
3750 Switchport configuration 1

Status
Not open for further replies.

wabob (IS-IT--Management; joined Sep 21, 2004; 128 messages; location: US)
I did a show run on a 3750 and on one interface it shows this:

interface FastEthernet 1/0/24
switchport access vlan 5
switchport trunk encapsulation dot1q
switchport mode trunk

If this switchport is configured as a trunk, does "switchport access vlan 5" mean anything?

Should it be changed to "switchport access vlan 1"?
 
No it doesn't mean anything currently, but if you change the mode of the port back to an access port or dynamic and it doesn't negotiate to be a trunk then it will become an access port in VLAN 5.

What I generally do is set the Native and Access VLANs to be the same on trunk interfaces - I realise only one setting is relevant at any one time (trunk or access) but to keep things consistent this is what I do.

I notice you haven't set a unique Native VLAN and so VLAN 1 will be used - I assume you are aware of the security issues here?

Andy
 
I know in 802.1q VLAN 1 is the Native VLAN by default.

What I'm hearing is that if I change the switchport access to VLAN 1, then it really shouldn't affect anything unless the switchport is no longer a trunk.

Can you elaborate on the "security issues"?

Are there advantages to a unique Native VLAN rather than using the default VLAN 1?
 
If you read the Cisco best practices it is recommended to use unique Native VLANs for each Trunk. For example Distribution switch #1 has 10 trunks to access switches, trunk 1 will carry data vlan 10, and voice vlan 110, the Native vlan will be 1010, trunk #2 will carry data vlan #11, voice vlan 111 and Native vlan 1011 etc. The Native VLANs should NOT be configured with any Layer-3 interfaces, neither should they be allowed on the trunk itself, they do however need to exist at layer-2; i.e.:

vlan 10
vlan 110
vlan 1010
!
interface GigabitEthernet3/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 1010
 switchport trunk allowed vlan 10,110
!

The security issue is the ability to hop between vlans with specifically crafted packets. Quote from CCO:

"When double-encapsulated 802.1Q packets are injected into the network from a device whose VLAN happens to be the native VLAN of a trunk, the VLAN identification of those packets cannot be preserved from end to end since the 802.1Q trunk would always modify the packets by stripping their outer tag. After the external tag is removed, the internal tag permanently becomes the packet's only VLAN identifier. Therefore, by double-encapsulating packets with two different tags, traffic can be made to hop across VLANs."


This is quite well documented and has been exposed although not exploited very much.

HTH

Andy
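As an added example (not part of the original thread or of any Cisco tool), the script below audits a Cisco IOS running-config for the trunk conditions Andy describes: a trunk left on the default native VLAN 1, a native VLAN that is also allowed on the trunk, a native VLAN that does not exist at layer 2, an access VLAN that differs from the native VLAN, and DTP left enabled. It also inspects an Ethernet frame for stacked 802.1Q tags and reports whether the outer tag equals a trunk's native VLAN, which is the condition in the quoted CCO text under which the trunk strips the outer tag and the inner tag becomes the frame's only VLAN ID. The running-config and the frame bytes are constructed for illustration; the `allowed vlan` parser handles plain lists and ranges only, not the `add`/`except` forms.

```python
"""Audit an IOS running-config for native-VLAN trunk issues and detect
stacked 802.1Q tags on a frame.  Constructed example; SAMPLE_CONFIG and
SAMPLE_FRAME are made up and stand in for a real 'show run' and capture."""
import re
import struct


def expand_vlan_list(text):
    """'10,110,200-202' -> {10, 110, 200, 201, 202}; 'all' -> None."""
    if text.strip() == "all":
        return None
    result = set()
    for part in text.split(","):
        if "-" in part:
            lo, hi = map(int, part.split("-"))
            result.update(range(lo, hi + 1))
        elif part.strip():
            result.add(int(part))
    return result


def parse_interfaces(config):
    """Return {interface name: [indented sub-lines]} for each interface block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif not line.startswith(" "):
            current = None  # any top-level line ('!', 'vlan 10', ...) ends the block
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def defined_vlans(config):
    """VLANs created at layer 2 with top-level 'vlan N' statements."""
    vlans = {1}  # VLAN 1 always exists
    for m in re.finditer(r"^vlan ([\d,\-]+)", config, re.M):
        vlans |= expand_vlan_list(m.group(1))
    return vlans


def audit_trunks(config):
    """Return a list of (interface, finding) for every 'switchport mode trunk' port."""
    findings = []
    l2_vlans = defined_vlans(config)
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        native, access, allowed = 1, 1, None  # 802.1Q defaults: native 1, all VLANs allowed
        for line in lines:
            if m := re.match(r"switchport trunk native vlan (\d+)", line):
                native = int(m.group(1))
            elif m := re.match(r"switchport access vlan (\d+)", line):
                access = int(m.group(1))
            elif m := re.match(r"switchport trunk allowed vlan (\S+)", line):
                allowed = expand_vlan_list(m.group(1))
        if native == 1:
            findings.append((name, "native VLAN is the default (1)"))
        if allowed is None:
            findings.append((name, "all VLANs allowed on trunk"))
        elif native in allowed:
            findings.append((name, f"native VLAN {native} is allowed on the trunk"))
        if native not in l2_vlans:
            findings.append((name, f"native VLAN {native} not defined at layer 2"))
        if access != native:
            findings.append((name, f"access VLAN {access} differs from native VLAN {native}"))
        if "switchport nonegotiate" not in lines:
            findings.append((name, "DTP still enabled (no 'switchport nonegotiate')"))
    return findings


def vlan_tags(frame):
    """VLAN IDs of the 802.1Q/802.1ad tags stacked on a frame, outermost first."""
    tags, offset = [], 12  # skip destination and source MAC
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid not in (0x8100, 0x88A8):
            break
        tags.append(tci & 0x0FFF)
        offset += 4
    return tags


def would_hop(frame, trunk_native):
    """True when a double-tagged frame's outer tag is the trunk's native VLAN:
    the trunk strips the outer tag and the inner tag becomes the only VLAN ID."""
    tags = vlan_tags(frame)
    return len(tags) >= 2 and tags[0] == trunk_native


SAMPLE_CONFIG = """\
vlan 10
vlan 110
vlan 1010
!
interface FastEthernet1/0/24
 switchport access vlan 5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 1010
 switchport access vlan 1010
 switchport trunk allowed vlan 10,110
!
"""

# Constructed frame: broadcast dst, made-up src, outer tag VLAN 1, inner tag VLAN 20, IPv4 payload
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("021122334455")
                + struct.pack("!HH", 0x8100, 0x0001)
                + struct.pack("!HH", 0x8100, 0x0014)
                + struct.pack("!H", 0x0800) + b"\x00" * 46)

if __name__ == "__main__":
    for iface, finding in audit_trunks(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
    print("tags:", vlan_tags(SAMPLE_FRAME), "hops on native-1 trunk:", would_hop(SAMPLE_FRAME, 1))
```

Run against the constructed config, the audit flags only FastEthernet1/0/24 (the port from the question): default native VLAN, all VLANs allowed, access VLAN 5 not matching the native VLAN, and DTP not disabled. GigabitEthernet3/1, configured the way Andy recommends, produces no findings, and the sample frame is reported as hopping only on a trunk whose native VLAN is 1.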
 