INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

Native VLAN

Native VLAN

(OP)
Guys

My proposed VLAN is below

1 Disable
2 User VLAN
3 Voice VLAN
30 Factory VLAN
60 Management VLAN

In this scenario which should be the native VLAN on the switches ? I am guessing 2 (as it my main vlan) as if devices are behind hubs this is where untagged traffic gets sent ?

RE: Native VLAN

depends...
if you want security - native vlan should be a black hole that is not used in any of your actual work...
actually that is it.. I dont see a benefit to be honest on having one of your 'production' vlans as a native one.. it takes less time to type 'swit tru all vlan add xxx' since you are already adding SOME vlans to the trunk anyways..

your users do not have to trunk up..im assuming they are using PC/workstations.. so they will always be an access port.
the trunks carrying data can tag and untag all your vlans so there is no need to have a 'production' vlan as a native one.

having your native be a vlan you dont use stops some attacks such as double tagging vlan hopping...
http://www.ciscopress.com/articles/article.asp?p=2...


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Native VLAN

So, ...
99 BlackHole VLAN
And apply it as the Native VLAN on all dot1q links.

RE: Native VLAN

Cisco design best practises say each 802.1q trunk should have its own unique native VLAN - so switch 1 to switch 2 trunk will use 3000, switch 1 to switch 3 will use 3001 etc. You should also only allow the required VLANs on each trunk and exclude all others - even the native VLAN -

CODE

interface GigabitEthernet0/23
 switchport access vlan 3999
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3999
 switchport trunk allowed vlan 300,305,310
 switchport mode trunk
 switchport nonegotiate 

Andy

RE: Native VLAN

I just, normally, set the most utilised VLAN as the Native

RE: Native VLAN

Depends how paranoid you are. It's all about covering your butt.
Personally, my thinking is that for only a very slight bit of extra work you can follow ADB100's suggestion and later on down the track anybody else looking at your configurations will see you've done a professional job, and nobody's going to badmouth you if some sort of VLAN-hopping security incident takes place.

RE: Native VLAN

yes Vince ... what ADB100 said..

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close