use other vlan to avoid double tagging?

poguy Member Posts: 91
I don't get how using another native VLAN can avoid double tagging.
Is it because the native VLAN is always 1, so the hacker can tag VLAN 1 at the beginning?
Does doing this: switchport trunk native vlan 400, make it harder for the hacker to guess the native VLAN number?

Comments

  • dynamik Banned Posts: 12,312
    No, they recommend creating a VLAN with no ports and assigning the native VLAN to that, so it never has to switch any user traffic.
  • keenon Member Posts: 1,922
    You also should set the port mode, as by default, depending on the switch model, it's either desirable or auto. Either way it wants to be a trunk, so setting it to access tells the switch port not to expect a tagged packet; if it does, it will drop it.
    Become the stainless steel sharp knife in a drawer full of rusty spoons
  • bmwagner Member Posts: 15
    In 802.1Q the native VLAN is not tagged.
  • Morty3 Member Posts: 139
    +1.

    Native VLAN is what VLAN the switch should see untagged frames as a member of. So, "normal frames" that pass a trunk are seen as a member of a VLAN as well (duh), and because we don't like this from a security point of view, we create some random VLAN and tell the switch "untagged traffic is VLAN 234". Then no untagged frames will be sent around, since there are no VLAN 234 ports.
    CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff.
  • poguy Member Posts: 91
    dynamik wrote: »
    No, they recommend creating a VLAN with no ports and assigning the native VLAN to that, so it never has to switch any user traffic.

    But even if they switch the native VLAN, the inner tag is still visible and would switch the packet to the target VLAN, isn't it?

    Thank you
  • dynamik Banned Posts: 12,312
    The whole point of doing that is that no one would be using the native VLAN, so that wouldn't happen.
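The three recommendations in this thread (dynamik: put the native VLAN on a VLAN with no ports; keenon: set the port mode explicitly instead of leaving it to auto/desirable; Morty3: untagged frames then land in a VLAN nobody is a member of) can be checked mechanically against a running-config. The following is an added example, not code from any poster in the thread; it parses an IOS-style config and flags trunks that still use native VLAN 1, trunks whose native VLAN also carries access ports, and ports with no explicit `switchport mode`. The two configs are constructed for the example: the weak one is the out-of-the-box state the original poster asked about, the hardened one applies `switchport trunk native vlan 400` with VLAN 400 holding no ports.

```python
import re
from collections import defaultdict

# Constructed sample: trunk left on the default native VLAN 1, user port
# with no explicit mode (so DTP may negotiate it into a trunk).
WEAK_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description user port
 switchport access vlan 10
!
"""

# Constructed sample: native VLAN moved to an unused VLAN (as the thread
# recommends) and every port given an explicit mode.
HARDENED_CONFIG = """\
vlan 400
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport mode trunk
!
interface GigabitEthernet0/2
 description user port
 switchport access vlan 10
 switchport mode access
!
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-command lines]} from an IOS-style config."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a non-interface block ends the section
    return interfaces


def audit(config):
    """Return a list of (interface, finding) tuples describing double-tagging exposure."""
    interfaces = parse_interfaces(config)
    findings = []

    # First pass: which VLANs have access ports assigned to them.
    access_vlans = defaultdict(list)
    for name, lines in interfaces.items():
        for line in lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                access_vlans[int(m.group(1))].append(name)

    # Second pass: evaluate each port.
    for name, lines in interfaces.items():
        mode = None
        native = 1  # IOS default when 'switchport trunk native vlan' is absent
        for line in lines:
            m = re.match(r"switchport mode (\w+)$", line)
            if m:
                mode = m.group(1)
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))

        if mode is None:
            findings.append((name, "no explicit switchport mode; port may negotiate a trunk"))
        if mode == "trunk":
            if native == 1:
                findings.append((name, "trunk uses default native VLAN 1"))
            if native in access_vlans:
                findings.append((name, "native VLAN %d also carries access ports %s"
                                 % (native, access_vlans[native])))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

The hardened config produces no findings; the weak one reports the trunk on native VLAN 1 and the user port with no explicit mode. The third check (native VLAN shared with access ports) is what turns "pick another native VLAN" into "pick one nobody uses", which is the distinction dynamik's last reply is making.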