the logic behind native VLAN

Based on haseeb, Leon van Dongen, Pete Templin, tool shed, milo_az, and jitendra's discussion at routerie.com

What is the native VLAN, what is its purpose, and why do we need it?

1. VLAN 1 is the native VLAN by default (on Cisco switches).

2. All ports belong to VLAN 1 by default.

3. If the native VLAN is changed from the default, the same change should be made on both ends of every trunk, on all switches.

If a trunk fails to come up or is misconfigured, ports that end up in the same [native] VLAN can still communicate with each other, because they share the same VLAN ID.

If switch1 thinks VLAN 1 is native and switch2 thinks VLAN 2 is native, untagged frames leaving switch1 in VLAN 1 arrive in VLAN 2 on switch2 (and the reverse), so neither VLAN actually passes properly between the switches, and Bad Things will happen.

4. There are two trunking formats, Cisco's ISL (Inter-Switch Link) and IEEE 802.1Q.
ISL encapsulates the whole frame inside a new header (plus a trailer).
802.1Q tags frames by inserting a 4-byte tag into the frame header; the tag carries both the 802.1Q VLAN ID and the 802.1p priority bits.

5. Only 802.1Q uses tagging.
Frames that originated in the native VLAN traverse 802.1Q trunks without being tagged.
The native VLAN is used for untagged traffic, and those frames are NOT modified {dot1q specific}.
It's just the way 802.1Q implemented it: you can always have one VLAN that is not tagged, and if you receive untagged traffic on a trunk you know which VLAN it belongs to.

6. It's mainly for security reasons.
We use a VLAN on our trunks that is for that purpose only (the native VLAN for trunks). No clients, devices or layer 3. If for some reason a device transmits, or a spoofed packet is sent, that is not tagged, it basically puts it into a VLAN that doesn't go anywhere.

I could have sworn that only one of the two technologies actually sent the frames untagged, but again I need to study.

Good network design:
1: Never use VLAN 1 for production traffic; leave it alone for L2 management internals.
2: Set an unused VLAN as your native VLAN, so untagged packets are "in jail".
3: Might also want to set a default access VLAN, so ports not actually assigned to a production VLAN are in a separate "jail".

One prime function of the native VLAN shows up in VLAN hopping, where the attacker injects traffic into another VLAN, either by negotiating its port into a trunk (obviously talking DTP with the switch)
or by crafting double-tagged frames (the outer tag carrying the VLAN ID that the trunk treats as native, so the first switch strips it and forwards the frame untagged with the inner tag still in place). The first case is bi-directional communication; the second is uni-directional, because the attacker can only push frames into the target VLAN and any replies come back in the victim's VLAN, not the attacker's. The best solution to both problems:

a) Disable DTP, or enable it only where necessary.

b) Use an exclusive, unused native VLAN for each trunk.
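The untagged handling from item 5 and the double-tagging case just described, as an added Python example that is not part of the routerie.com discussion: it models two switches joined by an 802.1Q trunk, with the attacker on an access port of the first switch. The frame builder, the two-switch topology, the MAC addresses and the VLAN numbers (1, 20, 999) are constructed for the example; the tag layout follows 802.1Q (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID). The assumed switch behaviour is: an access port accepts a frame tagged with its own access VLAN and strips that tag, a trunk sends the native VLAN untagged and tags everything else, and a trunk classifies untagged received frames into its native VLAN.

```python
import struct
from dataclasses import dataclass

TPID = 0x8100                            # 802.1Q tag protocol identifier
MAC_A = bytes.fromhex("02aaaaaaaaaa")    # constructed attacker MAC
MAC_V = bytes.fromhex("02bbbbbbbbbb")    # constructed victim MAC


def build_frame(vlans, payload=b"payload"):
    """Ethernet frame with zero or more stacked 802.1Q tags; vlans[0] is outermost."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vlans)
    return MAC_V + MAC_A + tags + struct.pack("!H", 0x0800) + payload


def outer_vlan(frame):
    """VLAN ID of the outermost tag, or None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_tag(frame):
    """Remove the outermost 4-byte tag (an inner tag, if any, becomes outermost)."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert a tag for vid directly after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


@dataclass
class Switch:
    access_vlan: int   # VLAN of the attacker-facing access port
    native: int        # native VLAN of the trunk to the other switch

    def access_ingress(self, frame):
        """Access port: untagged frames join access_vlan; a frame tagged with
        access_vlan is accepted with that tag removed (modelled assumption);
        anything else is dropped. Returns (vlan, frame) or (None, None)."""
        vid = outer_vlan(frame)
        if vid is None:
            return self.access_vlan, frame
        if vid == self.access_vlan:
            return self.access_vlan, strip_tag(frame)
        return None, None

    def trunk_egress(self, vlan, frame):
        """802.1Q trunk: the native VLAN leaves untagged, everything else tagged."""
        return frame if vlan == self.native else push_tag(frame, vlan)

    def trunk_ingress(self, frame):
        """802.1Q trunk: untagged frames belong to the native VLAN; tagged frames
        are classified by their outer tag, which is then removed."""
        vid = outer_vlan(frame)
        if vid is None:
            return self.native, frame
        return vid, strip_tag(frame)


def deliver(sw1, sw2, frame):
    """Carry a frame from the attacker's access port on sw1 over the trunk to sw2.
    Returns the VLAN sw2 places it in, or None if sw1 dropped it."""
    vlan, f = sw1.access_ingress(frame)
    if vlan is None:
        return None
    return sw2.trunk_ingress(sw1.trunk_egress(vlan, f))[0]


def vlan_hop_result(native_vlan, attacker_vlan=1, target_vlan=20):
    """VLAN reached on sw2 by a double-tagged frame: outer = attacker's VLAN,
    inner = target VLAN, with both trunk ends using native_vlan."""
    sw1 = Switch(access_vlan=attacker_vlan, native=native_vlan)
    sw2 = Switch(access_vlan=attacker_vlan, native=native_vlan)
    return deliver(sw1, sw2, build_frame([attacker_vlan, target_vlan]))


if __name__ == "__main__":
    # Default: VLAN 1 is both the attacker's access VLAN and the trunk's native VLAN,
    # so sw1 strips the outer tag, sends the frame untagged, and sw2 reads the inner tag.
    print("native=1   ->", vlan_hop_result(1))
    # Hardened: an unused VLAN 999 is native, so VLAN 1 leaves the trunk tagged and
    # the inner tag never becomes the outer one on sw2.
    print("native=999 ->", vlan_hop_result(999))
    # Item 5: an untagged frame arriving on a trunk lands in the native VLAN.
    print("untagged on trunk ->", Switch(1, 999).trunk_ingress(build_frame([]))[0])
```

With the default native VLAN 1 the double-tagged frame reaches VLAN 20 on the second switch; with native VLAN 999 it leaves the first switch tagged as VLAN 1 and stays there, which is what the "jail" native VLAN buys you. The simulation covers only the double-tag case. The DTP case is a negotiation rather than a frame format, and on Cisco IOS it is closed by putting user ports in "switchport mode access" with "switchport nonegotiate"; the native VLAN is moved with "switchport trunk native vlan 999" on both ends of the trunk.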
