What are dummy VLANs for, like this 4094?

itdaddy Member Posts: 2,089
s3(config)#int gi0/23
s3(config-if)#switchport trunk encapsulation dot1q
s3(config-if)#switchport trunk allowed vlan all
s3(config-if)#switchport mode trunk
s3(config-if)#switchport trunk native vlan 4094


The previous engineer did this on the trunk link that is connected to the
ASA 5510, which has only one connection to it and of course has VLANs that traverse it.
But what would you use this dummy VLAN for?

Comments

    SharkDiver Member Posts: 844
    The CCNA Security material tells you to make the native VLAN the number of an unused VLAN so that all frames are tagged going across the Dot1Q trunk. This is to help avoid VLAN hopping.

    So it could be for security reasons.
    nel Member Posts: 2,859
    Yeah, I've seen places change it from the default for security, in a bank I worked in.
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking
    itdaddy Member Posts: 2,089
    What CCNA Security material did you read? Haha, I never read that unless I was sleeping ;)
    Thanks very much...
    Interesting, but SharkDiver, yep, that is what the description of it says: all VLANs are tagged, it says.
    Thanks for the help ;)

    http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/

    Very cool article about the testing of this. Now I get it, wow, now I see, thanks.

    Quoted from the article: "Still, an engineer might wish to enable the vlan dot1q tag native feature on platforms which support it. This forces the tagging of all traffic traversing 802.1Q trunk links, including that belonging to the native VLAN. Note that it is important that this feature be enabled on both ends of a trunk."


    Just like you said, SharkDiver, you were dead on! Wow, thanks!
    SharkDiver Member Posts: 844
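The two mitigations discussed in this thread, a dedicated unused native VLAN (SharkDiver's point) and the global vlan dot1q tag native command (from the quoted packetlife article), are both things you can check for mechanically in a saved running-config. The following audit script is an added example, not something posted in the thread or shipped by Cisco; the config text inside it is constructed for illustration and the interface names, VLAN numbers and function names are assumptions. It parses the interface blocks, finds trunk ports, reports any trunk whose native VLAN is still the IOS default of 1 or is shared with access ports, and notes when vlan dot1q tag native is absent.

```python
import re
from collections import defaultdict

# Constructed sample running-config excerpt (hypothetical; not the poster's switch).
SAMPLE_CONFIG = """\
!
vlan 10
 name users
vlan 20
 name servers
vlan 4094
 name trunk-native-dummy
!
interface GigabitEthernet0/23
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan all
 switchport mode trunk
 switchport trunk native vlan 4094
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
!
"""


def parse_interfaces(config):
    """Return {interface_name: [indented sub-commands]} from IOS-style config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def audit_native_vlans(config):
    """Flag trunks with a default or shared native VLAN; report global tag-native state.

    Returns a list of (interface, native_vlan, message) tuples; the global
    'vlan dot1q tag native' check is reported under the pseudo-interface 'global'.
    """
    interfaces = parse_interfaces(config)
    tag_native = any(l.strip() == "vlan dot1q tag native" for l in config.splitlines())

    access_vlans = defaultdict(list)  # vlan id -> access ports using it
    trunks = {}                       # trunk port -> native vlan id
    for name, cmds in interfaces.items():
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        if mode == "trunk":
            native = 1  # IOS default native VLAN when none is configured
            for c in cmds:
                m = re.match(r"switchport trunk native vlan (\d+)$", c)
                if m:
                    native = int(m.group(1))
            trunks[name] = native
        elif mode == "access":
            vid = 1  # IOS default access VLAN
            for c in cmds:
                m = re.match(r"switchport access vlan (\d+)$", c)
                if m:
                    vid = int(m.group(1))
            access_vlans[vid].append(name)

    findings = []
    for name, native in sorted(trunks.items()):
        if native == 1:
            findings.append((name, native, "native VLAN left at default 1"))
        elif native in access_vlans:
            ports = ", ".join(access_vlans[native])
            findings.append((name, native, "native VLAN also carries access ports: " + ports))
        else:
            findings.append((name, native, "ok: native VLAN is a dedicated unused VLAN"))
    if not tag_native:
        findings.append(("global", None,
                         "'vlan dot1q tag native' not configured; native VLAN frames cross the trunk untagged"))
    return findings


if __name__ == "__main__":
    for iface, vid, msg in audit_native_vlans(SAMPLE_CONFIG):
        print(f"{iface:22} native={vid!s:5} {msg}")
```

On the constructed config the script marks Gi0/23 (native 4094, the dummy VLAN from the original post) as fine, flags Gi0/24 for still using VLAN 1, and notes the missing global tag-native command. Re-running it on a config that adds vlan dot1q tag native makes the global finding disappear, which is the check you would repeat on both ends of the trunk, since the article stresses the feature must match on both sides.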
    itdaddy,

    I read the Exam Cram book for the CCNA Security exam. They really only mentioned it one time on page 424, but for some reason it stuck with me.

    I think either the Boson ExSim-Max or the Transcender practice exams had several questions about what to do to mitigate VLAN hopping, but I don't remember which.
    cisco_trooper Member Posts: 1,441
    Page 536, Implementing Cisco IOS Network Security (IINS): (CCNA Security exam 640-553) (Authorized Self-Study Guide), ISBN 1-58705-815-4