS.
There is an option in WLAN VLAN mapping to set the native VLAN the AP will use.
Make sure that native VLAN matches the AP trunk native VLAN.

[screenshot: cisco17.png]

What does the "override VLAN on AP" option actually do? Why do I need this option?

No, the NATIVE VLAN option is the only one you need.
Keep the other options at their defaults.

MHM

But do you know what that option does?

First, do you see the WLAN ID and its VLAN ID when you open this tab?

MHM

Saikat Nandy
Cisco Employee

The VLAN hopping attack refers to the default VLAN, VLAN 1. Please have a look: https://learningnetwork.cisco.com/s/blogs/a0D3i000002SKPREA4/vlan1-and-vlan-hopping-attack

Now, what you said is correct. You have flex APs, and that is how the switchport config should be: the native VLAN is the one from which your APs get their IP address, and on the trunk you should allow the rest of the VLANs where client traffic should be. There is nothing wrong with this config.

But this way all the management traffic is in the native VLAN, which is not recommended by Cisco.

The recommendation is not to use VLAN 1, the default native VLAN. Please have a look at the link, which talks about how VLAN 1 is related to the VLAN hopping attack. In your case, your AP management native VLAN is 2.

The link says this: "Use a native VLAN on the trunk connection that is not used anywhere else on the switch."
But this VLAN is used for AP management. Shouldn't the AP management be in a tagged VLAN?

And an AI said this:

Using an active VLAN (like the AP management VLAN) as the native VLAN increases the risk of attacks. An attacker who manages to connect to the trunk port (even if unauthorized) can send untagged traffic and potentially access the native VLAN, which in your case is the AP's management VLAN.

Why Is This a Risk Now?

By configuring VLAN 2 as native on the switch and also including it in the trunk allowed VLAN list (for the AP to function), and knowing that VLAN 2 is used for AP management, you're exposing this management VLAN.

Risk Scenario:

  • An attacker gains physical access to the network and connects to a port configured as a trunk.

  • Even if the attacker doesn't know the allowed VLANs or doesn't have access to devices that generate tagged traffic, they can send untagged packets.

  • These untagged packets will be automatically associated with the native VLAN (VLAN 2) by the switch.

  • Since VLAN 2 carries the AP management traffic, the attacker can try to exploit vulnerabilities in that network segment to gain access to the AP, WLC, or other management devices.

OK, the AP is on a trunk with native VLAN 2; should VLAN 2 be in the trunk allowed list?

I asked before whether you run flex or local. I checked your reply: you use local, so VLAN mapping does not work for local.

Forget the security concern for a second: when you change the native VLAN to any VLAN other than VLAN 2, does the AP no longer connect to the WLC? Confirm that.

And yes, all VLANs, including the native VLAN, must be allowed on the trunk.

MHM

