From: anthony.sequeira@thomson.com
Date: Wed Jun 13 2007 - 17:13:22 ART
Let me try and paraphrase and clarify for you:
Native VLAN started out as a good idea with good intentions...but now
since it can contribute to attacks and the loss of classification, it
should be viewed as bad!
You are correct - it does not spell out how to clear the Native VLAN -
but I think we both agree, go ahead and assign a VLAN that does not
exist in your topology.
If you cannot do that for some reason (I have yet to see a switch reject
the Inactive VLAN approach), then assign a VLAN that you are not using
for any other purpose. Since you are not using this Native VLAN for any
data traffic, it will at most carry passive internal management traffic
such as UDLD.
Please keep in mind that earlier in this thread when I spoke of
Management traffic - I was referring to your own management of the
switches. This would be using protocols like Telnet or SSH, SNMP, etc.
This traffic should be assigned a VLAN in your environment that you
define. In the past, admins used VLAN 1 for this which is no longer
recommended.
I sincerely hope I am helping you understand all of this and not further
confusing you!
Anthony J Sequeira
#15626
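The recommendations in this reply (native VLAN not 1 and not a data VLAN, management on a VLAN other than 1, no ports left in VLAN 1) and the `dot1q tag native` command mentioned in the original question are easy to audit against a saved running-config. The following checker is an added example written for this archive page, not code from the thread or from Cisco; the sample config it parses is constructed, the hostname, interface numbers and VLAN 999 "parking" VLAN are assumptions, and only the handful of IOS commands the audit needs are recognised.

```python
import re

# Constructed sample running-config (not from any real device).  VLAN 999 is
# deliberately absent from the VLAN database: that is the "inactive native
# VLAN" approach discussed in the thread.
SAMPLE_CONFIG = """\
hostname sw-edge-1
!
vlan 10
 name DATA
vlan 20
 name MGMT
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 10
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/5
 switchport mode access
"""


def parse_config(text):
    """Return VLAN database, the global 'vlan dot1q tag native' flag and the
    per-interface switchport settings found in an IOS-style config."""
    cfg = {"tag_native": False, "vlans": set(), "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Unindented line: a global command that starts a new context.
            current = None
            if line == "vlan dot1q tag native":
                cfg["tag_native"] = True
            elif m := re.match(r"^vlan (\d+)$", line):
                cfg["vlans"].add(int(m.group(1)))
            elif m := re.match(r"^interface (\S+)$", line):
                # IOS defaults: native VLAN 1, access VLAN 1.
                current = {"mode": None, "native": 1, "access": 1, "has_ip": False}
                cfg["interfaces"][m.group(1)] = current
            continue
        if current is None:
            continue  # sub-command of a context we do not model (e.g. 'name' under 'vlan 10')
        cmd = line.strip()
        if cmd == "switchport mode trunk":
            current["mode"] = "trunk"
        elif cmd == "switchport mode access":
            current["mode"] = "access"
        elif m := re.match(r"^switchport trunk native vlan (\d+)$", cmd):
            current["native"] = int(m.group(1))
        elif m := re.match(r"^switchport access vlan (\d+)$", cmd):
            current["access"] = int(m.group(1))
        elif cmd.startswith("ip address "):
            current["has_ip"] = True
    return cfg


def audit(cfg):
    """Return a sorted list of (interface, finding) tuples."""
    findings = []
    # VLANs that carry end-station traffic: whatever any access port sits in.
    data_vlans = {i["access"] for i in cfg["interfaces"].values() if i["mode"] == "access"}
    # With 'vlan dot1q tag native' the switch tags native-VLAN frames as well,
    # which the Cisco paper quoted in the thread treats as equivalent to clearing
    # the native VLAN; the findings are kept but annotated.
    note = " (vlan dot1q tag native is set, so native-VLAN frames leave tagged)" if cfg["tag_native"] else ""
    for name, i in cfg["interfaces"].items():
        if name.lower() == "vlan1" and i["has_ip"]:
            findings.append((name, "management SVI lives in VLAN 1; use a dedicated management VLAN"))
        if i["mode"] == "trunk":
            if i["native"] == 1:
                findings.append((name, "trunk uses default native VLAN 1" + note))
            elif i["native"] in data_vlans:
                findings.append((name, f"native VLAN {i['native']} is also a data VLAN" + note))
        elif i["mode"] == "access" and i["access"] == 1:
            findings.append((name, "access port left in VLAN 1"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{iface}: {msg}")
```

On the sample, Gi0/1 passes (native VLAN 999 carries no data), while Gi0/2 (default native VLAN 1), Gi0/3 (native VLAN shared with the access ports in VLAN 10), Gi0/5 (access port still in VLAN 1) and the VLAN 1 SVI are reported. The check relies only on the config text, so pair it with `show interfaces trunk` on the live switch, which lists the native VLAN per trunk.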
________________________________
From: Irfan Siddiqui [mailto:Irfan.Siddiqui@vanco.co.uk]
Sent: Wednesday, June 13, 2007 2:10 PM
To: Sequeira, Anthony (NETg); ccielab@groupstudy.com
Subject: RE: benefit of using Native vlan
The Cisco document is crap when it comes to explaining this... and
contradicts itself.
First it says:
On the other hand, the IEEE committee that defined 802.1Q decided that
because of backward compatibility it was desirable to support the
so-called native VLAN, that is to say, a VLAN that is not associated
explicitly to any tag on an 802.1Q link. This VLAN is implicitly used
for all the untagged traffic received on an 802.1Q capable port.
This capability is desirable because it allows 802.1Q capable ports to
talk to old 802.3 ports directly by sending and receiving untagged
traffic. However, in all other cases, it may be very detrimental because
packets associated with the native VLAN lose their tags, for example,
their identity enforcement, as well as their Class of Service (802.1p
bits) when transmitted over an 802.1Q link. (so it is desirable but then
NOT so desirable !!)
For these sole reasons, loss of means of identification and loss of
classification, the use of the native VLAN should be avoided. There is a
more subtle reason, though.
Then it says:
.........As a matter of fact, the proper configuration that should
always be used is to clear the native VLAN from all 802.1Q trunks
(alternatively, setting them to 802.1q-all-tagged mode achieves the
exact same result). In cases where the native VLAN cannot be cleared,
then always pick an unused VLAN as native VLAN of all the trunks; don't
use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD
(check out [3]) should be the only rightful users of the native VLAN and
their traffic should be completely isolated from any data packets.
So if you clear the native vlan (which it doesn't explain how to do,
because the default native vlan would always be 1 anyway) or use
"802.1q-all-tagged", how does this separate the management traffic
(protocols like STP, DTP, and UDLD) from the data traffic? Does it tag
all management traffic with some special tag of its own (which Cisco
has not documented anywhere), which separates it from other vlan tags?
There still seems to be no clear answer to this...
Irfan Siddiqui
V-SIP Changes Engineer
Vanco UK Limited, a Vanco plc Group Company
Units 1 and 2, Great West Plaza, Riverbank Way
Brentford, Middlesex, TW8 9RE
T +44 (0) 20 8636 1700
F +44 (0) 20 8636 1701
Vanco is the world's first Virtual Network Operator (VNO). Available in
230 countries and territories, clients can achieve maximum network
choice and flexibility, lowest lifetime cost, and a dedicated focus on
service excellence. To find out more please visit our website
http://www.vanco.info
Vanco.
Ultimate Network Freedom
-----Original Message-----
From: anthony.sequeira@thomson.com [mailto:anthony.sequeira@thomson.com]
Sent: 13 June 2007 17:47
To: Irfan Siddiqui; ccielab@groupstudy.com
Subject: RE: benefit of using Native vlan
For a couple of examples on why the Native VLAN can be dangerous, check
out the Double-Encapsulated 802.1Q/Nested VLAN Attack section of the
following document:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
As far as setting the Native VLAN to an Inactive VLAN, I have not
verified, but I assume this effectively eliminates the Native VLAN
behavior. All traffic sent across the link will be tagged.
Some of Cisco's other security recommendations in this area include
creating a Management traffic VLAN other than VLAN 1, and placing all
ports in your network that you will not use into a VLAN other than VLAN
1.
So you notice - we really pick on the default VLAN of VLAN 1. It was the
default Native VLAN, and we eliminate that. We also remove ALL ports
from this VLAN.
Anthony J Sequeira
#15626
-----Original Message-----
From: Irfan Siddiqui [mailto:Irfan.Siddiqui@vanco.co.uk]
Sent: Wednesday, June 13, 2007 12:33 PM
To: Sequeira, Anthony (NETg); ccielab@groupstudy.com
Subject: RE: benefit of using Native vlan
You mention there are security issues in configuring a native vlan; what
are these?
Also, if you configure a native vlan that doesn't actually exist in the
vlan database, how does that work? Does that mean untagged and
management traffic will just flow over a phantom vlan that doesn't
exist?
Please explain.
Would appreciate it.
Irfan Siddiqui
V-SIP Changes Engineer
Vanco UK Limited, a Vanco plc Group Company
Units 1 and 2, Great West Plaza, Riverbank Way
Brentford, Middlesex, TW8 9RE
T +44 (0) 20 8636 1700
F +44 (0) 20 8636 1701
-----Original Message-----
From: anthony.sequeira@thomson.com [mailto:anthony.sequeira@thomson.com]
Sent: 13 June 2007 17:19
To: Irfan Siddiqui; ccielab@groupstudy.com
Subject: RE: benefit of using Native vlan
I believe the concept of the Native VLAN originally arose as a safety
mechanism for Management traffic. For example, if a trunk link loses its
trunk status, the link can still pass the Management traffic as it is
not tagged.
Because there are security issues that the Native VLAN can introduce,
Cisco currently recommends that in high security environments, the
Native VLAN be set to an Inactive VLAN. In other words, set it to a VLAN
that does NOT exist in your topology. The trunk link will still work
just fine, and when you check the trunk status it will show that the
Native VLAN is Inactive.
Keep in mind that in the Certification Lab, we need to do whatever they
instruct us to do. As many have pointed out here before, the Lab Exam is
not a Best Practice type of test. If in the lab, they never mention
Native VLAN at all, explicitly or implicitly, then I would just leave it
alone (default settings).
Anthony J Sequeira
#15626
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Irfan Siddiqui
Sent: Wednesday, June 13, 2007 11:13 AM
To: Cisco certification
Subject: benefit of using Native vlan
Wonder if someone can advise...
What is the benefit of using a native vlan on a trunk? If you don't
define a native vlan on a trunk, I believe it uses vlan 1 as the native
vlan to pass the untagged management traffic.
If you do define a native vlan, it will use that vlan to pass all the
untagged traffic, and you need to match it on both ends.
Also, I believe there is a command to the effect that you can configure
the native vlan to send tagged traffic as well: dot1q tag native or
something.
But what is the benefit of configuring a native vlan vs. not
configuring one at all?
Does it have any other benefit, besides specifying what vlan to send
untagged traffic on?
Please help. Thanks in advance..
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:49 ART