Switch Security Question
Posted by gojericho0 (Member Posts: 1,059) in CCNP
If all access-ports are off VLAN1, would that eliminate any security issue of having VLAN1 as the native vlan on a trunk link?
Comments
joshgibson82 (Member Posts: 80):
If all ports are on VLAN 1, why do you need a trunk?
Josh, CCNP CWNA
kryolla (Member Posts: 785):
What security issue are you trying to avoid?
Studying for CCIE and drinking Home Brew
gojericho0 (Member Posts: 1,059):
Mainly VLAN hopping, but I wasn't sure if leaving the native VLAN as the default would cause any other vulnerabilities.
kryolla (Member Posts: 785):
Check out Cisco SAFE.
You can change all the access ports from the default VLAN, or just prune VLAN 1 from all your trunk links, and you can use switchport host for all your access ports and turn off DTP. There are 2 ways of mitigating VLAN hopping: make sure your access ports don't form a trunk, and the data VLAN is not the native VLAN for trunk links or tagged links.
SAFE - Cisco Systems
Studying for CCIE and drinking Home Brew
gojericho0 (Member Posts: 1,059):
Cool, thanks. Never heard of switchport host to turn off DTP, but does switchport mode access do the same thing?
kryolla (Member Posts: 785):
It puts the port in access mode, PortFast, and disables channel group.
Studying for CCIE and drinking Home Brew
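A defender's audit of the mitigations kryolla lists, written as an added example that is not part of this thread: it parses a constructed IOS running-config excerpt and flags access ports left on VLAN 1, trunks whose native VLAN is still 1 or that still carry VLAN 1, and any port without switchport nonegotiate (which, per the last reply, switchport host does not add on its own). Interface names, VLAN numbers and the function names are assumptions; VLAN ranges such as 10-20 in an allowed list are not expanded.

```python
# Constructed sample IOS running-config (not from the thread): weak ports, then hardened ones.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet1/0/24
 switchport mode trunk
interface GigabitEthernet1/0/23
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
 switchport mode trunk
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def value_of(lines, prefix, default=None):
    # Last word of the first line starting with prefix, else default.
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def audit_vlan_hopping(config):
    """Return {interface: [findings]} for the VLAN-hopping weaknesses discussed above."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = value_of(lines, "switchport mode ")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP not disabled (no 'switchport nonegotiate')")
        if mode == "access" and value_of(lines, "switchport access vlan ") is None:
            issues.append("access port left on default VLAN 1")
        if mode == "trunk":
            if value_of(lines, "switchport trunk native vlan ", "1") == "1":
                issues.append("native VLAN is 1: untagged frames land in VLAN 1")
            allowed = value_of(lines, "switchport trunk allowed vlan ", "all")
            if allowed == "all" or "1" in allowed.split(","):  # ranges not expanded
                issues.append("VLAN 1 not pruned from trunk")
        if issues:
            findings[name] = issues
    return findings
```

Run it against a real `show running-config` dump to list the ports that still need the access-VLAN, native-VLAN, pruning or nonegotiate changes from the thread.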