Switch Security Question

gojericho0 Member Posts: 1,059
If all access-ports are off VLAN1, would that eliminate any security issue of having VLAN1 as the native vlan on a trunk link?

Comments

  • joshgibson82 Member Posts: 80
    If all ports are on vlan 1, why do you need a trunk?
    Josh, CCNP CWNA
  • gojericho0 Member Posts: 1,059
    I'm sorry, typo: all access ports are off VLAN 1.
  • kryolla Member Posts: 785
    What security issue are you trying to avoid?
    Studying for CCIE and drinking Home Brew
  • gojericho0 Member Posts: 1,059
    Mainly VLAN hopping, but I wasn't sure if leaving the native VLAN as the default would cause any other vulnerabilities.
  • kryolla Member Posts: 785
    Check out Cisco SAFE.

    You can change all the access ports from the default VLAN, or just prune VLAN 1 from all your trunk links, and you can use switchport host for all your access ports and turn off DTP. There are two ways of mitigating VLAN hopping: make sure your access ports don't form a trunk, and make sure the data VLAN is not the native VLAN for trunk links or tagged links.

    SAFE - Cisco Systems
    Studying for CCIE and drinking Home Brew
  • gojericho0 Member Posts: 1,059
    Cool, thanks.

    Never heard of switchport host to turn off DTP, but does switchport mode access do the same thing?
  • kryolla Member Posts: 785
    It puts the port in access mode, turns on portfast, and disables channel group.
    Studying for CCIE and drinking Home Brew
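As an added example (not from the thread or from Cisco), a small Python audit of a constructed IOS running-config that flags the conditions kryolla lists: access ports left in VLAN 1, trunks whose native VLAN is 1 or that still carry VLAN 1, and ports that never disable DTP. The finding strings and the choice of `switchport nonegotiate` as the DTP check are my assumptions; note that `switchport host` is a macro and appears in a running-config as the individual commands it expands into, which is what this checks.

```python
import re
# Constructed sample running-config (not from the thread): weak/hardened access port and trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet1/0/24
 switchport mode trunk
interface GigabitEthernet1/0/25
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
 switchport mode trunk
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    stanzas = {}
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, *body = block.splitlines()
        stanzas[name] = [l.strip() for l in body if l.startswith(" ")]
    return stanzas
def first(pattern, lines, default):
    """First capture group of pattern over lines, else default."""
    return next((m.group(1) for m in map(re.compile(pattern).match, lines) if m), default)
def vlan_set(spec):
    """Expand IOS allowed-vlan syntax such as '10,20-22,999' into a set of ints."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}
def audit_interface(lines):
    """Findings for one port: VLAN 1 exposure and DTP still able to negotiate."""
    findings = []
    if "switchport mode access" in lines:
        if first(r"switchport access vlan (\d+)", lines, "1") == "1":  # IOS default is VLAN 1
            findings.append("access port left in VLAN 1")
    elif "switchport mode trunk" in lines:
        if first(r"switchport trunk native vlan (\d+)", lines, "1") == "1":  # default native VLAN
            findings.append("native VLAN on trunk is VLAN 1")
        if 1 in vlan_set(first(r"switchport trunk allowed vlan ([\d,-]+)", lines, "1-4094")):
            findings.append("VLAN 1 not pruned from trunk")
    else:
        return ["no static mode: port may negotiate a trunk via DTP"]
    if "switchport nonegotiate" not in lines:
        findings.append("DTP not explicitly disabled (switchport nonegotiate)")
    return findings
def audit_config(config):
    """{interface: findings} for every port with at least one finding."""
    return {n: f for n, l in parse_interfaces(config).items() if (f := audit_interface(l))}
```

Running `audit_config(SAMPLE_CONFIG)` reports only GigabitEthernet1/0/1 and 1/0/24; the two hardened ports produce no findings.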