Thoughts on using the Native VLAN for Management
AutoBahn81
Member Posts: 22
in CCNP
I was just wondering what your thoughts were on using the native VLAN for the management network. The campus I'm responsible for right now is set up to do so.
*Insert "This was done before I got here excuse" here*
We have 428 devices all using a /23 for management. I'd appreciate any thoughts/advice you have relating to ANYTHING from QoS to Security to common sense. Thanks in advance!
BIT - Network Administration
MBA - IT Management
Comments
cisco_trooper Member Posts: 1,441
I don't even use a native VLAN. You can set dot1q to tag the native VLAN, which I think may even be recommended to help mitigate the whole VLAN hopping vulnerability. In addition, since I'm not sure about your set up, I don't use VLAN 1 either.
VLAN Security White Paper [Cisco Catalyst 6500 Series Switches] - Cisco Systems
APA Member Posts: 959
cisco_trooper wrote: »
I don't even use a native VLAN. You can set dot1q to tag the native VLAN, which I think may even be recommended to help mitigate the whole VLAN hopping vulnerability. In addition, since I'm not sure about your set up, I don't use VLAN 1 either.
VLAN Security White Paper [Cisco Catalyst 6500 Series Switches] - Cisco Systems
Just because you are tagging the native VLAN doesn't mean you aren't using a native VLAN... remember that.
dot1q trunks must agree on a native VLAN to form correctly... the native VLAN defines what the CDP, PAgP and STP traffic traverses over... usually VLAN 1, but this can be changed.
You should move your SVI management traffic off VLAN 1 and onto a separate VLAN. If you're leaving VLAN 1 untagged and as the native VLAN for trunks, then you should consider ensuring that you have enabled trunk security on switchports where users have the ability to negotiate a trunk.
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
EdTheLad Member Posts: 2,111
APA wrote: »
dot1q trunks must agree on a native vlan to form correctly.... the native vlan defines what traffic the cdp, pagp,stp traffic traverses over..... usually vlan1 but this can be changed.....
Not true. These protocols work on VLAN 1: if VLAN 1 is native they are untagged; if another VLAN is native, these protocols get tagged with VLAN 1.
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
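To make the two claims argued above checkable, here is an added example that is not from any post in this thread and is not Cisco code: a small Python model of 802.1Q tag handling on an access port and on a trunk between two switches. The forwarding rules it implements are listed in its docstring and are a simplification of what a Catalyst does; the rule that a trunk with native tagging enabled drops untagged frames, the MAC addresses, the placeholder ethertype and the payload bytes are all assumptions made for the example. `control_plane_on_wire` reproduces the capture result EdTheLad describes for a switch-sourced VLAN 1 frame (untagged when VLAN 1 is the native VLAN, tagged with VID 1 otherwise), and `double_tag_hop` walks the double-tagged VLAN-hopping frame cisco_trooper alludes to across the trunk with the native VLAN untagged, with it tagged, and with an otherwise unused native VLAN.

```python
"""Toy model of 802.1Q native-VLAN handling across a two-switch trunk.

Constructed example for this thread; not Cisco IOS and not from any post
above.  Forwarding rules modeled (simplified; check them on your platform):
  access ingress : untagged -> port VLAN; tagged with the port VLAN -> accepted
                   and the tag is stripped; any other tag -> dropped.
  trunk egress   : frames in the native VLAN go untagged unless the trunk tags
                   its native VLAN; every other VLAN gets a tag.
  trunk ingress  : tagged -> that VLAN; untagged -> native VLAN, or dropped when
                   native tagging is on (an untagged frame is then unexpected).
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PLACEHOLDER = 0x88B5   # stand-in only; real CDP is SNAP-encapsulated

# Constructed addresses: locally administered unicast source/destination and
# the well-known Cisco multicast destination used by CDP (01:00:0c:cc:cc:cc).
SRC = bytes.fromhex("020000000001")
DST = bytes.fromhex("020000000002")
CISCO_MCAST = bytes.fromhex("01000ccccccc")


def build_frame(dst, src, ethertype, payload, vids=()):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Strip the outermost 802.1Q tag; returns (vid, frame) or (None, frame) if untagged."""
    if len(frame) < 16:
        return None, frame
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def vlan_stack(frame):
    """Every VID the frame carries, outermost first; [] for an untagged frame."""
    vids = []
    vid, frame = pop_tag(frame)
    while vid is not None:
        vids.append(vid)
        vid, frame = pop_tag(frame)
    return vids


def access_ingress(frame, port_vlan):
    """Classify a frame arriving on an access port: (vlan, frame) or None if dropped."""
    vid, stripped = pop_tag(frame)
    if vid is None:
        return port_vlan, frame
    return (port_vlan, stripped) if vid == port_vlan else None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """The frame as it appears on the trunk wire when forwarded in `vlan`."""
    if vlan == native_vlan and not tag_native:
        return frame                     # native VLAN rides untagged
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, tag_native=False):
    """Classify a frame arriving from the trunk: (vlan, frame) or None if dropped."""
    vid, stripped = pop_tag(frame)
    if vid is not None:
        return vid, stripped
    return None if tag_native else (native_vlan, frame)


def double_tag_hop(attacker_vlan, target_vlan, native_vlan, tag_native=False):
    """VLAN in which a double-tagged frame (outer = native, inner = target) is
    delivered on the far switch, or None if it is dropped on the way."""
    frame = build_frame(DST, SRC, ETHERTYPE_IPV4, b"payload", vids=(native_vlan, target_vlan))
    hop = access_ingress(frame, attacker_vlan)
    if hop is None:
        return None
    vlan, frame = hop
    hop = trunk_ingress(trunk_egress(vlan, frame, native_vlan, tag_native), native_vlan, tag_native)
    return None if hop is None else hop[0]


def control_plane_on_wire(native_vlan, tag_native=False):
    """Tag stack of a switch-sourced VLAN 1 frame (the CDP/STP case) on the trunk."""
    frame = build_frame(CISCO_MCAST, SRC, ETHERTYPE_PLACEHOLDER, b"cdp-like payload")
    return vlan_stack(trunk_egress(1, frame, native_vlan, tag_native))


if __name__ == "__main__":
    print("control frame, native 1   :", control_plane_on_wire(1))        # []   untagged
    print("control frame, native 999 :", control_plane_on_wire(999))      # [1]  tagged VLAN 1
    print("hop, native 1, untagged   :", double_tag_hop(1, 20, 1))        # 20   hop succeeds
    print("hop, native 1, tag native :", double_tag_hop(1, 20, 1, True))  # 1    stays in VLAN 1
    print("hop, unused native 999    :", double_tag_hop(10, 20, 999))     # None dropped at access port
```

Run it directly to print the five cases. On Catalyst IOS the knobs behind these cases are `vlan dot1q tag native` (global) for the tag-native case, `switchport trunk native vlan <id>` with an otherwise unused VLAN for the unused-native case, and `switchport mode access` plus `switchport nonegotiate` on user-facing ports so that the trunk negotiation APA warns about cannot happen; the model does not cover DTP itself.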
AutoBahn81 Member Posts: 22
I am not using VLAN 1 for anything. In fact it is shut on every device in the campus. I shoulda said that in the beginning... my bad.
BIT - Network Administration
MBA - IT Management
APA Member Posts: 959
EdTheLad wrote: »
Not true, these protocols work on vlan 1, if vlan 1 is native they are untagged, if another vlan is native these protocols get tagged with vlan 1.
Yeah I had a look at your captures in the CCIE forum.... It contradicts what the BCMSN study guide states.... quite interesting to see that they are either untagged or tagged depending on whether you are using the default native vlan or change the native vlan.
I was sure the BCMSN guide said the management traffic will always travel over the configured native vlan. Your captures obviously prove that incorrect
Cheers for the capture info by the way!
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
Sanis4life Banned Posts: 60
APA wrote: »
Yeah I had a look at your captures in the CCIE forum.... It contradicts what the BCMSN study guide states.... quite interesting to see that they are either untagged or tagged depending on whether you are using the default native vlan or change the native vlan.
I was sure the BCMSN guide said the management traffic will always travel over the configured native vlan. Your captures obviously prove that incorrect
Cheers for the capture info by the way!
Do you have the link to his capture/post?
Thanks!
kryolla Member Posts: 785
Have you ever wondered why you can't delete VLAN 1?
Studying for CCIE and drinking Home Brew
redwarrior Member Posts: 285
This is definitely good proof for why you shouldn't put anything else on VLAN 1... would you really want a client device able to do a capture and see all this?
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog