[CentOS] VLAN issue

SilverTip257

silvertip257 at gmail.com
Tue Jan 27 15:13:19 UTC 2015


On Mon, Jan 26, 2015 at 3:50 PM, Gordon Messmer <gordon.messmer at gmail.com>
wrote:

> On 01/25/2015 04:20 PM, Boris Epstein wrote:
>
>> I have resolved this, finally. The problem was that I configured VLAN 48
>> as the native VLAN on the trunk port. That was a mistake as apparently
>> the native VLAN is the one where Cisco does not bother to tag packets.
>>
>
> That's not a mistake, per se.  Having vlan 48 as the native vlan just
> means that you'd want 192.168.48.100 on eth0 instead of eth0.48.


+1

If it were me, I'd opt for setting the native vlan to 48 for that port.
It's simpler and avoids having vlan1 to deal with.


>
>> For now I set the native VLAN to VLAN 1 and that works.
>
> As long as you aren't concerned about the security implications of that
> host having access to vlan 1, that seems pretty reasonable.  The system
> will get some extra broadcast traffic, but the ethernet card will probably
> filter those out so that they don't have to be processed.


Boris could just set which VLANs are allowed on the trunk port to his server:
just allow VLANs 48, 49, and 50 and no others.

! by default your switch trunks on vlan 1 to 4094
! now to allow it only on the three vlans you specifically specified (48,49,50)
! (enter config mode and select the trunk port to the server first)
configure terminal
interface Gi1/0/3
switchport trunk allowed vlan remove 1-47,51-4094
! if you chose to tell it not to trunk any vlans, you'd disconnect your telnet/ssh
! session as well as cause a service outage ... so don't do that!
!
! also realize that Cisco smuggles some data via VLAN1 [0], so there still
! will likely be traffic on VLAN1
!
end
! now that port should not be trunking on ALL vlans ... just 48,49,50
show int Gi1/0/3 switchport
show int Gi1/0/3 trunk


As far as security goes ...
Leaving vlan1 usable when it does not need to be is akin to locking most of
the doors at your home, but not all of them.

1) by default (most?) switches have all ports in vlan1 ... so somebody
plugs in a new switch and could potentially communicate with your server.
2) If someone compromises that server, now they have a trunk port to have
lots of fun with (create more vlan interfaces and sniff/spoof traffic).


[0]
https://supportforums.cisco.com/discussion/9118321/disabling-vlan1-across-trunks

-- 
---~~.~~---
Mike
//  SilverTip257  //
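The check a practitioner would want after applying the pruning above, as an added example that is not part of the original post or any Cisco tooling: a small Python audit that expands IOS VLAN list notation ("1-47,51-4094", "ALL"), derives the `remove` list from the VLANs you actually want on the trunk, and parses `show interfaces switchport` output to flag a trunk that still carries VLAN 1 or VLANs the server should not see. The sample `show` output is constructed to follow the IOS field layout, and the function names are my own.

```python
"""Audit a Cisco trunk's allowed-VLAN list and generate the pruning command.

Added example, not code from the mailing-list post. The show-output samples
below are constructed after the IOS format; function names are assumptions.
"""

VLAN_MIN, VLAN_MAX = 1, 4094


def expand_vlan_list(spec):
    """Expand an IOS VLAN list ("48-50,100", "ALL", "NONE") into a set of ints."""
    spec = spec.strip()
    if spec.upper() == "ALL":
        return set(range(VLAN_MIN, VLAN_MAX + 1))
    if not spec or spec.upper() == "NONE":
        return set()
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def compact_vlan_list(vlans):
    """Inverse of expand_vlan_list: {1, 2, 3, 5} -> "1-3,5" in IOS notation."""
    ranges = []
    for v in sorted(set(vlans)):
        if ranges and v == ranges[-1][1] + 1:
            ranges[-1][1] = v          # extend the current run
        else:
            ranges.append([v, v])      # start a new run
    return ",".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges)


def prune_command(allowed_wanted, current="ALL"):
    """IOS line that strips every VLAN outside allowed_wanted from the trunk.

    With the default current="ALL" (a fresh trunk carries 1-4094) this yields
    the same 'remove' list as the post; returns "" when nothing needs removing.
    """
    to_remove = expand_vlan_list(current) - set(allowed_wanted)
    if not to_remove:
        return ""
    return f"switchport trunk allowed vlan remove {compact_vlan_list(to_remove)}"


# Fields of 'show interfaces <port> switchport' the audit cares about.
FIELDS = {
    "Operational Mode": "mode",
    "Trunking Native Mode VLAN": "native",
    "Trunking VLANs Enabled": "allowed",
}


def parse_switchport(text):
    """Pull mode, native VLAN and allowed-VLAN set out of the show output."""
    info = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip() in FIELDS:
            info[FIELDS[key.strip()]] = val.strip()
    missing = set(FIELDS.values()) - set(info)
    if missing:
        raise ValueError(f"show output lacks fields: {sorted(missing)}")
    info["native"] = int(info["native"].split()[0])   # "1 (default)" -> 1
    info["allowed"] = expand_vlan_list(info["allowed"])
    return info


def audit_trunk(text, expected):
    """Return a list of findings; an empty list means the trunk is as expected."""
    info = parse_switchport(text)
    if info["mode"] != "trunk":
        return [f"port is not trunking (operational mode: {info['mode']})"]
    findings = []
    extra = info["allowed"] - set(expected)
    if extra:
        findings.append(f"trunk carries {len(extra)} unexpected VLAN(s): "
                        f"{compact_vlan_list(extra)}")
    if 1 in info["allowed"]:
        findings.append("VLAN 1 is still allowed on the trunk (the default VLAN "
                        "a newly plugged-in switch port lands in)")
    if info["native"] in expected:
        findings.append(f"native VLAN {info['native']} is one of the server VLANs: "
                        "its frames arrive untagged, so address it on eth0, "
                        f"not eth0.{info['native']}")
    return findings


# Constructed sample output, before and after pruning the trunk.
SHOW_BEFORE = """\
Name: Gi1/0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
"""
SHOW_AFTER = SHOW_BEFORE.replace("Trunking VLANs Enabled: ALL",
                                 "Trunking VLANs Enabled: 48-50")

if __name__ == "__main__":
    server_vlans = {48, 49, 50}
    print(prune_command(server_vlans))
    for label, output in (("before", SHOW_BEFORE), ("after", SHOW_AFTER)):
        print(label, audit_trunk(output, server_vlans) or ["ok"])
```

Run it against the real `show int Gi1/0/3 switchport` output instead of the constructed sample; the "before" case reports both the 4091 extra VLANs and VLAN 1, the "after" case is clean, and `prune_command` reproduces the exact `remove 1-47,51-4094` line from the post.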


