Hello,

I’m trying to understand native VLAN trunking better. Maybe someone can please help explain? I understand trunking and VLANs, and I know that on the trunked port I can allow whatever VLANs I want to, and I know that the native VLAN carries non-tagged frames.

So for example, if I have, say, 3 VLANs and a native VLAN:

vlan 10, vlan 20, vlan 30 and I have the command on the trunked port “switchport trunk allowed vlan 10,20,30”

So all those VLANs will pass on the trunk, correct? And native VLAN 1 will pass all the telnet, CDP traffic etc., correct?

Also how do I change the native vlan?

Thanks.


I believe you will also have to add the native vlan to the allowed vlans list.

To change the native vlan it is

conf t

Interface (interface number)

switchport trunk native vlan (vlan #)

Edit: fat fingered an extra word in there

Not quite.

Switch(config-if)#switchport mode trunk (creates a static trunk)
Switch(config-if)#switchport trunk native vlan x

The Native VLAN does need to be added to the vlan allowed list.

When a VLAN other than 1 is used as the Native VLAN then VLAN 1 traffic will attract a DOT1Q tag.

Don’t configure a native VLAN unless you have to. You’re increasing your attack surface with the potential of VLAN hopping (Dot1q hopping, some call it).

http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/

Edit: Spelling

Native VLAN config or not, the risk is still the same. It requires the attacker to have physical access to the network. There SHOULD be several layers of defence here.

1. Building security should not let unauthorised people into the building. Of course a disgruntled employee might be attacking the network so…

2. Make sure any unused interfaces are configured for an unused VLAN which is pruned at EVERY trunk interface. The interfaces should also be shut down.

Again the disgruntled employee may use his own interface or the attacker may use a known working interface by sitting at the desk of an employee and plugging in. In either case mitigating this attack can be very difficult.

Obviously, create the VLAN to be used as well!
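A defender-side check for the points raised in this thread, added here as an example and not something any of the participants posted: a small Python script that audits an IOS-style running-config for trunks still on native VLAN 1, trunks whose native VLAN is missing from the allowed list, and non-trunk ports left up. The sample config, interface names and VLAN numbers are constructed for the example.

```python
import re

# Constructed sample running-config (not from the thread): a trunk left on default native VLAN 1, a hardened trunk, an unused port left up.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,999
interface GigabitEthernet0/3
 switchport mode access
"""

def parse_interfaces(config):
    """Map each interface name to its list of indented configuration lines."""
    blocks = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in blocks}

def expand_vlans(spec):
    """Expand an IOS allowed-list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return one finding per interface that fails the native-VLAN / unused-port checks."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        native, allowed = 1, None  # IOS defaults: native VLAN 1, all VLANs allowed
        for l in lines:
            if l.startswith("switchport trunk native vlan "):
                native = int(l.split()[-1])
            elif l.startswith("switchport trunk allowed vlan "):
                allowed = expand_vlans(l.split()[-1])
        if "switchport mode trunk" in lines:
            if native == 1:
                findings.append(f"{name}: native VLAN is 1 (default); use an unused VLAN")
            if allowed is not None and native not in allowed:
                findings.append(f"{name}: native VLAN {native} missing from allowed list")
        elif "shutdown" not in lines:
            findings.append(f"{name}: non-trunk port is not shut down")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Feed it the output of `show running-config` to get the same three classes of finding on a real switch; an interface with no explicit allowed list is skipped for the allowed-list check because IOS then permits all VLANs.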