I’m trying to figure out what native vlan should be on my trunked ports.<\/p>\n
For example: On a Cisco firewall if I have a port that is trunked for vlans 10,11,12 and that port is connected to a switch. I understand that for any non tagged traffic (traffic not from vlans 10.,11,.12) will go through the native vlan.<\/p>\n
But what should I make the native vlan? Should I make it the same as one of the vlans being trunked, or create a new vlan, say vlan 13, and use that as the native vlan on the ASA trunked port?<\/p>\n
interface Ethernet0/1<\/p>\n
switchport trunk allowed vlan 10,11,12<\/p>\n
switchport trunk native vlan 10<\/p>\n
switchport mode trunk<\/p>","upvoteCount":3,"answerCount":8,"datePublished":"2016-05-18T16:42:27.000Z","author":{"@type":"Person","name":"hamiltonrice4995","url":"https://community.spiceworks.com/u/hamiltonrice4995"},"acceptedAnswer":{"@type":"Answer","text":"\n\n
<\/div>\n
tolinrome:<\/div>\n
\nWhat if i dont even trunk native vlan traffic? Pro s cons? Since untagged traffic will go on the native vlan, what traffic might that be…non data traffic such as cdp, etc?<\/p>\n<\/blockquote>\n<\/aside>\n
As an attacker will know the all untagged traffic will go over VLAN 1, lateral movement around a system is easier.
If you have additional links, these trunks will have different VLANs (only on them) and this make VLAN hopping a hell of a lot harder. It’s also sensible to only allow what VLANs that are needed down the trunk.<\/p>","upvoteCount":0,"datePublished":"2016-05-18T19:03:55.000Z","url":"https://community.spiceworks.com/t/native-vlan-on-a-trunk/497468/7","author":{"@type":"Person","name":"brianwhelton","url":"https://community.spiceworks.com/u/brianwhelton"}},"suggestedAnswer":[{"@type":"Answer","text":"
I’m trying to figure out what native vlan should be on my trunked ports.<\/p>\n
For example: On a Cisco firewall if I have a port that is trunked for vlans 10,11,12 and that port is connected to a switch. I understand that for any non tagged traffic (traffic not from vlans 10.,11,.12) will go through the native vlan.<\/p>\n
But what should I make the native vlan? Should I make it the same as one of the vlans being trunked, or create a new vlan, say vlan 13, and use that as the native vlan on the ASA trunked port?<\/p>\n
interface Ethernet0/1<\/p>\n
switchport trunk allowed vlan 10,11,12<\/p>\n
switchport trunk native vlan 10<\/p>\n
switchport mode trunk<\/p>","upvoteCount":3,"datePublished":"2016-05-18T16:42:27.000Z","url":"https://community.spiceworks.com/t/native-vlan-on-a-trunk/497468/1","author":{"@type":"Person","name":"hamiltonrice4995","url":"https://community.spiceworks.com/u/hamiltonrice4995"}},{"@type":"Answer","text":"
Anything but vlan 1 is fine.<\/p>","upvoteCount":0,"datePublished":"2016-05-18T16:57:11.000Z","url":"https://community.spiceworks.com/t/native-vlan-on-a-trunk/497468/2","author":{"@type":"Person","name":"theciscoguy","url":"https://community.spiceworks.com/u/theciscoguy"}},{"@type":"Answer","text":"
The native VLAN should also be distinct from all user VLANs. Be sure it is the same on both ends of the trunk link.<\/p>","upvoteCount":0,"datePublished":"2016-05-18T17:00:16.000Z","url":"https://community.spiceworks.com/t/native-vlan-on-a-trunk/497468/3","author":{"@type":"Person","name":"theciscoguy","url":"https://community.spiceworks.com/u/theciscoguy"}},{"@type":"Answer","text":"
You can’t have traffic that is tagged and traffic that is untagged on the same vlan on the same port. So, you’d have to choose a vlan that is different than your tagged vlans.<\/p>","upvoteCount":0,"datePublished":"2016-05-18T17:09:13.000Z","url":"https://community.spiceworks.com/t/native-vlan-on-a-trunk/497468/4","author":{"@type":"Person","name":"Robert5205","url":"https://community.spiceworks.com/u/Robert5205"}},{"@type":"Answer","text":"
What if i dont even trunk native vlan traffic? Pro s cons? Since untagged traffic will go on the native vlan, what traffic might that be…non data traffic such as cdp, etc?<\/p>","upvoteCount":0,"datePublished":"2016-05-18T17:42:05.000Z","url":"https://community.spiceworks.com/t/native-vlan-on-a-trunk/497468/5","author":{"@type":"Person","name":"hamiltonrice4995","url":"https://community.spiceworks.com/u/hamiltonrice4995"}},{"@type":"Answer","text":"
How many trunks do you have?
So I will create vlan 50 say for native vlan traffic and put that on the trunk.<\/p>","upvoteCount":1,"datePublished":"2016-05-18T19:24:10.000Z","url":"https://community.spiceworks.com/t/native-vlan-on-a-trunk/497468/8","author":{"@type":"Person","name":"hamiltonrice4995","url":"https://community.spiceworks.com/u/hamiltonrice4995"}}]}}
I’m trying to figure out what native vlan should be on my trunked ports.
For example: On a Cisco firewall if I have a port that is trunked for vlans 10,11,12 and that port is connected to a switch. I understand that for any non tagged traffic (traffic not from vlans 10.,11,.12) will go through the native vlan.
But what should I make the native vlan? Should I make it the same as one of the vlans being trunked, or create a new vlan, say vlan 13, and use that as the native vlan on the ASA trunked port?
interface Ethernet0/1
switchport trunk allowed vlan 10,11,12
switchport trunk native vlan 10
switchport mode trunk
3 Spice ups
Anything but vlan 1 is fine.
The native VLAN should also be distinct from all user VLANs. Be sure it is the same on both ends of the trunk link.
You can’t have traffic that is tagged and traffic that is untagged on the same vlan on the same port. So, you’d have to choose a vlan that is different than your tagged vlans.
What if i dont even trunk native vlan traffic? Pro s cons? Since untagged traffic will go on the native vlan, what traffic might that be…non data traffic such as cdp, etc?
How many trunks do you have?
As an attacker will know the all untagged traffic will go over VLAN 1, lateral movement around a system is easier.
If you have additional links, these trunks will have different VLANs (only on them) and this make VLAN hopping a hell of a lot harder. It’s also sensible to only allow what VLANs that are needed down the trunk.
So I will create vlan 50 say for native vlan traffic and put that on the trunk.
1 Spice up
