Native VLAN: Features and Configuration
In this section we will try to cover the following questions:
- What is a native VLAN?
- What is the difference between a VLAN and the native VLAN?
- What are the features of the native VLAN?
- How do you configure a native VLAN?
- What is the best practice for configuring a native VLAN?
- How do you troubleshoot it?
When several switches carrying several VLANs are connected to each other, traffic leaving a switch over the inter-switch (trunk) link is tagged with its VLAN ID. If a switch receives a frame on such a link that carries no tag, it places that frame in the native VLAN: the native VLAN is the VLAN to which any untagged traffic on a trunk is assigned. This default behaviour can be changed by configuring the switch to tag native VLAN frames as well (on Cisco IOS this is the global command vlan dot1q tag native), after which untagged frames are no longer accepted on the trunk.
Features of Native VLAN:
- The default native VLAN is VLAN 1.
- It is not recommended to keep VLAN 1 as the native VLAN.
- The reason: if a frame is received on a dot1q link without a tag, it is assumed to belong to the native VLAN and is forwarded into that VLAN. VLAN 1 is also the VLAN every switch port belongs to by default, so leaving it as the native VLAN mixes untagged trunk traffic with the default user VLAN.
- Creating a dedicated VLAN and assigning it as the native VLAN improves the security of the network because the double-tagging form of VLAN hopping stops working: the attacker's access port is no longer in the native VLAN, so the outer tag of the attacker's frame is not stripped on the trunk.
- By default the connection between switches is formed with the 802.1Q (dot1q) or ISL trunking protocol, so:
- when traffic from VLAN 10 is transferred to another switch via the trunk link, a tag carrying the VLAN ID is added before the frame is sent onto the trunk. This is called frame tagging.
- Between switches, this method ensures that the receiving switch knows which VLAN each frame belongs to, and hence forwards the frame only to ports belonging to that VLAN.
- If a switch receives a frame from a hub, which does not understand the concept of VLANs, the frame arrives without a tag.
- A frame received on a trunk without a tag is assumed to belong to the native VLAN and is forwarded to the ports belonging to the native VLAN.
Figure: a hub does not understand the concept of VLANs, so it does not tag frames when forwarding them.
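To make the tagging rules above concrete, here is an added simulation (example code written for this page, not from the original post or from any switch vendor) of two switches joined by an 802.1Q trunk. It builds and parses real 802.1Q tag headers (TPID 0x8100) and models what the list describes: an untagged frame arriving on a trunk lands in the native VLAN, a frame from VLAN 10 is tagged before it crosses the trunk, and a double-tagged frame from an attacker whose access port sits in the native VLAN loses its outer tag on egress and is delivered into the target VLAN by the far switch. It then shows that either moving the native VLAN to an unused VLAN (111) or tagging native-VLAN frames defeats the hop. The MAC addresses, VLAN numbers, payload and the rule that an access port accepts a frame tagged with its own VLAN are assumptions of this model, not facts taken from the page.

```python
"""Simulated 802.1Q tagging across a trunk: native-VLAN handling and double-tag hopping.

Constructed example; MAC addresses, VLAN numbers and payloads are made up.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
DST = bytes.fromhex("ffffffffffff")   # broadcast destination (constructed)
SRC = bytes.fromhex("0200deadbeef")   # sending host / attacker MAC (constructed)


def build_frame(vlan_ids, ethertype=0x0800, payload=b"constructed payload"):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first (PCP=0, DEI=0)."""
    frame = DST + SRC
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, ethertype, payload) of an Ethernet frame."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def add_outer_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


@dataclass(frozen=True)
class Trunk:
    native_vlan: int
    allowed: frozenset
    tag_native: bool = False   # models the global 'vlan dot1q tag native' command


def access_ingress(frame, access_vlan):
    """Frame arriving on an access port (from a host or a hub).

    Untagged frames get the port's VLAN. The model also accepts a frame whose outer tag
    equals the access VLAN (a model assumption, and what double tagging relies on);
    any other tagged frame is dropped. Returns (vlan, frame as the switch now sees it).
    """
    vids, _, _ = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    return None, None


def trunk_egress(vlan, frame, trunk):
    """Send a frame belonging to `vlan` onto the trunk. The native VLAN leaves untagged
    unless tagging of the native VLAN is enabled."""
    if vlan not in trunk.allowed:
        return None
    if vlan == trunk.native_vlan and not trunk.tag_native:
        return frame
    return add_outer_tag(frame, vlan)


def trunk_ingress(frame, trunk):
    """Receive from the trunk: tagged -> that VLAN (outer tag removed); untagged -> native VLAN.
    With native tagging enabled, untagged frames are dropped (model assumption)."""
    vids, _, _ = parse_tags(frame)
    if vids:
        return (vids[0], strip_outer_tag(frame)) if vids[0] in trunk.allowed else (None, None)
    if trunk.tag_native:
        return None, None
    return trunk.native_vlan, frame


def deliver_over_trunk(frame, access_vlan, trunk):
    """Host on an access port of switch A -> trunk -> switch B.
    Returns the VLAN switch B assigns the frame to, or None if it was dropped."""
    vlan_a, inner = access_ingress(frame, access_vlan)
    if vlan_a is None:
        return None
    on_wire = trunk_egress(vlan_a, inner, trunk)
    if on_wire is None:
        return None
    return trunk_ingress(on_wire, trunk)[0]


def double_tag_attack(attacker_vlan, target_vlan, trunk):
    """Attacker sends outer tag = its own access VLAN, inner tag = the VLAN it wants to reach."""
    return deliver_over_trunk(build_frame([attacker_vlan, target_vlan]), attacker_vlan, trunk)


if __name__ == "__main__":
    allowed = frozenset({1, 10, 20, 111})
    weak = Trunk(native_vlan=1, allowed=allowed)
    unused_native = Trunk(native_vlan=111, allowed=allowed)
    tagged_native = Trunk(native_vlan=1, allowed=allowed, tag_native=True)
    print("hub on trunk, untagged  ->", trunk_ingress(build_frame([]), weak)[0])        # 1
    print("host in VLAN 10         ->", deliver_over_trunk(build_frame([]), 10, weak))  # 10
    print("double tag, native=1    ->", double_tag_attack(1, 20, weak))                 # 20 (hopped)
    print("double tag, native=111  ->", double_tag_attack(1, 20, unused_native))        # 1
    print("double tag, tag native  ->", double_tag_attack(1, 20, tagged_native))        # 1
```

The third line of output is the attack the page warns about: with VLAN 1 as native and the attacker in VLAN 1, the far switch reads the inner tag and delivers the frame into VLAN 20. Both mitigations keep the frame in VLAN 1, because the outer tag now stays on the wire and the inner tag is never looked at.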
Best Practice to Configure a Native VLAN:
The best way to configure the native VLAN is to create a new VLAN, assign it as the native VLAN on every trunk, and make sure no access port is placed in that VLAN. An attacker who attempts a VLAN hopping attack then lands in a VLAN with no ports and no hosts. The native VLAN must match on both ends of a trunk: when it does not, a Cisco switch logs a %CDP-4-NATIVE_VLAN_MISMATCH message, and that mismatch is the first thing to check when untagged traffic does not make it across a trunk.
Configuration
Sw(config)#vlan 111 ......................................... create VLAN 111 (the dedicated, unused native VLAN)
Sw(config-vlan)#exit
Sw(config)#interface fa 0/1 ................................ choose the trunk port (fa 0/1 here)
Sw(config-if)#switchport trunk encapsulation dot1q ......... encapsulation type (dot1q or isl); needed only on switches that also support ISL
Sw(config-if)#switchport mode trunk ........................ make the port a trunk link
Sw(config-if)#switchport trunk native vlan 111 ............. use VLAN 111 as the native VLAN on this trunk
Verification
Sw# show interfaces fa 0/1 switchport ....................... complete switchport information for fa 0/1, including the trunking native VLAN
Sw# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      111
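As an added example (written for this page, not part of the original post or of Cisco IOS), the following script audits the two show commands above against the best practice described: it parses constructed "show interfaces trunk" and "show vlan brief" output and reports every trunk that still uses VLAN 1 as its native VLAN, whose native VLAN does not exist in the VLAN database, or whose native VLAN has access ports assigned to it. The sample output, interface names and VLAN names are made up; the column layout follows IOS but is an assumption the parser relies on.

```python
"""Audit 'show interfaces trunk' and 'show vlan brief' output for native-VLAN hygiene.

Constructed example: the command output below is made up to look like IOS output;
interface names, VLAN numbers and VLAN names are invented.
"""
import re
from dataclasses import dataclass

SHOW_INTERFACES_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      111
Fa0/2       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094
Fa0/2       1-4094
"""

SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/7, Fa0/8,
                                                Fa0/9, Fa0/10
10   USERS                            active    Fa0/5, Fa0/6
111  NATIVE_UNUSED                    active
"""


@dataclass
class Finding:
    port: str
    code: str
    detail: str


def parse_trunks(text):
    """Return {port: native_vlan} from the first table of 'show interfaces trunk'.
    Only lines in the 'trunking' state carry a native VLAN column."""
    trunks = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+\S+\s+\S+\s+trunking\s+(\d+)\s*$", line)
        if m:
            trunks[m.group(1)] = int(m.group(2))
    return trunks


def _ports(s):
    return [p for p in re.split(r"[,\s]+", s.strip()) if p]


def parse_vlan_brief(text):
    """Return {vlan_id: [access ports]} from 'show vlan brief', following port lists
    that IOS wraps onto indented continuation lines."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = _ports(m.group(2))
        elif current is not None and line.startswith(" ") and line.strip():
            vlans[current].extend(_ports(line))
        else:
            current = None
    return vlans


def audit_native_vlan(trunk_output, vlan_brief_output):
    """Apply the page's best practice: native VLAN is not VLAN 1, exists, and has no ports."""
    trunks = parse_trunks(trunk_output)
    vlans = parse_vlan_brief(vlan_brief_output)
    findings = []
    for port, native in sorted(trunks.items()):
        if native == 1:
            findings.append(Finding(port, "default-native",
                                    "trunk still uses VLAN 1 as its native VLAN"))
        if native not in vlans:
            findings.append(Finding(port, "native-not-defined",
                                    f"native VLAN {native} does not exist in the VLAN database"))
        elif vlans[native]:
            findings.append(Finding(port, "native-has-ports",
                                    f"native VLAN {native} has access ports: {', '.join(vlans[native])}"))
    return findings


if __name__ == "__main__":
    for f in audit_native_vlan(SHOW_INTERFACES_TRUNK, SHOW_VLAN_BRIEF):
        print(f"{f.port}: [{f.code}] {f.detail}")
```

In the constructed output, Fa0/1 passes (native VLAN 111 exists and has no ports) while Fa0/2 is reported twice: it still uses VLAN 1, and VLAN 1 has six access ports, which is exactly the combination that makes a double-tagging attempt from one of those ports work. Running the same two commands on the far-end switch and comparing the native VLAN column is the matching check for the CDP mismatch warning mentioned above.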