Thoughts on using the Native vLAN for Management

AutoBahn81 Member Posts: 22
I was just wondering what your thoughts were on using the Native vLAN for the management network. The campus I'm responsible for right now is set up to do so.

*Insert "This was done before I got here excuse" here*

:)

We have 428 devices all using a /23 for management. I'd appreciate any thoughts/advice you have relating to ANYTHING from QoS to Security to common sense. Thanks in advance!
BIT - Network Administration
MBA - IT Management

Comments

  • cisco_trooper Too many Member Posts: 1,442
    I don't even use a native VLAN. You can set dot1q to tag the native VLAN, which I think may even be recommended to help mitigate the whole VLAN hopping vulnerability. In addition, since I'm not sure about your set up, I don't use VLAN 1 either.

    VLAN Security White Paper [Cisco Catalyst 6500 Series Switches] - Cisco Systems
  • APA Member Posts: 959
    cisco_trooper wrote: »
    I don't even use a native VLAN. You can set dot1q to tag the native VLAN, which I think may even be recommended to help mitigate the whole VLAN hopping vulnerability. In addition, since I'm not sure about your set up, I don't use VLAN 1 either.

    VLAN Security White Paper [Cisco Catalyst 6500 Series Switches] - Cisco Systems


    Just because you are tagging the native VLAN doesn't mean you aren't using a native VLAN... remember that :)

    dot1q trunks must agree on a native VLAN to form correctly... the native VLAN defines what the CDP, PAgP, STP traffic traverses over... usually VLAN 1, but this can be changed...

    You should move your SVI management traffic off VLAN 1 and onto a separate VLAN. If you're leaving VLAN 1 untagged and as the native VLAN for trunks, then you should consider ensuring that you have enabled trunk security on switchports where users have the ability to negotiate a trunk...

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
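Putting the advice in the two posts above (don't run management on VLAN 1, tag the native VLAN, lock down trunk negotiation) into one IOS configuration, as an added example that is not part of any post in this thread. It assumes a Catalyst running IOS with `vlan dot1q tag native` support (the 6500 white paper linked above documents it; 3560/3750-class switches have it too), VLAN 99 as the new management VLAN, VLAN 999 as an otherwise unused native VLAN, the /23 from the original post, and placeholder interface names and addresses.

```cisco
! Added example, not from the thread. Assumed: VLAN 99 = management,
! VLAN 999 = unused native VLAN, 10.0.0.0/23 management range,
! Gi1/0/48 = uplink trunk, Gi1/0/1-47 = user ports.
!
! 1. Management moves off VLAN 1 onto its own SVI; the VLAN 1 SVI stays
!    shut and unaddressed.
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description Management
 ip address 10.0.0.2 255.255.254.0
 no shutdown
!
! 2. Trunks: hard-code trunking, switch DTP off, put the native VLAN on
!    a VLAN that carries nothing else, and prune the allowed list.
!    The native VLAN must match on both ends of the trunk; CDP logs a
!    native VLAN mismatch if it does not.
!    (Omit the encapsulation line on platforms that only speak dot1q.)
interface GigabitEthernet1/0/48
 description Uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
!
! 3. Tag the native VLAN on every dot1q trunk on this switch so nothing
!    leaves a trunk untagged. Global, and it must be set on both ends.
vlan dot1q tag native
!
! 4. User ports never become trunks: access mode plus nonegotiate removes
!    the DTP path that trunk-negotiation VLAN hopping relies on.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Checks
show interfaces trunk
show vlan dot1q tag native
show interfaces GigabitEthernet1/0/1 switchport
```

`show interfaces trunk` should list 999 as the native VLAN on the uplink and only the allowed VLANs; `show interfaces ... switchport` on a user port should show "Negotiation of Trunking: Off". Apply `vlan dot1q tag native` to both switches of a trunk in the same change window, since a switch that tags its native VLAN will not accept untagged native-VLAN frames from a peer that does not.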
  • EdTheLad Member Posts: 2,111
    A.P.A wrote: »
    dot1q trunks must agree on a native VLAN to form correctly... the native VLAN defines what the CDP, PAgP, STP traffic traverses over... usually VLAN 1, but this can be changed...

    Not true. These protocols work on VLAN 1: if VLAN 1 is native they are untagged; if another VLAN is native, these protocols get tagged with VLAN 1.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
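To reproduce the kind of capture EdTheLad is describing, here is a local SPAN session as an added example that is not from the thread. It assumes Catalyst 3560/3750-style `monitor session` syntax, Gi1/0/48 as the trunk under test, and a capture host on Gi1/0/10.

```cisco
! Added example, not from the thread. Assumed: Gi1/0/48 is the trunk under
! test, Gi1/0/10 has the capture host. 'encapsulation replicate' keeps the
! 802.1Q tags on the mirrored frames; without it the destination port sends
! everything untagged and you cannot tell native from tagged traffic.
monitor session 1 source interface GigabitEthernet1/0/48 both
monitor session 1 destination interface GigabitEthernet1/0/10 encapsulation replicate
!
! Capture with the default native VLAN first, then change it and compare
! how CDP, PAgP and STP frames on the trunk are tagged.
interface GigabitEthernet1/0/48
 switchport trunk native vlan 999
!
show monitor session 1
show interfaces GigabitEthernet1/0/48 trunk
```

On the capture host, a Wireshark display filter of `cdp || stp` narrows the trace to the frames in question; the presence or absence of an 802.1Q header, and the VLAN ID in it, is what settles the discussion above for the platform you are on. Remove the session afterwards with `no monitor session 1`.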
  • AutoBahn81 Member Posts: 22
    I am not using VLAN 1 for anything. In fact it is shut on every device in the campus. I should've said that in the beginning... my bad.
    BIT - Network Administration
    MBA - IT Management
  • APA Member Posts: 959
    EdTheLad wrote: »
    Not true. These protocols work on VLAN 1: if VLAN 1 is native they are untagged; if another VLAN is native, these protocols get tagged with VLAN 1.

    Yeah, I had a look at your captures in the CCIE forum... It contradicts what the BCMSN study guide states... Quite interesting to see that they are either untagged or tagged depending on whether you are using the default native VLAN or change the native VLAN.

    I was sure the BCMSN guide said the management traffic will always travel over the configured native VLAN. Your captures obviously prove that incorrect :)

    Cheers for the capture info by the way! :)

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • Sanis4life Banned Posts: 60
    A.P.A wrote: »
    Yeah, I had a look at your captures in the CCIE forum... It contradicts what the BCMSN study guide states... Quite interesting to see that they are either untagged or tagged depending on whether you are using the default native VLAN or change the native VLAN.

    I was sure the BCMSN guide said the management traffic will always travel over the configured native VLAN. Your captures obviously prove that incorrect :)

    Cheers for the capture info by the way! :)

    Do you have the link to his capture/post?

    Thanks!
  • kryolla Member Posts: 785
    Have you ever wondered why you can't delete VLAN 1?
    Studying for CCIE and drinking Home Brew
  • redwarrior Member Posts: 285
    This is definitely good proof for why you shouldn't put anything else on VLAN 1... Would you really want a client device able to do a capture and see all this?

    CCNP Progress

    ONT, ISCW, BCMSN - DONE

    BSCI - In Progress

    http://www.redwarriornet.com/ <--My Cisco Blog