cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2323
Views
0
Helpful
7
Replies

Cisco Small Business Equipment VLAN Security Question

mschubert1990
Level 1
Level 1

Hi, I have an RV220W router and a SG200-18 switch. I'm trying to configure my network to be as secure as possible...

The RV220W has the following VLAN configuration:

Port 1: Manage, DMZ, Business, Test, Diag, Home, and Nowhere (untagged)

Port 2-4: Unused (untagged) and DISABLED

All ports have been excluded from the default VLAN

The SG200-18 has the following VLAN configuration:

Port 1 (Trunk): Manage, DMZ, Business, Test, Diag, Home, and Nowhere (untagged)

Port 2-17 (Access): Unused (untagged) and DISABLED

Port 18 (Access): Manage (untagged) *being used to configure and manage the switch and router from a pc

All ports have been excluded from the default VLAN

I've set this up following the guidelines in the Cisco security best practices: http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf

My questions regards hardening my network from Double-Encapsulated 802.1Q/Nested VLAN Attack. The whitepaper suggests disabling the Native/untagged VLAN from all trunk ports... Unfortunately the RV220W seems to require an untagged VLAN on every port (won't allow me to only have tagged vlans)... Can anyone suggest a more secure configuration given what I'm working with?

Thank you!

P.S. the switch allows me to configure a port in "General" mode where I can configure the Frame Type to "Admit Tagged Only" to only allow tagged traffic... I'm not sure if this would increase security??

1 Accepted Solution

Accepted Solutions

In terms of the vlan tag/untag yes. You have to accomodate the limitation of the router.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

View solution in original post

7 Replies 7

jeffrrod
Level 4
Level 4

Dear Marc,

Thank you for reaching the Small Business Support Community.

I see no better way to prevent this Double-Encapsulated 802.1Q/Nested VLAN Attack on the SG200 than excluding ports from native VLAN, which you already did, and changing the default VLAN to something else but VLAN ID 1. The "admit tagged only" feature definitely increase your security.

I hope this answers your question and please do not hesitate to reach me back if there is anything I may assist you with.

Kind regards,

 

Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer

*Please rate the Post so other will know when an answer has been found.

Jeffrey Rodriguez S. .:|:.:|:. Cisco Customer Support Engineer *Please rate the Post so other will know when an answer has been found.

Hi Marc, on the RV220W you should be able to tag the vlan as you like from the drop down options.

So you should be able to tag the default/native vlan on the sg200 while running a tag packet on the router as well.

To add a new VLAN, click

Add Row

. Then enter these settings:

-

VLAN ID—

Enter a numerical VLAN ID that

will be assigned to endpoints

in the VLAN membership. The VLAN ID can range from 2 to 4094. VLAN

ID 1 is reserved for the default VLAN, which is used for untagged frames

received on the interface, and VLAN ID 4092 is reserved and cannot be

used. After a new VLAN entry is saved, the VLAN ID cannot be changed.

-

Description—

Enter a short description to identify this VLAN.

-

Inter VLAN Routing—

Check the box to enable routing between this and

other VLANS, or uncheck the box to disable this feature.

-

Device Management—

Check the box to enable this feature, or uncheck

the box to disable it. This setting determines whether or not clients can

access the Cisco RV220W Configuration Utility on this VLAN. To prevent

access to this utility from this VLAN, disable this feature.

-

Port 1-4—

For each of the ports, choose one of the following options:

-

Tagged

—Used when connecting to switches carrying multiple VLANs.

-

Untagged

—Access ports connecting to end devices like printers and

workstations.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hi Jeff,

Thanks for getting back to me. I'm a little confused by your response... Did you mean 'excluding ports from the DEFAULT VLAN' and 'changing the NATIVE VLAN to something else'???

As well, can you explain how the "admit tagged only" feature would increase security.

Thank you.

Hi Tom,

Thank you for getting back to me on this.

I tried exactly what you suggested during the initial router configuration and the RV220W wouldn't allow me to not have an untagged VLAN on any port... When I select the native vlan for port 1 (connected to switch), which I've named: Nowhere, and select tagged and click save, it loads for a while and then says in red that there must be one untagged vlan on each port, or something like that... That's why I posted this question. I believe it is possible to set all VLANs to tagged on the switch, but I didn't try because the security best practices whitepaper said:

     "In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native

VLAN of all the trunks; don’t use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD (check out

[3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any

data packets."

Thank you.

P.S. I'm running the latest firmware on both the router and switch. Another issue I found with the VLAN setup on the router is that I can't disable "Device Administration" on any of the VLANs. If I uncheck that option and choose save, it saves it, but then after a reboot the option is checked and enabled again... Not sure why there's an option to configure it if it can't be controlled.

Hi Marc, I'd agree it should... If the router has this limitation then you'd need to move everything off the untagged vlan. So you could technically use vlan 1 native as the untagged between devices and all else on the different vlans.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

As I have it now, the default VLAN "Default" has been excluded from all ports (on both router and switch) and I have an empty VLAN called "Nowhere" set as the untagged/native VLAN for the ports that connect the router and switch (trunk). So this is the best I can do in terms of security?

Thank you

In terms of the vlan tag/untag yes. You have to accomodate the limitation of the router.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Switch products supported in this community
Cisco Business Product Family
  • CBS110
  • CBS220
  • CBS250
  • CBS350
Cisco Switching Product Family
  • 110
  • 200
  • 220
  • 250
  • 300
  • 350
  • 350X
  • 550X