?
Solved

Changing Native Vlan in Cisco Switch

Posted on 2014-11-25
12
Medium Priority
?
584 Views
Last Modified: 2014-12-06
If I understand ,Cisco Switches have VLAN 1 as the default native Vlan.
Many resources say that leaving Native VLAN to VLAN 1, can be security breach.
1- Can someone explain why leaving VLAN 1 can be security breach  ?
2- If I need to change Native VLAN 1 to VLAN 777, I believe this is done at the Interface Level. Does that mean I need to go to each switch and change the interfaces that are in VLAN1 to VLAN 777 ?
3- if some switches Native VLAN is VLAN1 and some is VLAN 777, does that mean traffic coming from those Native Vlans will be forwarding to all ports on the switch...
in other words if a PC is connected to Native Vlan , will be able to ping another PC which is connected to VLAN 33 and the other way around is also True?

Thank you
0
Comment
Question by:jskfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
12 Comments
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 2000 total points
ID: 40465073
1) There is some management traffic that is carried by VLAN1 (DTP, VTP, CDP, etc.). Given the right circumstances, it is possible for a knowledgeable, hacker type person to get traffic onto the native VLAN of a trunk.  If the native VLAN is left to the default of VLAN 1, they could affect the traffic on that VLAN.  That's why it's recommended to change the native VLAN to something other than 1.  Preferably to a VLAN which is not used for anything else.
2) Correct. You have to go to every trunking interface on every switch to change the native VLAN.
3) Not sure that I'm following your scenario. All the native VLAN means is that is it not tagged. All other rules still apply.  Which means if you're connected to an access port in VLAN 8, you will only be able to communicate with other devices in VLAN 8.
0
 

Author Comment

by:jskfan
ID: 40465138
vlan
in the topology above, R1 e2/2 IP =1.1.1.1/24 and R2 e2/2 IP=1.1.1.2/24
both interfaces can ping each other.
I changed Native Vlan for Switch2  e2/2:
interface Ethernet2/2
 switchport trunk native vlan 777

Still both interfaces on R1 and R2 can ping each other. However when I run : Show Vlan Brief, it still shows e2/2 on SW2 in VLAN1 and native VLAN 777, does not show up:
SW2#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/1, Et0/2, Et0/3, Et1/0
                                                Et1/2, Et1/3, Et2/0, Et2/1
                                                Et2/2, Et2/3, Et3/0, Et3/1
                                                Et3/2, Et3/3
55   VLAN0055                         active    
66   VLAN0066                         active    
77   VLAN0077                         active    
88   VLAN0088                         active    
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
SW2#
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40465146
The native VLAN is only a factor on trunks.

E2/2 is not a trunk. So issuing the command "switchport trunk native vlan 777" has no effect on this interface.
1
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:jskfan
ID: 40465315
I made e2/2 on SW2 as Trunk then changed its native Vlan to 777
Now I cannot ping from R1 to R2.
I thought 2 interfaces in 2 different Native Vlans will still be able to Ping each other ?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40465356
I would stick to keeping the trunk links limited to inter-switch links until you've got a better handle on things. Otherwise you're just going to confuse yourself.

Lets call trunks to end stations an Advanced Topic for now. ;-)
0
 

Author Comment

by:jskfan
ID: 40466049
I agree..
I am trying to see when Switch Trunk interfaces are in different Native Vlans , whether the Hosts connected to those switches can ping each other.

in the topology above, I configured SW2 e0/0  connected to SW1 and e1/1 connected to SW4  both in Native Vlan 777

Now I cannot ping from R1 to R2 and back....
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40466073
Well, it doesn't sound like you've got the trunks configured correctly.  The native VLAN should match on each end of the link.
0
 

Author Comment

by:jskfan
ID: 40469334
for Native VLAN 1 and Native VLAN 777 to talk to each other, do I need L3 device ?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40469454
trunksI think you're missing the concept of the native VLAN.

The native VLAN is the VLAN on a trunk that does not get tagged.   It only exists on a trunk between two switches (or a switch and a trunking capable device).

Best practice is to not have the native VLAN communicate with anything.

In the attached topology diagram, all inter-switch links are trunks.
0
 

Author Comment

by:jskfan
ID: 40469483
- In your Diagram above will R1 be able to ping R2 and vice-versa ?
- If R1 was in VLAN 777 and R2 in VLAN 55, will still be able to ping each other ?
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 2000 total points
ID: 40469502
- In your Diagram above will R1 be able to ping R2 and vice-versa ?
Yes
- If R1 was in VLAN 777 and R2 in VLAN 55, will still be able to ping each other ?
Of course not.  :-)
0
 

Author Closing Comment

by:jskfan
ID: 40484396
Thanks Don !
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question