
Cisco Trunks, Native VLANs, Nonegotiate and Security Best Practices

This week I'm taking a Global Knowledge course called Implementing Cisco Switched Networks to prepare for the CCNP SWITCH exam. The class has been pretty good after day 1, with a lot of refreshers on VLANs, private VLANs, trunks, and EtherChannel/LACP.

 

In a vSphere environment, setting up network trunks is very important. A trunk is what allows multiple VLANs to traverse the same wire, and it's fairly easy to set up. In most of my configurations I never worried about setting the native VLAN, because 99% of the time it works without setting it. That's where I found out I've been making a big mistake all along.

 

When you set up a trunk link and do not add the native VLAN command to the configuration, the switch silently uses VLAN 1 as the native VLAN. This is a concern for several reasons, not least because Cisco control-plane protocols such as VLAN Trunking Protocol (VTP), CDP and DTP travel on VLAN 1. A related best practice is to put VTP into transparent mode during initial configuration, because switches ship in server mode, and a server-mode switch with a higher configuration revision number can overwrite the VLAN database of every other switch in the domain. VTP can ruin your day if you're not paying attention.

A common VTP config should look like this:

{codecitation style="brush: Bash/shell;"}
vtp mode transparent
vtp domain cisco
vtp password cisco
! X,Y,Z are all of your VLAN numbers
vlan X,Y,Z
{/codecitation}

 

When you configure trunk links, set aside an UNUSED VLAN as the native VLAN. For instance, use VLAN 99 as the native VLAN, but never allow any machine to be connected to VLAN 99. This is a best practice. **UPDATE** After reading Steve Bryen's post below, he makes a great point. I believe that the argument should be that the best practice is setting the native VLAN to anything other than VLAN 1. The native VLAN matters because its frames cross the trunk untagged, so a VLAN that hosts actually sit on, or VLAN 1 with its control-plane traffic, should never be the native VLAN.

 

In addition to setting a native VLAN on trunk links, you should also disable trunk negotiation. Dynamic Trunking Protocol (DTP) is useful when the device on the opposite side of a link may change over time, but it is also a security issue: an attacker who connects to a port left in a dynamic mode can speak DTP, negotiate the link up as a trunk, and then see traffic from every VLAN the trunk carries. Disabling DTP puts the trunk into a stable, statically defined state, and it also accelerates convergence time by saving up to two seconds during switch reboots.

 

Another security best practice is to allow only the VLANs that need to communicate across the trunk link. Without the command switchport trunk allowed vlan X,Y,Z, a trunk carries ALL VLANs. Restricting the VLAN list cuts down both the security exposure and the amount of traffic that can cross those paths.

 

Here are the proper steps to configuring a Cisco trunk link:

  • Configure the VLANs, including the one reserved as the native VLAN
  • Configure trunk mode
  • Disable trunk negotiation (DTP)
  • Manually remove unnecessary VLANs from the trunk
  • Configure the native VLAN to an unused VLAN
  • If a port is not a trunk, disable trunking on it with the command switchport mode access

 


{codecitation style="brush: Bash/shell;"}
! Create the data VLANs plus the dedicated, unused native VLAN
switch(config)# vlan 5,7-9,99
switch(config-vlan)# vlan 99
switch(config-vlan)# name NATIVE-VLAN
switch(config-vlan)# exit
! Take the port down while it is being reconfigured
switch(config)# interface Gi0/1
switch(config-if)# shutdown
! encapsulation dot1q is only needed (and only accepted) on platforms that also support ISL
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
! DTP can only be disabled once the port is statically trunk or access;
! the command is "switchport nonegotiate", not "switchport trunk nonegotiate"
switch(config-if)# switchport nonegotiate
switch(config-if)# switchport trunk native vlan 99
switch(config-if)# switchport trunk allowed vlan 5,7-9,99
switch(config-if)# no shutdown
{/codecitation}
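As an added example that is not part of the original post, here is a small Python script that audits a Cisco IOS running-config for the points covered above: the VTP mode from the VTP section, and for each port the trunk mode, DTP (switchport nonegotiate), native VLAN and allowed-VLAN list from the trunk steps. It runs over two constructed config fragments, a weak one left at factory defaults and a hardened one built from the steps above; both fragments, the interface names and the VLAN numbers in them are made up for the example and are not from any real switch.

```python
"""Audit a Cisco IOS running-config for trunk and VTP hardening gaps.

Added example for the post above, not code from the original. Standard
library only; the two configs below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed sample: a switch left mostly at defaults. Gi0/1 trunks with
# native VLAN 1, DTP on and all VLANs allowed; Gi0/2 was never given a mode,
# so it sits in the default dynamic state and will trunk if a neighbour asks.
WEAK_CONFIG = """\
!
vtp mode server
vtp domain cisco
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to vSphere host
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 5
!
"""

# The same switch after applying the steps from the post (also constructed).
# "switchport nonegotiate" is accepted in access mode too, so it is set on Gi0/3.
HARDENED_CONFIG = """\
!
vtp mode transparent
vtp domain cisco
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 5,7-9,99
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport trunk native vlan 99
 switchport trunk allowed vlan 5,7-9,99
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 5
 switchport nonegotiate
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config text into global commands and per-interface commands.

    Relies only on IOS indenting interface sub-commands by one space and
    separating sections with '!' lines.
    """
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # section separator
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def _value(cmds: List[str], prefix: str, default: str) -> str:
    """Argument of the first command starting with prefix, or default if absent."""
    for cmd in cmds:
        if cmd.startswith(prefix):
            return cmd[len(prefix):].strip()
    return default


def audit_config(text: str) -> List[str]:
    """Return one human-readable finding per hardening gap (empty list = clean)."""
    findings: List[str] = []
    global_cmds, interfaces = parse_config(text)

    # Catalyst switches ship in VTP server mode; the post recommends transparent.
    if _value(global_cmds, "vtp mode", "server") == "server":
        findings.append("global: VTP mode is server (the default); set 'vtp mode transparent'")

    for name, cmds in interfaces.items():
        mode = _value(cmds, "switchport mode", "dynamic (default)")
        if mode.startswith("dynamic"):
            # No static mode: DTP may negotiate a trunk with whatever is plugged in.
            findings.append(f"{name}: mode is '{mode}'; set 'switchport mode trunk' or 'switchport mode access'")
            continue
        if mode == "trunk":
            if _value(cmds, "switchport trunk native vlan", "1") == "1":
                findings.append(f"{name}: native VLAN is 1 (the default); move it to an unused VLAN")
            if _value(cmds, "switchport trunk allowed vlan", "all") == "all":
                findings.append(f"{name}: all VLANs allowed on trunk; prune with 'switchport trunk allowed vlan'")
        if "switchport nonegotiate" not in cmds:
            findings.append(f"{name}: DTP not disabled; add 'switchport nonegotiate'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" ", finding)
```

To run it against a real switch, save the output of show running-config to a file and pass its contents to audit_config. The weak config produces six findings (VTP server mode, native VLAN 1, unpruned trunk and DTP on Gi0/1, the dynamic default on Gi0/2, and DTP on the access port Gi0/3); the hardened config produces none.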
