RE: benefit of using Native vlan

From: anthony.sequeira@thomson.com
Date: Wed Jun 13 2007 - 13:46:57 ART


For a couple of examples on why the Native VLAN can be dangerous, check
out the Double-Encapsulated 802.1Q/Nested VLAN Attack section of the
following document:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

As far as setting the Native VLAN to an Inactive VLAN, I have not
verified, but I assume this effectively eliminates the Native VLAN
behavior. All traffic sent across the link will be tagged.

Some of Cisco's other security recommendations in this area include
creating a Management traffic VLAN other than VLAN 1, and placing all
ports in your network that you will not use into a VLAN other than VLAN
1.

So you notice - we really pick on the default VLAN of VLAN 1. It was the
default Native VLAN, and we eliminate that. We also remove ALL ports
from this VLAN.

Anthony J Sequeira
#15626
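As an added example (not from the thread or from Cisco), here is a small Python audit that reads an IOS-style running-config and flags the defaults that this message and the earlier reply below recommend moving away from: a trunk left on native VLAN 1 with no global "vlan dot1q tag native", a native VLAN that is also an access VLAN on some port, access ports still sitting in VLAN 1, and a management SVI on VLAN 1. The config text and interface names are constructed for the example; the script only parses text and never talks to a switch.

```python
import re
# Constructed sample running-config (not from the thread); Gi0/2 shows the corrected trunk.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/3
 switchport mode access
"""

def parse_interfaces(config):
    """Map each interface name to the text of its indented config lines."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current, ifaces[m.group(1)] = m.group(1), []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return {k: "\n".join(v) for k, v in ifaces.items()}

def vlan_of(text, pattern):  # IOS defaults both native and access VLAN to 1
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 1

def audit(config):
    """Return sorted (interface, finding) pairs for the thread's recommendations."""
    ifaces = parse_interfaces(config)
    tag_native = "vlan dot1q tag native" in config  # global: tag native VLAN frames too
    trunks = {n: vlan_of(t, r"switchport trunk native vlan (\d+)")
              for n, t in ifaces.items() if "switchport mode trunk" in t}
    access = {n: vlan_of(t, r"switchport access vlan (\d+)")
              for n, t in ifaces.items() if "switchport mode access" in t}
    findings = [(n, "access port in VLAN 1") for n, v in access.items() if v == 1]
    for name, vlan in trunks.items():
        if vlan == 1 and not tag_native:
            findings.append((name, "native VLAN left at default VLAN 1"))
        if vlan in access.values():
            findings.append((name, "native VLAN %d is also an access VLAN" % vlan))
    if "ip address" in ifaces.get("Vlan1", ""):
        findings.append(("Vlan1", "management SVI on VLAN 1"))
    return sorted(findings)
```

Running audit(SAMPLE_CONFIG) reports Gi0/1 twice (default native VLAN, and native VLAN shared with the access port), Gi0/3 and Vlan1, while Gi0/2 with its unused native VLAN 999 produces nothing.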

-----Original Message-----
From: Irfan Siddiqui [mailto:Irfan.Siddiqui@vanco.co.uk]
Sent: Wednesday, June 13, 2007 12:33 PM
To: Sequeira, Anthony (NETg); ccielab@groupstudy.com
Subject: RE: benefit of using Native vlan

You mention there are security issues in configuring a native vlan, what
are these??

Also if you configure a native vlan that doesn't actually exist in the
vlan database.. how does that work... does that mean untagged and
management traffic will just flow over a phantom vlan that doesn't
exist....

Please explain....

Would appreciate......

Irfan Siddiqui

V-SIP Changes Engineer

-----Original Message-----
From: anthony.sequeira@thomson.com [mailto:anthony.sequeira@thomson.com]
Sent: 13 June 2007 17:19
To: Irfan Siddiqui; ccielab@groupstudy.com
Subject: RE: benefit of using Native vlan

I believe the concept of the Native VLAN originally arose as a safety
mechanism for Management traffic. For example, if a trunk link loses its
trunk status, the link can still pass the Management traffic as it is
not tagged.

Because there are security issues that the Native VLAN can introduce,
Cisco currently recommends that in high security environments, the
Native VLAN be set to an Inactive VLAN. In other words, set it to a VLAN
that does NOT exist in your topology. The trunk link will still work
just fine, and when you check the trunk status it will show that the
Native VLAN is Inactive.

Keep in mind that in the Certification Lab, we need to do whatever they
instruct us to do. As many have pointed out here before, the Lab Exam is
not a Best Practice type of test. If in the lab, they never mention
Native VLAN at all, explicitly or implicitly, then I would just leave it
alone (default settings).

Anthony J Sequeira
#15626

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Irfan Siddiqui
Sent: Wednesday, June 13, 2007 11:13 AM
To: Cisco certification
Subject: benefit of using Native vlan

Wonder if someone can advise...

What is the benefit of using a native vlan on a trunk? If you don't
define a native vlan on a trunk, I believe it uses vlan 1 as the native
vlan to pass the untagged management traffic..

If you do define a native vlan, it will use that vlan to pass all the
untagged traffic... and you need to match it on both ends...

Also I believe there is a command to the effect that you can configure
native vlan to send tagged traffic as well.. dot1q tag native or
something....

But what is the benefit of configuring a native vlan vs. not
configuring one at all..

Does it have any other benefit, besides specifying what vlan to send
untagged traffic ?

Please help. Thanks in advance..




This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:49 ART