802.1Q Native VLAN on Cisco IOS Switch

This topic is to discuss the following lesson:


Is there any specific reason to tag the native vlan?

Hi Dan,

There is a security vulnerability (VLAN Hopping) when you don’t tag the native VLAN, that’s the only reason I can think of.

If you are interested, I can do a write up for VLAN hopping…might be interesting :slight_smile:

Rene


Thanks for your answer Rene, of course it would be interesting to have the write up for VLAN hopping

Regards

Hi Dan,

I put it on my list, when it’s done I’ll let you know.

Rene

Hi René,

What is the difference between a native vlan and the default vlan ?
Are they the same ?

Thanks,

Hi Prince,

On Cisco IOS, they are the same thing. VLAN 1 is the default VLAN and it’s also the native VLAN.

Rene

Hi Rene,

What is the benefit of changing the native VLAN? I mean, what are the security reasons in detail?
And what are the possible issues that occur because of NATIVE_VLAN_MISMATCH?

Hi Hussein,

An attacker would probably start looking for VLAN 1 since it’s the default native VLAN. It’s used for management traffic so that makes it an interesting target. It’s best to use another VLAN number and to tag it for that reason.

Rene

Thanks Rene, I got the idea

What about the second question?

cheers.

Ah sorry forgot about that one. A VLAN mismatch is a bad thing…

For example, if VLAN 10 is native on SW1 and VLAN 1 is native on SW2 then traffic from VLAN 10 will “leak” into VLAN 1 (or vice versa). Make sure you always use the same native VLAN on both sides of the trunk.

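The two points Rene makes above (tagging the native VLAN defeats the double-tagging form of VLAN hopping, and a native VLAN mismatch lets traffic leak between VLANs) are easy to see by modelling what a switch does with the 802.1Q tag at each hop. The following Python is an added example written for this thread; it is not code from networklessons.com or from the VLAN hopping post. It builds real 802.1Q frame bytes and models two switches joined by a trunk. The `native_vlan` and `tag_native` parameters stand for `switchport trunk native vlan <n>` and `vlan dot1q tag native` on IOS. Two behaviours are assumptions of the model rather than something this thread verifies: an access port accepts a frame tagged with its own VLAN and strips that tag, and a trunk with native tagging enabled drops untagged frames. As Rene notes in the VLAN hopping post, the double-tag hop itself no longer works on modern IOS images; the model shows the textbook behaviour that motivated the advice.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, vlan_ids, payload, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame carrying zero or more 802.1Q tags, outermost first."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for vid in vlan_ids:
        # TPID 0x8100 followed by the TCI: PCP=0, DEI=0, 12-bit VLAN ID
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def outer_tag(frame):
    """Return the outermost 802.1Q VLAN ID, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) + frame[12:]


class Switch:
    """Minimal model of 802.1Q tag handling on a switch with one trunk."""

    def __init__(self, name, native_vlan=1, tag_native=False):
        self.name = name
        self.native_vlan = native_vlan  # switchport trunk native vlan <n>
        self.tag_native = tag_native    # vlan dot1q tag native

    def ingress_access(self, frame, access_vlan):
        """Classify a frame from an access port: (vlan, frame) or None if dropped."""
        vid = outer_tag(frame)
        if vid is None:
            return access_vlan, frame
        if vid == access_vlan:
            # Model assumption: a tag matching the access VLAN is accepted and stripped.
            return access_vlan, strip_outer_tag(frame)
        return None

    def ingress_trunk(self, frame):
        """Classify a frame from the trunk: (vlan, frame) or None if dropped."""
        vid = outer_tag(frame)
        if vid is not None:
            return vid, strip_outer_tag(frame)
        if self.tag_native:
            # Model assumption: with native tagging on, untagged trunk frames are dropped.
            return None
        return self.native_vlan, frame

    def egress_trunk(self, vlan, frame):
        """Send out the trunk: untagged only for an untagged native VLAN, else tagged."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame
        return push_tag(frame, vlan)


def hop_across_trunk(sw1, sw2, frame, access_vlan):
    """Frame enters sw1 on an access port, crosses the trunk, is classified by sw2.
    Returns (vlan_on_sw1, vlan_on_sw2), or None if either switch drops it."""
    result = sw1.ingress_access(frame, access_vlan)
    if result is None:
        return None
    vlan1, frame = result
    result = sw2.ingress_trunk(sw1.egress_trunk(vlan1, frame))
    return None if result is None else (vlan1, result[0])


# Constructed sample addresses and payload, not captured traffic.
ATTACKER = "00:11:22:33:44:55"
VICTIM = "66:77:88:99:aa:bb"
PAYLOAD = b"\x45" + b"\x00" * 19


def double_tag_hop(attacker_vlan, native_vlan, tag_native, target_vlan=20):
    """Attacker on an access port sends [attacker_vlan, target_vlan]; return the VLAN SW2 uses."""
    sw1 = Switch("SW1", native_vlan, tag_native)
    sw2 = Switch("SW2", native_vlan, tag_native)
    frame = build_frame(VICTIM, ATTACKER, [attacker_vlan, target_vlan], PAYLOAD)
    result = hop_across_trunk(sw1, sw2, frame, access_vlan=attacker_vlan)
    return None if result is None else result[1]


def native_mismatch_leak(native_sw1, native_sw2):
    """Host in SW1's native VLAN sends an untagged frame; return the VLAN SW2 puts it in."""
    sw1 = Switch("SW1", native_sw1)
    sw2 = Switch("SW2", native_sw2)
    frame = build_frame(VICTIM, ATTACKER, [], PAYLOAD)
    result = hop_across_trunk(sw1, sw2, frame, access_vlan=native_sw1)
    return None if result is None else result[1]


if __name__ == "__main__":
    print("native 1 untagged, attacker in VLAN 1 -> SW2 VLAN", double_tag_hop(1, 1, False))
    print("native 1 tagged, attacker in VLAN 1   -> SW2 VLAN", double_tag_hop(1, 1, True))
    print("native 999 untagged, attacker in 1    -> SW2 VLAN", double_tag_hop(1, 999, False))
    print("SW1 native 10, SW2 native 1, VLAN 10  -> SW2 VLAN", native_mismatch_leak(10, 1))
```

Running it shows the three outcomes discussed in the thread: with VLAN 1 as an untagged native VLAN the double-tagged frame ends up in VLAN 20 on SW2; with `vlan dot1q tag native` (or with the attacker outside the native VLAN, which is what moving the native VLAN off VLAN 1 achieves) it stays in the attacker's own VLAN; and with native VLAN 10 on SW1 against native VLAN 1 on SW2, an untagged VLAN 10 frame is classified as VLAN 1 by SW2.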

Thanks Rene, No problem.

Is there an impact on the operation of STP when there is a NATIVE_VLAN_MISMATCH?

I haven’t tested it but probably the switch will report an error. PVST+ uses a bridge ID that includes the priority and vlan ID. I think STP will notice the mismatch of the VLAN ID.


Dear René,


Could you please share the link about "VLAN hopping" if it is already done?

Thanks a lot,

Prince

Hi Prince,

I’ll add it tomorrow, when it’s done I’ll post the link here.

Rene

Ok, thank you René

Prince

I just finished the VLAN hopping post:

https://networklessons.com/security/vlan-hopping/

The result is interesting, this doesn’t seem to work on modern IOS images anymore :slight_smile:

Hi Rene,

I have to thank you for the clear and simple way of explaining.

About the security behind changing the native VLAN and tagging it, what is the point of this? Because the attacker, while having access to the native VLAN (whether you change it and tag it or not), will be able to sniff the traffic with all the management protocol information.

Hi Abdalrahman,

If an attacker had access to one of your switches then they probably would try to get access to the native vlan first. Since everyone knows that VLAN 1 is the default, that’s where they will probably start looking. Using another vlan number makes this a bit harder.

Still, once someone has physical access there’s a lot of bad stuff they can do…best to prevent this from happening in the first place :slight_smile:

Rene
