Wired Intelligent Edge

  • 1.  Tagged Native VLAN on a CX Switch

    Posted Jun 30, 2023 03:20 PM

    I am trying to determine which of the configurations would be best from a security standpoint:

    Option 1

    interface 1/1/1
        no shutdown
        vlan trunk native 1
        vlan trunk allowed 72,80-85
        exit

    Option 2

    interface 1/1/1
        no shutdown
        vlan trunk native 72 tag
        vlan trunk allowed 72,80-85
        exit

    From my Cisco days, I was always advised to disable VLAN 1 and create another VLAN. With the AOS switch series you have the option of not having untagged ports on a trunk, but with the CX line, a trunk/lag must have a native VLAN. So if I don't want the untagged traffic hopping on the trunk/lag, is Option B the better one since it would be dropped (to my understanding)?

    I am open to all suggestions and other possible options... and maybe I am out in left field on this one, hence the reason for posting.

    Thanks in advance!

    Ref: vlan trunk native tag (excerpt from the Arubanetworks documentation)

    vlan trunk native tag
    no vlan trunk native tag

    Description: Enables tagging on a native VLAN. Only incoming packets that are tagged with the matching VLAN ID are accepted. Incoming packets that are untagged are dropped except for BPDUs. Egress packets are tagged. The no form of this command removes tagging on a native VLAN.



  • 2.  RE: Tagged Native VLAN on a CX Switch

    Posted Jul 03, 2023 04:52 AM

    Personally I prefer the latter (your Option 2): by tagging the Native VLAN id of an interface operating in "Trunk Mode" you are mitigating the VLAN hopping security exploit (dual tagging technique); de-facto you are forcing the only one untagged VLAN id of that interface (to me Native VLAN Id = Port VLAN Id = Untagged VLAN Id) to be tagged and so leaving that very interface carrying only tagged VLAN Id(s).




  • 3.  RE: Tagged Native VLAN on a CX Switch

    Posted Dec 10, 2023 05:14 AM

    Is it not the case that in Option 1, VLAN 1 will not bounce around :), as it is not included in the permitted/allowed VLAN list?

    Meaning «vlan trunk native 1» is only showing up in the configuration without any function?



    ------------------------------
    Steinar
    ------------------------------



  • 4.  RE: Tagged Native VLAN on a CX Switch

    Posted Dec 10, 2023 06:55 AM

    Technically speaking, in the trunk's allowed list, the default native VLAN 1 (if the VLAN 1 was left as the interface's default native VLAN, thus untagged) could be omitted (read: you should not be forced to explicitly include it along with all the other tagged VLAN Ids you want to allow); otherwise, if the native VLAN was changed with respect to Id 1 (selecting another native by untagging another Id or by tagging it with the counter-intuitive "native tag" option), you should explicitly include it in the allowed list...to be honest I personally tend to always include it to be on the safe side...no matter what native is going to be associated with the interface (default native, another native or another native tagged).

    AFAIK...the Option 2 IMHO is to be preferred with respect to Option 1: it is safe to permit only tagged traffic to pass on an interface (in the egress/ingress directions).

    Using a non-default native (another native) tagged (and thus de-facto excluding the default native VLAN 1) plus allowing it explicitly (necessarily) along with all other tagged VLAN Ids you require to pass on that interface...would be the best practice to follow. Clearly YMMV...





  • 5.  RE: Tagged Native VLAN on a CX Switch

    Posted Dec 11, 2023 03:36 AM

    I can confirm putting a native VLAN that doesn't appear in the allowed list works. Example below shows no MAC addresses on vlan1 as verification (with same config at both ends). So given most people consider allowing vlan1 to be a bad security move, that configuration would seem appropriate. On Comware you can explicitly remove vlan1 from config which is cleaner but on the CX this is the closest you can get.

    Aggregate lag14 is up
     Admin state is up
     Description : cb1st1
     MAC Address                 : 88:25:10:e6:37:80
     Aggregated-interfaces       : 1/1/4
     Aggregation-key             : 14
     Aggregate mode              : active
     Speed                       : 10000 Mb/s
     qos trust none
     VLAN Mode: native-untagged
     Native VLAN: 1
     Allowed VLAN List: 5,42,52,66,130,180,400
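    As an added illustration (not part of the thread and not an Aruba tool), the following Python script audits AOS-CX trunk interface blocks against the points raised in replies 2 and 4: whether the native VLAN is tagged with "native tag" (so untagged ingress is dropped, per the documentation excerpt in the question), whether it is still the default VLAN 1, and whether it appears in the allowed list. The sample configuration is constructed from Option 1 and Option 2 plus a hypothetical third interface; the interface names and the audit wording are assumptions.

```python
# Constructed sample: Option 1 and Option 2 from the question plus a hypothetical
# third interface with an untagged, non-default native VLAN missing from the allowed list.
SAMPLE_CONFIG = """\
interface 1/1/1
    no shutdown
    vlan trunk native 1
    vlan trunk allowed 72,80-85
    exit
interface 1/1/2
    no shutdown
    vlan trunk native 72 tag
    vlan trunk allowed 72,80-85
    exit
interface 1/1/3
    no shutdown
    vlan trunk native 72
    vlan trunk allowed 80-85
    exit
"""

def expand_vlan_list(spec):
    """Expand an AOS-CX VLAN list such as '72,80-85' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Return {interface: {'native', 'tagged', 'allowed'}} for every interface with 'vlan trunk' lines."""
    trunks, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # AOS-CX defaults: native VLAN 1, untagged (assumption stated in the thread)
            trunks[current] = {"native": 1, "tagged": False, "allowed": set(), "trunk": False}
        elif current and line.startswith("vlan trunk native "):
            words = line.split()
            trunks[current].update(native=int(words[3]), tagged=len(words) > 4 and words[4] == "tag", trunk=True)
        elif current and line.startswith("vlan trunk allowed "):
            trunks[current].update(allowed=expand_vlan_list(line.split(None, 3)[3]), trunk=True)
    return {name: t for name, t in trunks.items() if t["trunk"]}

def audit_trunk(t):
    """One finding per recommendation from the thread that the trunk does not follow."""
    findings = []
    if not t["tagged"]:
        findings.append("native VLAN untagged: untagged ingress is accepted ('native tag' would drop it)")
    if t["native"] == 1:
        findings.append("native VLAN is the default VLAN 1")
    if t["native"] not in t["allowed"]:
        findings.append("native VLAN %d is not in the allowed list" % t["native"])
    return findings
```

    Running `audit_trunk` over `parse_trunks(SAMPLE_CONFIG)` reports three findings for Option 1, none for Option 2, and two for the hypothetical third interface.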