Native vlan is management vlan?

Hi CCIEs,

I have a question. Sorry to bug you but I feel this is wrong and a security hole possiblity.

Can you make your network management or is it safe to make your network management vlan say vlan 999 is network management vlan, is it secure to make this your native vlan as well

so native vlan is 999 and network management vlan is 999 is this safe?

Find more posts tagged with

Comments

mistabrumley89

It is not "safe", and it is a security issue.

Bardlebee

From my experience. You don't want to put anything in the native vlan as its essentially accessible on a new switch build. Imagine connecting your access switch to an aggregate switch, all ports will be in an access mode native vlan 1. Even if you were to change your native vlan on other connected switches, you'd end up having native vlan bleeding anyway, leading to the same problem.

Its been my experience that everything gets a vlan and thus native vlan is never used as it is A) A security threat to have multiple layer 3 networks in the same vlan which by proxy just connecting two servers in different networks to default set ports will get you there. So this is the same for your switch management. But I think most importantly

a mgmt network in a native vlan could lead to large broadcast domains, given the large enough deployment. Of course, this is in the traditional deployment of the Cisco tree of edge/core/aggr/access. In spine leaf I guess we don't have to worry about it.

Long answer to say that, from my experience, everything gets its own non-native vlan. Leave native vlan for control plane stuff as its used for like BPDU's etc.

EDIT: Depending on the vendor A) can be a problem, but a lot of vendors don't automatically enable ports into access or anything. Just a thought.

is what I think could be an issue but in the end the answer is the same.

Dieg0M

Usually Native VLAN is a security risk due to VLAN hopping. This kind of attack is not really effective against modern switches and there are several ways to prevent it. You can check one of Jeremy's blog on this: Experimenting with VLAN hopping - PacketLife.net. I wouldn't be too worried about it as a security risk.

itdaddy

native vlan 999 was created for management but is also define as native vlan. I thought it was good to change the native vlan to 999 for allowing untagged traffic to be sectioned off that is what I have been taught but I just got this new job and this network engineer uses Native 999 not only as defined as the new native vlan but he uses it as NetworkManagement vlan? I was like huh? the same traffic untagged ride on he alllowed network management on? I was like wtheck? so guys not native vlan 1 but a new created native vlan 999 used also for network management so used forboth on the the switches for example he creates Vlan 999 as network management but says on the port allow native vlan 999...and at first glance i was freaking out. so you guys think this is okay Dieg0M? funny how this guy does this when I feel networkengineers inpast have been taught the opposite and he is a CCIE VOICE guy who established this?

Bardlebee

With my limited experience, I feel like the whole native vlan usage with management is just an opinion thing. Maybe there are more negatives then its worth, but for me I use a separate vlan for everything. The Native vlan to me is strictly for control plane traffic. Comes down to preference for me. Never looked super deep into the implications, because I don't know that they go that deep to be an issue.

I mean, I think I separate management out to its own vlan mainly because there is nothing to lose and possibly something to lose by putting it into the native, so I guess that's how I sort that logic.

OctalDump

Yeah, this is one of the annoying things about the way Cisco teaches networking. The management Vlan and the native vlan should definitely be separate, and they will tell you this, but then in 99% of their examples and lab exercises they will just leave them the same. Ideally, the native Vlan should be non routable (or unrouted) but they usually don't bother.

The problem is that the native VLAN is like the 'default', so it's very easy for a port to accidentally be on the native VLAN. So if you haven't secured the VLAN, then it can lead interesting and unexpected places. If you have the management VLAN and native VLAN, then it is likely that somewhere in a reasonable sized network will accidentally give access to your management VLAN. Oops.

theodoxa

Yeah, this is one of the annoying things about the way Cisco teaches networking. The management Vlan and the native vlan should definitely be separate, and they will tell you this, but then in 99% of their examples and lab exercises they will just leave them the same. Ideally, the native Vlan should be non routable (or unrouted) but they usually don't bother.

Nexus switches go a step further and place the management interface in its own VRF instance.