802.1Q Native VLAN on Cisco IOS Switch

(Rene Molenaar) #1

This topic is to discuss the following lesson:

(Dan B) #2

Is there any specific reason to tag the native VLAN?

(Rene Molenaar) #4

Hi Dan,

There is a security vulnerability (VLAN Hopping) when you don’t tag the native VLAN, that’s the only reason I can think of.

If you are interested, I can do a write up for VLAN hopping…might be interesting :)


(Dan B) #5

Thanks for your answer Rene, of course it would be interesting to have the write up for VLAN hopping.


(Rene Molenaar) #6

Hi Dan,

I put it on my list, when it’s done I’ll let you know.


(Prince) #7

Hi René,

What is the difference between a native VLAN and the default VLAN?
Are they the same?


(Rene Molenaar) #8

Hi Prince,

On Cisco IOS, they are the same thing. VLAN 1 is the default VLAN and it’s also the native VLAN.


(Hussein Samir) #9

Hi Rene,

What is the benefit of changing the native VLAN? I mean, what are the security reasons in detail?
And what are the possible issues that occur because of NATIVE_VLAN_MISMATCH?

(Rene Molenaar) #10

Hi Hussein,

An attacker would probably start looking for VLAN 1 since it’s the default native VLAN. It’s used for management traffic so that makes it an interesting target. It’s best to use another VLAN number and to tag it for that reason.


(Hussein Samir) #11

Thanks Rene, I got the idea.

What about the second question?


(Rene Molenaar) #12

Ah, sorry, I forgot about that one. A VLAN mismatch is a bad thing…

For example, if VLAN 10 is native on SW1 and VLAN 1 is native on SW2 then traffic from VLAN 10 will “leak” into VLAN 1 (or vice versa). Make sure you always use the same native VLAN on both sides of the trunk.

(Hussein Samir) #13

Thanks Rene, no problem.

Is there an impact on the operation of STP when there is a NATIVE_VLAN_MISMATCH?

(Rene Molenaar) #14

I haven’t tested it but probably the switch will report an error. PVST+ uses a bridge ID that includes the priority and vlan ID. I think STP will notice the mismatch of the VLAN ID.
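
The following configuration is an added example for the points raised in #10, #12 and #14; it is not from the thread or from the lesson it links to. The hostnames SW1 and SW2, the interface GigabitEthernet0/1 and the VLAN numbers 10, 20 and 999 are constructed for the example. It first shows the mismatch described in #12 (VLAN 10 native on one side, VLAN 1 on the other), then the corrected configuration: the same otherwise unused native VLAN on both ends of the trunk, tagged with the global `vlan dot1q tag native` command.

```text
! ===== Before: native VLAN mismatch (the situation described in #12) =====
! Frames SW1 sends untagged belong to VLAN 10; SW2 places untagged
! frames into its own native VLAN, VLAN 1, so VLAN 10 leaks into VLAN 1.

! --- SW1 ---
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10

! --- SW2 ---
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! native VLAN left at the default (VLAN 1)

! With CDP running, both switches log the mismatch. Constructed log line
! (IOS message format, example interface names and VLAN ids):
! %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW2 GigabitEthernet0/1 (1).

! ===== After: identical native VLAN on both ends, and tag it =====
! Apply the same lines on SW1 and SW2.

! A dedicated VLAN that carries no user or management traffic,
! so nothing of value rides untagged on the trunk.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 ! only the VLANs that are actually needed cross the trunk
 switchport trunk allowed vlan 10,20,999
!
! Global: send frames of the native VLAN with an 802.1Q tag as well.
! Supported on Catalyst platforms such as the 3560/3750 and 6500;
! confirm with "show vlan dot1q tag native".
vlan dot1q tag native
```

To verify, `show interfaces trunk` lists the native VLAN per trunk port on each switch; the two values must match. Enable `vlan dot1q tag native` on both ends in the same change window: on platforms that support it, a trunk port then drops untagged frames it receives, so a peer that still sends the native VLAN untagged loses connectivity for that VLAN. On the STP question in #13/#14, PVST+ does detect a native VLAN mismatch: the BPDU for one VLAN arrives where the peer expects another, and IOS logs `%SPANTREE-2-RECV_PVID_ERR` and `%SPANTREE-2-BLOCK_PVID_PEER`, putting the port into a PVID-inconsistent (blocking) state for the affected VLANs until the mismatch is fixed.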

(Prince) #15

Dear René,


Could you please share the link about "VLAN hopping" if it is already done.

Thanks a lot,


(Rene Molenaar) #16

Hi Prince,

I’ll add it tomorrow, when it’s done I’ll post the link here.


(Prince) #17

Ok, thank you René


(Rene Molenaar) #18

I just finished the VLAN hopping post:

The result is interesting, this doesn’t seem to work on modern IOS images anymore :)

(Abdalrahman N) #19

Hi Rene,

I have to thank you for the clear and simple way of explaining.

About the security behind changing the native VLAN and tagging it, what is the point of this? Because an attacker who has access to the native VLAN (whether it is changed and tagged or not) will be able to sniff the traffic with all the management protocol information.



(Rene Molenaar) #20

Hi Abdalrahman,

If an attacker had access to one of your switches then they probably would try to get access to the native VLAN first. Since everyone knows that VLAN 1 is the default, that’s where they will probably start looking. Using another VLAN number makes this a bit harder.

Still, once someone has physical access there’s a lot of bad stuff they can do…best to prevent this from happening in the first place :)