This topic is to discuss the following lesson:
Is there any specific reason to tag the native vlan?
Hi Dan,
There is a security vulnerability (VLAN Hopping) when you don’t tag the native VLAN, that’s the only reason I can think of.
If you are interested, I can do a write up for VLAN hopping…might be interesting
Rene
Thanks for your answer Rene, of course it would be interesting to have the write up for VLAN hopping
Regards
Hi Dan,
I put it on my list, when it’s done I’ll let you know.
Rene
Hi René,
What is the difference between a native VLAN and the default VLAN?
Are they the same?
Thks,
Hi Prince,
On Cisco IOS, they are the same thing. VLAN 1 is the default VLAN and it’s also the native VLAN.
Rene
Hi Rene,
What is the benefit of changing the native VLAN? I mean, what are the security reasons in detail?
And what are the possible issues that occur because of NATIVE_VLAN_MISMATCH?
Hi Hussein,
An attacker would probably start looking for VLAN 1 since it’s the default native VLAN. It’s used for management traffic so that makes it an interesting target. It’s best to use another VLAN number and to tag it for that reason.
Rene
Thanks Rene, I got the idea
What about the second question?
cheers.
Ah sorry forgot about that one. A VLAN mismatch is a bad thing…
For example, if VLAN 10 is native on SW1 and VLAN 1 is native on SW2 then traffic from VLAN 10 will “leak” into VLAN 1 (or vice versa). Make sure you always use the same native VLAN on both sides of the trunk.
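As an added example (not from Rene's post or the lesson), here is a Cisco IOS trunk configuration that applies the points above: move the native VLAN off VLAN 1 to an otherwise unused VLAN, tag it, and use the same native VLAN on both ends of the trunk. The interface name, VLAN 999 and the allowed VLAN list are assumptions; the `encapsulation` line is only needed on platforms that also support ISL.

```cisco
! Weak (default) trunk: native VLAN 1, carried untagged across the link
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! implicit and not shown in running-config: switchport trunk native vlan 1

! Hardened trunk, configured identically on SW1 and SW2 so the native VLANs match
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 ! no DTP: the port will not negotiate trunking with whatever is plugged in
 switchport nonegotiate
!
! Global: tag the native VLAN on every dot1q trunk, so no data frame crosses untagged
! and untagged data frames arriving on a trunk are dropped rather than placed in the native VLAN
vlan dot1q tag native
!
! Verify on both switches that the native VLAN and tagging status agree:
!   show interfaces GigabitEthernet0/1 trunk
!   show vlan dot1q tag native
```

With both ends set this way, a native VLAN mismatch shows up in `show interfaces trunk` (and as CDP/STP native VLAN mismatch messages) instead of silently leaking traffic between VLANs.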
Thanks Rene, No problem.
Is there an impact on the operation of STP when there is a NATIVE_VLAN_MISMATCH?
I haven’t tested it but probably the switch will report an error. PVST+ uses a bridge ID that includes the priority and vlan ID. I think STP will notice the mismatch of the VLAN ID.
Dear René,
Could you please share the link about "VLAN hopping" if it is already done.
Thks a lot,
Prince
Hi Prince,
I’ll add it tomorrow, when it’s done I’ll post the link here.
Rene
Ok merci René
Prince
I just finished the VLAN hopping post:
https://networklessons.com/security/vlan-hopping/
The result is interesting: this doesn’t seem to work on modern IOS images anymore.
Hi Rene,
I have to thank you for the clear and simple way of explaining.
About the security behind changing the native VLAN and tagging it: what is the point of this? Because an attacker who has access to the native VLAN (whether you change it and tag it or not) will be able to sniff the traffic with all the management protocol information.
Hi Abdalrahman,
If an attacker had access to one of your switches then they probably would try to get access to the native vlan first. Since everyone knows that VLAN 1 is the default, that’s where they will probably start looking. Using another vlan number makes this a bit harder.
Still, once someone has physical access there’s a lot of bad stuff they can do…best to prevent this from happening in the first place
Rene