What are dummy VLANs for, like this 4094?
s3(config)#int gi0/23
s3(config-if)#switchport trunk encapsulation dot1q
s3(config-if)#switchport trunk allowed vlan all
s3(config-if)#switchport mode trunk
s3(config-if)#switchport trunk native vlan 4094
The previous engineer did this on the trunk line that is connected to the ASA 5510, which has only 1 connection to it and of course has VLANs that traverse it.
But what would you use this dummy VLAN for?
Comments
SharkDiver Member Posts: 844
The CCNA Security material tells you to make the native VLAN the number of an unused VLAN so that all frames are tagged going across the Dot1Q trunk. This is to help avoid VLAN hopping, so it could be for security reasons.
nel Member Posts: 2,859
Yeah, I've seen places change it from the default for security in a bank I worked in.
Xbox Live: Bring It On
Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking
itdaddy Member Posts: 2,089
What CCNA Security material did you read? Haha, I never read that unless I was sleeping.
Thanks very much...
Interesting, but SharkDiver, yep, that is what the description of it says: all VLANs are tagged, it says.
Thanks for the help.
http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
Very cool article about the testing of this. Now I get it, wow, now I see, thanks.
Still, an engineer might wish to enable the vlan dot1q tag native feature on platforms which support it. This forces the tagging of all traffic traversing 802.1Q trunk links, including that belonging to the native VLAN. Note that it is important that this feature be enabled on both ends of a trunk.
Just like you said, SharkDiver, you were dead on! Wow, thanks!
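An added audit script (my own example, not code from the thread or from Cisco) that reads a running-config excerpt and reports, for every trunk port, the native VLAN and whether it is still the default VLAN 1, overlaps a VLAN that access ports use, or lacks the global vlan dot1q tag native command quoted above. The config sample and interface names are constructed for the demonstration.

```python
import re

# Constructed sample running-config (not from the thread): Gi0/22 is a trunk left on
# the default native VLAN 1; Gi0/23 uses the unused VLAN 4094 as native, as in the
# original post; Gi0/1 is an access port, so VLAN 10 is known to carry user traffic.
SAMPLE_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet0/1
 switchport access vlan 10
!
interface GigabitEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 4094
!
"""

# One 'interface X' line followed by its indented command lines.
STANZA = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)

def audit_native_vlans(config):
    """Return [(interface, native_vlan, [findings])] for every trunk port."""
    stanzas = {m.group(1): m.group(2) for m in STANZA.finditer(config)}
    tag_native = "vlan dot1q tag native" in config.splitlines()
    # VLANs that end-user access ports sit in; the native VLAN must not be one of them.
    access_vlans = {int(v) for body in stanzas.values()
                    for v in re.findall(r"switchport access vlan (\d+)", body)}
    report = []
    for name, body in stanzas.items():
        if "switchport mode trunk" not in body:
            continue
        m = re.search(r"switchport trunk native vlan (\d+)", body)
        native = int(m.group(1)) if m else 1  # IOS default native VLAN is 1
        findings = []
        if native == 1:
            findings.append("default-native-vlan-1")      # VLAN 1 frames cross untagged
        if native in access_vlans:
            findings.append("native-vlan-carries-users")  # user VLAN rides untagged
        if not tag_native:
            findings.append("no-global-tag-native")       # native VLAN never tagged
        report.append((name, native, findings))
    return report
```

Run it against the output of show running-config to see which trunks still need the unused native VLAN and the global tag-native setting.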
SharkDiver Member Posts: 844
itdaddy,
I read the Exam Cram book for the CCNA Security exam. They really only mentioned it one time on page 424, but for some reason it stuck with me.
I think either the Boson ExSim-Max or the Transcender practice exams had several questions about what to do to mitigate VLAN hopping, but I don't remember which.
cisco_trooper Member Posts: 1,441
Page 536, Implementing Cisco IOS Network Security (IINS): (CCNA Security exam 640-553) (Authorized Self-Study Guide), ISBN 1-58705-815-4