Question about default native vlan for those who manages large Cisco network

azev

Well-Known Member
Jan 18, 2013
Cisco recommends changing the native VLAN from the default of VLAN 1 to another VLAN as a best security practice in their documentation. Does anyone know why?

If VLAN 1 is not being used to pass user/data traffic and is only used to pass the "control traffic" (only CDP in my case), what kind of security vulnerability does this setup pose?
 
Last edited:

Terry Kennedy

Well-Known Member
Jun 25, 2015
New York City
www.glaver.org
Cisco recommends changing the native VLAN from the default of VLAN 1 to another VLAN as a best security practice in their documentation. Does anyone know why?

If VLAN 1 is not being used to pass user/data traffic and is only used to pass the "control traffic" (only CDP in my case), what kind of security vulnerability does this setup pose?
We don't enable native VLAN on our network. [Native VLAN simply assigns a VLAN ID to untagged packets received on a port - without native VLAN those packets are discarded.] We also set all unused ports to a "sink" VLAN which is never expected to have actual traffic and which isn't routed anywhere.

If you have other equipment that assumes untagged packets are VLAN 1 (always-enabled native VLAN) then any untagged packets entering on that equipment will have full access to whatever other stuff exists on VLAN 1.
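As an added illustration of the two points raised in this thread (move the native VLAN off VLAN 1 so untagged frames cannot land in it, and park unused ports in a sink VLAN), here is a constructed Cisco IOS configuration fragment. It is not Terry's or Cisco's configuration; the VLAN IDs 998/999, the port numbers and the allowed-VLAN list are assumptions chosen for the example.

```text
! Constructed example, not from this thread.
! VLAN 999 = unused native VLAN, VLAN 998 = "sink" VLAN for unused ports (both assumed).

! --- Before: default trunk ---
! Native VLAN is 1 by default, so any untagged frame arriving on this trunk
! is placed in VLAN 1, the same VLAN the switch uses for control traffic.
interface GigabitEthernet1/0/1
 switchport mode trunk

! --- After: native VLAN moved off VLAN 1, unused ports sunk ---
vlan 998
 name UNUSED-SINK
vlan 999
 name NATIVE-UNUSED

! Global: tag frames on the native VLAN as well (supported on many Catalyst
! platforms), so untagged frames are not mapped into any VLAN at all.
vlan dot1q tag native

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q   ! only needed on platforms that also support ISL
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30  ! VLAN 1 deliberately not in the list
 switchport nonegotiate                  ! no DTP, trunk state is fixed

! Unused access ports: no trunk negotiation, sink VLAN, administratively down
interface range GigabitEthernet1/0/40 - 48
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
 shutdown

! Verification
show interfaces trunk      ! confirm native VLAN 999 and the allowed list
show vlan brief            ! confirm no live ports remain in VLAN 1
```

The two checks at the end are what you would look at after the change: `show interfaces trunk` shows the native VLAN per trunk, and `show vlan brief` lists which ports still sit in VLAN 1.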