use other vlan to avoid double tagging?
poguy
I don't get how using another native VLAN can avoid double tagging.
Is it because the native VLAN is always 1, so a hacker can tag VLAN 1 at the beginning?
Doing this: switchport trunk native vlan 400, makes it harder for a hacker to guess the native VLAN number??
Comments
dynamik
No, they recommend creating a VLAN with no ports and assigning the native VLAN to that, so it never has to switch any user traffic.
keenon
You also should set the port mode, as by default, depending on the switch model, it's either desirable or auto. Either way it wants to be a trunk, so setting it to access tells the switch port not to expect a tagged packet; if it does, it will drop it.
Morty3
+1.
Native VLAN is what VLAN the switch should see untagged frames as a member of. So, "normal frames" that pass a trunk are seen as a member of a VLAN as well (duh), and because we don't like this from a security point of view, we create some random VLAN and tell the switch "untagged traffic is VLAN 234". Then no untagged frames will be sent around, since there are no VLAN 234 ports.
poguy
> No, they recommend creating a VLAN with no ports and assigning the native VLAN to that, so it never has to switch any user traffic.
But even if they switch the native VLAN, the inner tag is still visible and would switch the packet to the target VLAN, isn't it??
Thank you.
dynamik
The whole point of doing that is that no one would be using the native VLAN, so that wouldn't happen.
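The hardening the replies describe (unused native VLAN, explicit access mode, no trunk negotiation), as an added Cisco IOS configuration example that is not from any post in this thread; the interface names, VLAN numbers and the availability of `vlan dot1q tag native` on the platform are assumptions.

```cisco
! --- Weak trunk as it often ships: native VLAN left at 1 and DTP on.
! A user port that is also in VLAN 1 shares the trunk's native VLAN, so
! its frames leave the trunk untagged and any inner tag stays intact.
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! native VLAN still the default (1)
!
! --- Hardened version.
! VLAN 999 exists only to serve as the native VLAN; no access port is ever
! placed in it, so no user traffic can arrive untagged on the trunk.
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 ! disable DTP: the trunk is explicit, nothing negotiates into one
 switchport nonegotiate
!
! User-facing ports: forced to access mode (keenon's point), so the port
! neither negotiates a trunk nor expects 802.1Q-tagged frames, and they
! live in a VLAN other than the native VLAN 999.
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Optional, platform dependent: tag frames of the native VLAN as well, so
! nothing crosses the trunk untagged at all.
vlan dot1q tag native
```

`show interfaces trunk` should then list 999 as the native VLAN on Gi0/24, and `show vlan brief` should show VLAN 999 with no ports assigned.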