Re: Why native vlan ?

From: Dwi C Taniel (dc@dwichandra.info)
Date: Fri Feb 23 2007 - 00:01:02 ART


Hi Andreson,

Yes, you can assign another VLAN as the native VLAN.
Bear in mind that the interconnected switches must have the same
native VLAN in order to pass the VTP messages.

In my past experience, I *MUST* change the native VLAN to another vlan
number for security reasons (this is also found in several website
references, including Cisco).

Why do we have to change native VLAN from VLAN1 to secure the network?
(or: "Why do we have to change native VLAN from VLAN1 to reduce
network security exposure?", to be precise)
This is mainly to reduce the possibility of one alien plugging into
your network with VLAN-capable network card (be it dot1q or ISL
encapsulation like Intel NIC).
Thus, by using other than VLAN1 as native vlan, the 'alien' must put
extra effort to find out what is the native VLAN.

Additionally, put also BPDU guard and force access port not to change
into trunk ports.

The way I secured various networks (with limited to no network
security knowledge in the past) was: make the entity that would like
to break into your network give up because too many efforts are in place. It
turned out that those simple 'tricks' already exhaust them and they
hike off ;)

Hope it helps.

DC

========
http://www.dwichandra.info
dc@dwichandra.info
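As an added example that is not part of any post in this thread, here is what the three recommendations above look like as Cisco IOS configuration on a 3550-class switch (the interface names and VLAN numbers 10, 20 and 999 are assumptions): the default-style trunk and auto-negotiating access port first, then the hardened form.

```cisco
! Added example, not from the original posts. Interface names and
! VLAN numbers are illustrative assumptions.
!
! --- Weak starting point -------------------------------------------
! Trunk whose native VLAN is left at the default (VLAN 1), and an
! access port that still runs DTP and can be negotiated into a trunk.
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! no "switchport trunk native vlan" line: native VLAN is 1
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
! --- Hardened version ---------------------------------------------
! A dedicated, otherwise unused VLAN becomes the native VLAN. It must
! be the same on BOTH ends of the trunk (CDP reports a mismatch).
vlan 999
 name UNUSED_NATIVE
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 switchport mode trunk
!
! Access port: fixed access mode, DTP off, BPDU guard so a switch (or
! a host sending BPDUs) plugged in here errdisables the port.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification from enable mode:
!   show interfaces trunk                      (native VLAN per trunk)
!   show interfaces FastEthernet0/1 switchport (mode and negotiation)
!   show spanning-tree interface FastEthernet0/1 detail
```

Check `show interfaces trunk` on both switches after the change; if the native VLAN differs on the two ends, untagged frames leak between VLANs rather than staying isolated.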

On 02/23/2007, Andreson Chris <cciestudy@hkbsd.com> wrote:

> Hi Loizos,
>
> Actually I have manually shut down VLAN1, and I feel
> confused about the native vlan. As I know, the native vlan is used to exchange vtp
> in case we peer with another vendor's switch (say nortel). But I just
> wonder, in case I am peering two cisco switches, should I assign another
> vlan as native vlan? And also, when I shut down vlan1 on both switches,
> which vlan will be used to exchange the vtp information other than native
> vlan?
>
> Rgds
> Chris.
>
> ----- Original Message ----- From: "Lou Ioanni" <louisccie_r_s@yahoo.com>
> To: "Andreson Chris" <cciestudy@hkbsd.com>; <ccielab@groupstudy.com>
> Sent: Friday, February 23, 2007 2:22 AM
> Subject: Re: Why native vlan ?
>
>
>> Chris,
>>
>> Is it a Layer 2 switch? Are you trying to create more than one
>> interface vlan? If yes, try to shut down the other interface vlan
>> and see if vlan 1 will come up (I assume you are working in a lab and
>> not in a production environment). Can you post your config here?
>>
>> Thanks,
>>
>> Loizos Y.
>> CCIE#10702 R & S
>>
>> Andreson Chris <cciestudy@hkbsd.com> wrote:
>> Hi Loizos,
>>
>> Both are 3550 cisco switch.
>>
>> Rgds
>> Chris
>>
>> ----- Original Message ----- From: "Lou Ioanni"
>> To: "Andreson Chris" ;
>> Sent: Friday, February 23, 2007 2:03 AM
>> Subject: Re: Why native vlan ?
>>
>>
>>> What kind of switches? Some models (L2...ex 3548XL) allow you to only have
>>> one interface vlan command. If you try for example to configure "interface
>>> vlan 10" then it will shut down the interface vlan 1 automatically.
>>>
>>> Thanks,
>>>
>>> Loizos Y.
>>> CCIE#10702 R & S
>>>
>>> Andreson Chris wrote:
>>> Hi GS,
>>>
>>> Sorry for my stupid question. I just want to know: if 2 switches are
>>> connected via a trunk on an ethernet channel, and both vlan1s are shut down,
>>> should I assign another vlan as the native vlan? What is the baseline for
>>> assigning the native vlan between 2 switches? (BTW both are cisco switches.)
>>>
>>> Thanks.
>>>
>>> Rgds
>>> Chris.
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>




This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:47 ART